Healthcare organizations are being attacked more viciously and more often, and there is no end in sight for these and other healthcare security threats. A recent survey from Kaspersky Lab found that nearly 80 percent of healthcare employees say their organizations have experienced up to five cybersecurity attacks over the past five years or longer. Meanwhile, a Coalfire survey found that healthcare IT security is the worst of any sector when it comes to dealing with external threats.
Recent figures from the U.S. Department of Health and Human Services support this picture: healthcare organizations experienced more than 400 cyber incidents in the past two years, including hacking, unauthorized access or disclosure, theft and loss. The problems are so bad that the HHS Health Care Industry Cybersecurity Task Force in 2017 said the industry’s cybersecurity was in “critical condition.”
The Kaspersky report found that one of the most prevalent types of attack is ransomware. According to the report, 27 percent of healthcare employees in North America say their organizations have experienced a ransomware attack in the past year. What’s more, the vast majority of organizations that have experienced one ransomware incident admit to having experienced more, as many as five during a one-year period.
There are many reasons for the industry’s abysmal record in preventing cyberattacks. The Coalfire report found numerous instances of unpatched software, misconfiguration, insecure protocols, unsupported connected devices and password flaws. It also found that many healthcare organizations don’t have enough money or staff to combat cyberattacks effectively.
In general, healthcare organizations are attractive targets for cybercriminals, but they are also making it easier for attackers than it should be, according to Rob Cataldo, a vice president at Kaspersky Lab.
“As more healthcare breaches make news headlines every week, the more aware cybercriminals have become that organizations in the healthcare industry are not as secure as we’d all like to think,” he said. “Many of these organizations are leaving themselves vulnerable by continuing to use legacy technology systems, often leaving systems unpatched and insecure.”
One of the biggest problems is that healthcare organizations don’t seem to be learning from their mistakes, with many experiencing multiple attacks. In many cases, following the first attack, cybercriminals will create variations of cyber threats and resend them to the healthcare organization, either to avoid any barriers that prevented their initial attack from being successful or to take advantage of reconnaissance details gathered during the initial infiltration, Cataldo said.
To help healthcare organizations improve their cybersecurity defenses, HHS recently released a publication with a list of voluntary steps to help stem e-mail phishing attacks; ransomware; loss or theft of equipment or data; and insider, accidental or intentional data loss.
It’s also critical for IT teams to regularly update operating systems on all devices in the network with the latest patches and to regularly back up important information stored in all locations, keeping those backups where ransomware that reaches the network cannot encrypt or delete them. They should also ensure that new enterprise security solutions include dedicated anti-ransomware technologies. When faced with a new threat, some of these solutions can protect data by detecting the malicious modification and rolling back any changes made by the malware.
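To make the "roll back changes made by the malware" idea concrete, the following added example (not code from the article, from Kaspersky or from any product mentioned above) keeps content-addressed copies of files under a watched directory, flags files that were replaced by high-entropy data or renamed with a ransom extension, and restores the originals. The extension list, the 7.0 bits/byte entropy threshold, the sample "patient record" files and the `simulate_ransomware` stand-in are all constructed for the demonstration; a real product relies on behavioural monitoring rather than a fixed list.

```python
"""Snapshot-and-rollback against ransomware-style file changes.

Added illustrative example; not from the original article or any vendor.
"""
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: extensions commonly appended by crypto-ransomware (constructed list).
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")
# Assumption: ciphertext is close to 8 bits/byte; plain text is usually well below 7.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RollbackJournal:
    """Pristine copies of watched files plus a detector for ransomware-like
    replacements that can restore the originals."""

    def __init__(self, watched: Path, store: Path):
        self.watched = Path(watched)
        self.store = Path(store)
        self.store.mkdir(parents=True, exist_ok=True)
        self.snapshots = {}  # relative path -> (sha256 of original, entropy)

    def snapshot(self) -> int:
        """Record every file under the watched tree; returns the file count."""
        for path in self.watched.rglob("*"):
            if not path.is_file():
                continue
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            copy = self.store / digest  # content-addressed, so duplicates share a copy
            if not copy.exists():
                copy.write_bytes(data)
            rel = str(path.relative_to(self.watched))
            self.snapshots[rel] = (digest, shannon_entropy(data))
        return len(self.snapshots)

    def suspicious_changes(self) -> list:
        """Files whose content became high-entropy, or that vanished while a
        ransom-extension sibling appeared."""
        flagged = []
        for rel, (digest, _) in self.snapshots.items():
            original = self.watched / rel
            renamed = [original.with_name(original.name + ext) for ext in RANSOM_EXTENSIONS]
            if original.exists():
                data = original.read_bytes()
                changed = hashlib.sha256(data).hexdigest() != digest
                if changed and shannon_entropy(data) > ENTROPY_THRESHOLD:
                    flagged.append(rel)
            elif any(p.exists() for p in renamed):
                flagged.append(rel)
        return flagged

    def rollback(self) -> list:
        """Restore flagged files from the store and delete ransom-extension leftovers."""
        restored = []
        for rel in self.suspicious_changes():
            original = self.watched / rel
            original.parent.mkdir(parents=True, exist_ok=True)
            original.write_bytes((self.store / self.snapshots[rel][0]).read_bytes())
            for ext in RANSOM_EXTENSIONS:
                leftover = original.with_name(original.name + ext)
                if leftover.exists():
                    leftover.unlink()
            restored.append(rel)
        return restored


def simulate_ransomware(target: Path) -> None:
    """Constructed stand-in for malware: overwrite with random bytes, then rename."""
    target.write_bytes(os.urandom(4096))
    target.rename(target.with_name(target.name + ".locked"))


def demo() -> dict:
    """Snapshot a constructed records directory, 'encrypt' one file, detect, roll back."""
    root = Path(tempfile.mkdtemp())
    watched, store = root / "patient_records", root / "journal"
    watched.mkdir()
    (watched / "notes.txt").write_bytes(b"patient presented with mild fever\n" * 50)
    (watched / "schedule.csv").write_bytes(b"date,room,clinician\n" * 40)
    journal = RollbackJournal(watched, store)
    journal.snapshot()
    simulate_ransomware(watched / "notes.txt")
    flagged = journal.suspicious_changes()
    restored = journal.rollback()
    result = {
        "flagged": flagged,
        "restored": restored,
        "intact": (watched / "notes.txt").read_bytes().startswith(b"patient presented"),
        "leftover": (watched / "notes.txt.locked").exists(),
    }
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

The journal store is itself a target: in practice it must live where the same malware cannot reach it (a separate volume with restricted write access, or an off-host backup), otherwise the rollback copies are encrypted along with the originals.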
Finally, keep awareness high.
“Organizations should continuously raise employee awareness about modern cyber threats and attack methods,” Cataldo recommends. “Training and informing employees of IT security protocols and constantly communicating these through reminders can have a positive impact on preventing social engineering methods from spreading ransomware.”