What explains the surge in healthcare hacking, and who is behind this particular type of cyber threat? Why are hackers focusing on healthcare as a place to hack?
It’s simple: Hackers are focusing on healthcare because it is a critical infrastructure industry.
However, a couple of things make the sector a particularly easy target:
The healthcare sector is under competing pressures to remain open to the public while also ensuring its own cybersecurity. The latter is easier said than done.
The industry suffers from a lack of resources compared to commercial alternatives, which often have highly compensated, well-trained, and vetted individuals taking care of their security.
On top of that, a lot of hospitals are short-staffed today, as many have gone through a tremendous amount of turnover due to the pandemic.
From a ransomware perspective, an attacker who holds somebody's data hostage wants the victim to feel urgency and to commit to paying right away.
Urgency is easy to create in a healthcare setting, given the potential consequences for patient care. If providers are hindered in any way, such as by losing access to data or to systems like medical devices because of ransomware, they cannot serve the community.
Second, from a HIPAA and compliance standpoint, fines can escalate very quickly. If hackers capture and release sensitive healthcare information, the organization can face fines in the tens of thousands, if not hundreds of thousands, of dollars. In some instances, depending on the data and the degree of disclosure, the fines can easily reach the millions.
While this is not as important as life and death in the community, it still is something that weighs on the minds of an organization or an executive within the organization. The ramifications to their budget and ability to provide their services in the future can be significant.
Besides, as soon as the hackers access the data, that access is in and of itself a breach that has to be reported, whether or not the data is ever published.
All of that puts healthcare providers in a position where they have to make critical decisions quickly. Unfortunately, this makes them susceptible to ransomware attacks.
At the lowest level, there are private entities and individuals, from the proverbial unemployed basement-dweller to disgruntled employees seeking revenge.
The dark web has opened up the opportunity for essentially anybody with basic operator skills, the capacity, and the wherewithal to engage in healthcare hacking. You no longer need to be a talented, high-level hacker. You can simply subscribe to services that provide the tooling and the access needed to break into these types of organizations.
At the higher level, there are organizations throughout the world that engage in healthcare hacking on a much larger scale. The biggest threat is probably nation-states such as North Korea and China, which have taken aggressive steps to create dedicated units within their own governments for counter-intelligence efforts.
Russia has even allowed third-party groups to shelter under state protection. As long as they do not attack Russian assets, they are welcome to operate from within Russia and go after other targets.
Healthcare hacking is clearly a huge problem, both for individual organizations and for our infrastructure. As a small organization, is there anything that you can do to address the issue?
The first step is acknowledging there is something you can do. People are often so overwhelmed by the fact that anybody can become a hacker and gain access to their information that they think, “What are we going to do anyway? It is what it is.”
However, that’s not the case. There are steps that you can take.
The most important thing is to look at your own organization from an awareness standpoint to identify the easiest things that you could do to initiate change.
Conducting an internal security risk assessment is an important second step. In healthcare specifically, you have an obligation to conduct one on an annual basis.
It is a good idea for any organization to do so. It can start with something as basic as making sure that known patches are deployed to your systems in order to close known vulnerabilities. That alone will probably reduce your exposure significantly as far as opportunistic, lower-skilled attackers are concerned.
Cybersecurity is an arms race. The good news is that for all the efforts put forth by bad actors, counter-solutions are being put in place. And you can do something about it, too.
To protect your organization, you need to perform a risk assessment to determine which assets you need to protect, how well you need to protect them, and where your investment should go. Those are the key elements to get you started. You can do this economically, and then you are already setting yourself up for some success.
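The two concrete steps above, patching known vulnerabilities and prioritizing by asset criticality, can be combined into a simple patch-gap check. The following is an added example written for this page, not code from the original article or any vendor: it takes a constructed list of advisories (package name and the version that fixes the issue) and a constructed host inventory with a criticality score per host, and reports every host still running a version below the fix, most critical assets first. The package names, hosts, versions and criticality scale are all hypothetical, and the version comparator is a deliberately simplified assumption; a production check should defer to the distribution's own comparator (for example `dpkg --compare-versions` or `rpmdev-vercmp`).

```python
"""Patch-gap check over a constructed host inventory (added example).

Given advisories (package -> fixed version) and an inventory of hosts
with installed package versions, report each host/package still below
the fixed version, ordered by how critical the asset is.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed advisory list: hypothetical package names and fixed versions.
ADVISORIES = {
    "openssl": "3.0.12",
    "imaging-gateway": "2.4.1",
    "sshd": "9.6",
}

# Constructed inventory: host -> (criticality 1..5, {package: installed version}).
# Criticality is an assumed scale; in practice it comes from the risk assessment.
INVENTORY = {
    "pacs-01":  (5, {"openssl": "3.0.9",  "imaging-gateway": "2.3.0", "sshd": "9.6"}),
    "ehr-db":   (5, {"openssl": "3.0.12", "sshd": "9.4p1"}),
    "kiosk-07": (2, {"openssl": "1.1.1w", "sshd": "9.6"}),
    "build-ci": (1, {"openssl": "3.1.4",  "imaging-gateway": "2.4.1"}),
}


def version_key(version: str) -> tuple:
    """Turn a version string into a comparable tuple (simplified assumption).

    Numeric runs compare as integers and alphabetic runs as strings, so
    '3.0.9' < '3.0.12' and '9.4p1' < '9.6'. A shorter prefix compares as
    smaller. This does not model distro-specific epochs or pre-release tags.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_below(installed: str, fixed: str) -> bool:
    """True if the installed version is older than the version that fixes the issue."""
    return version_key(installed) < version_key(fixed)


@dataclass
class Finding:
    host: str
    criticality: int
    package: str
    installed: str
    fixed: str


def patch_gaps(inventory=INVENTORY, advisories=ADVISORIES) -> list[Finding]:
    """Return every (host, package) still below the fixed version.

    Results are sorted with the most critical hosts first, then by host
    and package name, so the list doubles as a remediation order.
    """
    findings: list[Finding] = []
    for host, (criticality, packages) in inventory.items():
        for package, fixed in advisories.items():
            installed = packages.get(package)
            if installed is None:
                continue  # package not present on this host: nothing to patch
            if is_below(installed, fixed):
                findings.append(Finding(host, criticality, package, installed, fixed))
    findings.sort(key=lambda f: (-f.criticality, f.host, f.package))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings as one line per gap, or a short all-clear message."""
    lines = [
        f"{f.host:<10} crit={f.criticality} {f.package} {f.installed} -> needs {f.fixed}"
        for f in findings
    ]
    return "\n".join(lines) if lines else "no patch gaps"


if __name__ == "__main__":
    print(report(patch_gaps()))
```

With the constructed data, the check flags the two criticality-5 hosts first (the EHR database's sshd and the PACS server's two outdated packages) and the kiosk last, while the build host, which is fully patched, does not appear at all. Feeding the script a real inventory exported from your asset management or configuration tool, together with the advisories that apply to it, turns the "deploy known patches" step into something you can verify rather than assume.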