Nearly 90% of healthcare organizations have experienced a data breach in the past two years, and nearly half have had more than five data breaches during that same timeframe, according to a study by the Ponemon Institute. The industry has seen an explosive increase in targeted attacks recently as evidenced by a 320% increase in the number of healthcare providers victimized by hackers in 2016. The list of victims continues to grow, including Anthem, Premera, Excellus Blue Cross/Blue Shield, Tricare, Banner Health, Virginia Department of Health, and UCLA Health.
Not only has the number of attacks increased, many of them were devastatingly effective, as evidenced by the 160 million medical records that have been stolen since 2015. The Anthem breach alone, which was the largest healthcare breach ever recorded, exposed about 80 million individual medical records to their attackers. To put that in context, the number of medical records breached in the Anthem attack is greater than the entire populations of California, Texas, and North Carolina combined. These breaches are coming at a steep price as they are costing the healthcare industry approximately $6.2 billion per year according to Ponemon.
What is driving this dramatic escalation of attacks against the healthcare sector and who is orchestrating them? These attacks are driven primarily by two types of threat actors that have entirely different motivations:
Criminal actors breach organizations in the hopes of selling the medical records on the black market, or they attack the availability of healthcare systems and their data, often by launching ransomware-based attacks.
Nation-state backed actors seek information on individual subjects of interest that might enable them to blackmail or extort these individuals in the future, for espionage purposes.
The dramatic rise in successful attacks against healthcare organizations by both criminal and nation-state threat actors illustrates how attractive and susceptible these enterprises are to successful exploitation. Despite these wake-up calls, the healthcare sector as a whole remains extremely vulnerable to cyberattacks.
6 Ways Healthcare Industry is Vulnerable
Many healthcare enterprises have legacy or antiquated devices that are running outdated software or operating systems. Budget, resource, and operational concerns often can impede the practice of replacing software and devices before they become end-of-life, leaving them more susceptible to an attack.
Often the easiest paths for attackers lie in the integrated building management, physical security and clinical devices. These devices are often outside the control of IT, or overlooked, and can remain unpatched for years, providing a potential entry point for hostile actors.
Healthcare networks are often designed to minimize cost and maximize efficiency, creating flat networks that are easy targets for attackers. Everything else takes a backseat, including cybersecurity. Driven by cost pressures and the need for efficient business processes, many healthcare networks and systems have been created to provide the greatest amount of connectivity across the organization and facilitate the ability to communicate across departments, and facilities. This makes it easier for an attacker to perform reconnaissance across the enterprise and pivot easily throughout the network, often providing network access to critical data.
Healthcare organizations are hyper-focused on their primary mission – saving lives and helping patients – and cybersecurity risks aren’t on the forefront of their minds. Everything else takes a backseat. There is very little tolerance for the installation of patches that may cause conflicts with proprietary medical device software. Systems may seem to function without issue under legacy Operating Systems, such as Windows XP, and there is often very little interest in upgrading them for fear that they will no longer function correctly post-upgrade. Medical personnel often wield more influence over the organization than IT Security personnel, making it difficult to implement many cybersecurity practices.
Many healthcare enterprises leverage external third-party vendors to manage and run their systems, which can introduce a significant amount of risk. Instead of attacking large and well-funded organizations with advanced cyber capabilities directly, hostile actors often try to compromise a smaller third-party vendor that has access to the target organization, effectively bypassing all of the larger entity’s security controls and providing direct access into their networks.
Often healthcare enterprises operate as decentralized organizations. Comprised of semi-autonomous provider groups and service locations, these organizations are decentralized in a way that makes it much more difficult to prioritize cybersecurity investments, establish standards, and enforce compliance. As a result, the entire enterprise may be exposed by its most vulnerable component, with potentially dire consequences.
These factors combined have turned many healthcare organizations into the proverbial “sitting ducks” that are vulnerable to their predators. The industry is coming to terms with the fact that they are currently the most targeted sector globally. Healthcare executives have been scrambling to effectively respond to these threats.