It’s now widely known in the general public that cyber attacks have been increasing in recent years. But there is not as much awareness yet about a specific type of cyber attack that has also been increasing at an alarming rate — attacks targeting healthcare organizations.
According to a report by the cybersecurity firm Critical Insights, healthcare data breaches affected 45 million people in 2021, which is an all-time high and up from 34 million in 2020 and 14 million in 2018. That is a threefold increase.
Due to the way that attacks on digital healthcare infrastructures jeopardize the personal data and health of patients — literally, millions of them as recent statistics show — it’s of the utmost importance for healthcare organizations to protect themselves and their patients.
The Harm Caused
It’s not difficult to see why cyber attacks on healthcare systems can be so harmful to patients and their families.
Hospitals and healthcare practitioners treat serious medical conditions and injuries on a regular basis. Many of these require regular and consistent schedules of treatments where time is of the essence. Cyber attacks can cause extended delays in radiation or chemotherapy treatments, for example, even though each treatment session is important and needs to be administered on time.
They can cause scheduled surgeries to get canceled despite what may have been long wait times for the patients. There have even been cases where delays in treatment caused by cyber attacks have directly resulted in patient deaths.
Disruption to treatment isn’t the only way patients can get hurt. Protected health information (PHI) is just as sensitive as personal identifiable information (PIL), if not more so, and threat actors can use this information to directly go after the patients themselves through acts of insurance fraud or blackmail where they threaten to release patients’ sensitive medical information unless the patients pay ransoms.
Then there are financial costs that result from lost revenue, legal and insurance-related expenses and ransom fees paid to the attackers to release the information that they’ve held hostage — even if the latter is paid through insurance it would likely get reflected in higher insurance premiums.
The average cost of a healthcare industry breach is $10 million, making it the most costly type of breach by industry, costlier even than the financial and energy industries. On the high end, the attack against CommonSpirit Health in October of 2022 cost $150 million, the highest to date, and the one against Scripps Health in May of 2021 cost $113 million.
Finally, there are other costs associated with cyber attacks that hospitals and healthcare systems have to “pay” that are not just monetary. Diminished reputation, a loss of trust on the part of a hospital’s existing patients and added stress to the healthcare workers and staff employed at these organizations (which in itself can lead to financial repercussions) are all additional ways that healthcare systems “pay” as a result of cyber attacks.
Increasing Attack Sophistication
Just as cybercriminals and their tactics have been gaining in sophistication in general, so too have attacks specifically targeted against healthcare targets.
An example of this is the co-opted use of Cobalt Strike, a legitimate cyber defense tool developed by the cybersecurity firm Fortra, for hacking healthcare networks, usually for ransomware purposes.
This is yet another form of increasingly sneaky methods that hackers have been using to hijack the very security tools designed to protect networks and keep them from gaining access to those networks.
Back in April of this year, Microsoft teamed up with Fortra and the Health Information Sharing and Analysis Center (H-ISAC) and obtained a court order to take down servers hosting bootleg copies of Fortra’s Cobalt Strike which cybercriminals were using to attack healthcare systems.
It is likely joining the fight against ransomware that targets healthcare systems for various reasons, which include protecting its reputation (since it is a major provider of services to the healthcare industry) and preventing financial losses since cyber attacks against healthcare systems can be costly to these systems and therefore, by extension, be costly to Microsoft as well.
Why Healthcare Systems
Are More Vulnerable
All of this begs the question of what makes healthcare targets so attractive to hackers in the first place. There are various reasons they are more vulnerable.
One reason is that many hospitals and healthcare organizations are underfunded and understaffed, and as a result they are generally not up to par with their cybersecurity defense measures and protocols.
Another reason is that healthcare workers and staff often lack basic cybersecurity training and awareness, which is somewhat understandable since historically their training focuses on how to deliver quality care, not keeping abreast of best cybersecurity practices which are constantly evolving. However, this can result in additional points of vulnerability as workers interact with data systems.
Next, many hospital systems, especially research hospitals, are connected to university systems. It isn’t that university systems are particularly vulnerable in themselves, necessarily, but a large data system being linked with another large data system simply means more potential points of entry for hackers, especially if the university faculty and staff also lack adequate training in the latest cybersecurity best practices.
Rural hospitals may be even more vulnerable due to typically having more separate buildings and structures spread out geographically. This makes it trickier to implement vulnerability management systems, which gets exacerbated by the fact rural hospitals can be even more underfunded and understaffed than hospitals in general, especially with respect to cybersecurity.
And finally another reason that ransomware hackers may target healthcare systems is simply that healthcare organizations are known for paying the ransoms due to the highly sensitive nature of patient data and the fact that hospitals cannot afford to go offline for extended periods of time because they provide medically essential services. Hackers know this and are most likely to go after targets that they know will pay.
How Healthcare Firms
Can Protect Themselves
Despite Microsoft’s efforts to crack down on the misuse of Cobalt Strike, which is just one means by which threat actors can attack. Healthcare organizations should therefore not rely on third party forces to protect them and take their own proactive measures to protect themselves.
First of all, healthcare organizations should invest in having security operations centers (SOC), which many organizations still don’t have, where a cybersecurity team works together to monitor, detect, and respond to threats.
Virtual SOCs are an option and have become more common but physical centers allow analysts, incident responders, engineers, and threat intelligence specialists to all be in the same room which maximizes efficient communication and collaboration.
In-person SOCs can also make it easier to control and secure access to sensitive information via measures like keycards or biometric scanners, whereas virtual SOCs that are geographically spread out could potentially create more possible points of entry for hackers.
Next, healthcare organizations and their security teams need to implement good patch processes, or steps that the cybersecurity team follows to keep their systems properly updated and protected.
This is a constantly ongoing process due to how fast hackers are always finding and exploiting new vulnerabilities. Far too often in places with poor patch processes, tickets are created pointing to new vulnerabilities but no actions are taken. This, in turn, is often due to poor device and asset management.
For example, let’s say Microsoft issues a report stating that a particular version of Windows has “X” or “Y” vulnerability, and they even provide the fix for it, but the vulnerability management team doesn’t know how many machines in their organization run on that particular version of Windows, in which department, or who the owners of those machines are. And so they are unable to implement the fixes.
Good device and asset management is therefore a must and goes hand in hand with good patch processes.
The Need for a Champion
As someone who has done cybersecurity work for healthcare organizations in the past, I understand very well that the recommendations I’ve made are easier said than done.
I remember joking one time with some colleagues that we needed a breaching incident to occur because, unfortunately, sometimes that’s what it takes for the decision makers in an organization to realize they need to devote more attention and resources to cybersecurity.
This is why healthcare organizations need “champions” advocating for adequate cybersecurity and who knows how to speak the language of the CIO, CFO, the C-suite executives, and other key decision makers.
Typically, someone like a CISO would be ideally positioned for this role, but unfortunately many healthcare organizations still don’t have dedicated CISOs.
This can result in self-fulfilling scenarios where the lack of champions results in an ongoing lack of adequate cybersecurity measures, resulting in yet more and more attacks. Without visible and vocal champions, making sure that cybersecurity professionals have the resources they need might continue to be an uphill struggle.
One thing is for certain, which is that without CISOs serving as champions for better cybersecurity within their organizations, someone needs to be able to convince the leaders of their healthcare organizations that good cybersecurity is in their own highest interests, including the bottom-line interests that executives tend to focus on.
While good cybersecurity may not actively make money for organizations, it prevents them from losing it — a lot of it. Should leaders fail to recognize this, incidents will continue to occur, reputations will be further harmed, and more money will be lost. Sadly, for many organizations, the old joke that I once shared with colleagues about needing a cyber attack to happen may end up being a prophetic one.
Dr. Brian Gant is an Assistant Professor of Cybersecurity at Maryville University. Dr. Gant is a security executive professional with over 18 years of corporate and federal Government experience in analytics, threat intelligence, critical infrastructures and executive protection.
