In July 2021, Nate Warfield, CTO of the cybersecurity firm Prevailion, wrote that healthcare is facing “a full-blown crisis” when it comes to cybersecurity, in a post on the website Threatpost.
He offered as an example a breach at Scripps Health San Diego two months earlier, an attack that cost that system nearly $113 million, and noted that while the pandemic contributed to the uptick in such incursions, other factors come into play, too. One of them is organizations’ insistence on continuing to use outdated equipment – MRI machines, X-ray machines, CT scanners, etc. – which is expensive to replace but also vulnerable to hackers, as it tends to depend upon creaky, unpatched operating systems.
Moreover, Warfield wrote, the advent of electronic health records and wireless devices, which began well before the outbreak but increased after COVID-19 hit, added to systems’ vulnerability. So too did their widespread use of a single network throughout an entire organization, and the challenge presented by third parties (doctors, clinics, vendors, etc.).
The result, often, has been an attack surface that’s difficult to secure. There were 712 healthcare data breaches in 2021, an all-time high and a 10.9 percent jump from 2020. Those breaches impacted 45 million people, according to the cybersecurity company Critical Insights. That’s 11 million more than in 2020 and 31 million more than in 2018. Critical Insights also notes that attacks on health plans were up 35 percent and attacks on third parties jumped 18 percent.
Experts do not believe security concerns will abate any time soon. Leon Lerman, co-founder and chairman of the New York City-based healthcare technology firm Cynerio, told the website HIT Consultant that he expects an “increase in both the sheer number of attacks on hospitals as well as severity” in 2022, and that strengthening security “could be the difference between life or death.” Indeed, a baby was alleged to have died after a ransomware attack at the Springhill Medical Center in Alabama in 2021.
In all, ransomware attacks against healthcare organizations were up a staggering 123 percent last year, but they were far from the only threat. Besides ransomware, attacks could take the form of malware, phishing, spear phishing (targeting a specific person in an organization) or whaling (targeting a high-level person).
Countering these threats is a matter not only of improving big-picture thinking, but also of tending to granular matters. As suggested in a post on the website Health IT Security, organizations need to prioritize cybersecurity, though that has become more difficult in the face of budgets stretched to the breaking point during the pandemic.
Certainly, though, a coherent, comprehensive plan needs to be put in place. The Healthcare Information and Management Systems Society (HIMSS) believes that risk assessments, performed at least once a year, are the cornerstone of any such plan – and that these assessments take into account probability of occurrence, impact on the organization and the prioritization of the risk.
Moreover, HIMSS pointed out, basic and advanced security measures need to be put in place – basic steps like encryption, firewalls and backups, and advanced measures like multi-factor authentication, network segmentation and vulnerability scans.
Not to be forgotten, either, is the value of advanced methods like blockchain (again, if budgets allow), as information can be securely stored and accessed on this digital ledger, as was notably shown when the technology company Hu-manity.com partnered with IBM Blockchain.
The bottom line is that the threat of cyberattacks is not going away anytime soon, and that healthcare organizations need to properly arm themselves for any eventuality.