After two years of steadily increasing cyber threats that resulted in record numbers of compromised patient information, financially extorted health organizations, and publicly disrupted hospital operations, it is clear that cybersecurity is a major concern for healthcare executives in 2017 and beyond.
According to Karthik Swarnam, AT&T Vice President of Security Architecture, “Cybercrime damages are expected to rise to $6 trillion annually by 2021. This represents the greatest transfer of economic wealth in history and risks the incentives for innovation and investment.” The healthcare industry has become a prime target for cyber attacks, facing security issues that have financial and reputational impact for hospitals and other healthcare institutions.
Over the past several years, the cyber threat landscape has drastically changed, and while many industries have worked to keep pace with cybercriminals, the healthcare industry has fallen behind. It’s time that healthcare executives began viewing cybersecurity breaches as the greatest threat to their reputation, patient trust, and ultimately their bottom line. In order to do so, organizations must first understand the threats they face. Let’s explore the Who, What, Why, and How of the 2017 cyber threat landscape.
Who?
Long gone are the days of the lone, basement hacker. The new reality is that hacking is now big business. Coordinated, collaborative, organized groups all over the world now work round the clock to hack everything from private email accounts to government databases. The cybercrime industry’s net worth has surpassed that of the illegal drug trade. Collaborating anonymously in underground chat rooms and deep web portals, cybercrime organizations are virtually impenetrable and almost impossible to bring to justice. All of this to say, that healthcare organizations can no longer deny the threat that cyber criminals pose.
How?
Cyber criminals target medical organizations using a variety of techniques including: malware, phishing, SQL injection attack, cross-site scripting (XSS), DDoS, and others. Over the past several years, ransomware, phishing attacks and medical device hijacks have played prominent roles in successful hacking attempts.
- Ransomware is a type of malware that prevents or limits users from accessing their system, by locking (i.e., encrypting) the user’s data until a monetary ransom is paid. In 2016, the healthcare industry was the victim of 88% of all ransomware attacks in U.S.
- Phishing scams are fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., password, credit card, or other account updates).
- Medical device Hijacks involve cybercriminals targeting medical devices. Attackers place malware within the network that then propagates. Inside of these medical devices, the cyber attacker now finds safe harbor in which to establish a backdoor (command and control). Given this open access, once the medical devices are penetrated, the attacker is free to discover targeted resources such as patient data.
Why?
The simple answer to this question is financial gain. The average going rate for a stolen healthcare record is $355, over twice the average cost of $155 for a credit card record. This is due to the comprehensive amount of information stored in a healthcare record. Cyber criminals also trade this information among each other to create a more complete picture of an individual. The skyrocketing cost of healthcare has also driven some cyber criminals to seek free health care using stolen credentials.
What?
For patients that have received a breach notification, the likelihood of being a victim of fraud is one in four. Because of the amount of sensitive information contained in a single healthcare record, hackers now have access to a multitude of opportunities to financially extort the victim. We’ve seen hackers use usernames and passwords to access various online accounts and even bill the victim for health services that were never rendered. For hospitals, the financial extortion can cost thousands, even millions, of dollars, and also have reputational repercussions.
As we, as a society, move swiftly toward a technologically-connected healthcare environment, the threats to cybersecurity will continue to multiply and evolve. Healthcare organizations must begin adopting a culture of security, which begins by recognizing and understanding the current cyber threat landscape. Successful organizations will be defined not by whether they have or haven’t been the victim of a cyber attack, but rather by how well they are able to detect and respond to attacks, and restore operations with minimal data compromise or financial loss.