In my previous post, I reviewed the primary compliance regulations that healthcare organizations around the world are subject to, all of which are intended to improve data protection in healthcare. But as I noted, the number of healthcare firms suffering data breaches is still growing, despite these regulations. Today, I’ll tackle the question of why this is happening.
Attacks are getting more sophisticated
One factor is clearly that attackers are constantly upping their game. Phishing attacks have become so much more convincing and targeted that we now have subcategories like spear phishing and whaling, techniques designed to ensnare particular people, especially “big fish” who can access confidential data or transfer funds. Using information readily available on social networking services like LinkedIn and Facebook, cybercriminals can now piece together connections between people and craft a very believable message that gets the victim to click a malicious link or open an infected document. For example, an email might replicate the writing style and tone of a company’s CEO, getting the CFO to make a confidential transfer of funds to a specified bank account in light of a new venture or acquisition.
Attackers are also designing increasingly sophisticated malware, including ransomware, and inventing more effective ways to deliver it. For example, we now have drive-by downloads from malicious websites that can exploit known vulnerabilities in out-of-date applications and unpatched operating systems. Advertisements on websites and within applications can be altered to carry a malicious payload; since the user is visiting a known website or using a trusted application, they’re more likely to click on the ad. And free downloads of normally expensive software are also changed to include malicious components, or they merely masquerade as expensive software, tricking the victim into releasing the malware inside. Perhaps most alarmingly, ransomware is now even available "as a service," with the proceeds split between the attacker and the ransomware developer.
The healthcare sector has specific vulnerabilities
However, these advanced techniques are being used against organizations across all industries around the world; what makes the healthcare sector particularly vulnerable? There are a number of factors:
- Large attack surface — Medical care is no longer the domain of the generalist, but rather a complex collaboration between multiple medical specialists working for different organizations in various geographical locations using disparate IT systems. Mergers and acquisitions add to the complexity, driving a need for effective migration and consolidation. And due to the recent push for interoperable electronic health records (EHR), sensitive patient data is continually flowing in and out of healthcare systems.
- Cloud adoption — Healthcare organizations are increasingly using cloud-based services for storing files, managing EHR, and exchanging information with suppliers, partners and government entities. In fact, MarketsandMarkets forecasts a near tripling of healthcare spending on cloud services, from $3.73 billion in 2015 to almost $9.5 billion by 2020. But organizations often fail to establish proper hybrid Active Directory security and governance.
- Specialized tools — In addition to cloud applications, healthcare workers are also taking advantage of complex collaboration systems, specialized mobile apps, and other tools that can be difficult for IT to track and secure. In addition, medical devices can be difficult to update, so known vulnerabilities go unpatched.
- Systematic underinvestment in healthcare cybersecurity — Data protection in healthcare has received insufficient funding for years. The HIMSS Cybersecurity Survey reports that nearly three quarters of healthcare providers spend less than 6 percent of their overall IT budget on security (as compared to 16 percent for the U.S. federal government, for instance). This leaves the organizations vulnerable; the U.S. Health and Human Services department claims that 60 percent of healthcare data breaches from 2009 to 2014 could have been avoided if the data had been properly encrypted.
- Lack of attention from IT — Healthcare IT teams have had to focus on meeting strict deadlines to implement electronic health record systems, which has left them little time to focus on other priorities, including healthcare data security and compliance.
- Lax security standards — Because healthcare workers have hectic schedules and work in life-and-death situations, the industry often fails to enforce healthcare data management and security best practices, such as requiring strong passwords, enforcing automatic logouts and avoiding shared credentials. Similarly, because healthcare staffing models often depend on volunteers and rotating staff members, IT security training can get short shrift.
These factors can leave healthcare organizations extremely vulnerable to both outside attackers and malicious insiders, as well as careless mistakes that can be just as damaging and costly. In my next post, I’ll explore the multiple ways that data breaches and ransomware infections can impact healthcare firms and their patients.
In the meantime, be sure to read our white paper, “Protecting Data in the Healthcare Industry,” to learn more about:
- The various regulations and requirements that healthcare firms must comply with
- The realities and trends that are increasing the risk for healthcare organizations
- How data breaches impact healthcare organizations
- Best practices for cyber security defenses