Cyberattacks are rapidly overwhelming the healthcare sector. Healthcare providers large and small remain a tempting target for repeated ransomware attacks because limited security budgets leave them with a weaker overall cyber defense. Hospitals are also among the organizations most likely to pay a ransom, in order to regain access to their encrypted data, stop the attackers from leaking what they have stolen, and limit the disruption to daily operations and patient care. The industry holds an abundance of valuable patient data, and cybercriminals have become skilled at using mature attack tooling to launch more damaging ransomware campaigns against providers.
According to a recent IBM Cost of a Data Breach report, a healthcare breach now costs a record-high $10.1 million on average, leaving behind potentially disruptive damage as the industry struggles to absorb the associated costs. The U.S. Department of Health and Human Services (HHS) Breach Portal lists at least 368 breaches affecting more than 25.1 million patients since the beginning of 2022. More than half of those breaches began with a compromised network server, whether through email phishing, malware or misuse of privileged credentials.
With ransomware-as-a-service (RaaS) operations such as Conti, Hive and LockBit shifting their focus from large healthcare systems to smaller hospitals and specialty clinics, patient data is easier than ever to steal and reuse in fraud and identity theft schemes. For many of these hospitals and rural clinics, insufficient security measures dramatically escalate the risk of a successful attack. Once systems are infected, healthcare workers are often locked out of critical hospital systems, medical records and patient data, which creates a backlog of work and compromises patient care.
Implement Threat Awareness Training
A cybersecurity posture is only as strong as its policies, backups and disaster plans. The first line of defense against ransomware is simply educating employees through ongoing programs that keep awareness fresh and top of mind. Phishing is the most effective social engineering tactic cybercriminals use against employees, whether the goal is to get them to click a suspicious link, download an attachment, visit a malicious website or simply hand over their credentials outright. Healthcare workers are often overworked and particularly susceptible to messages that convey urgency and crisis. Not only can these mistakes cost millions in lost revenue and ransom payments, they can wreak havoc on operational systems. By making sure employees know the common attack vectors, what a ransomware attack looks like and how to report suspicious activity, CISOs can ensure there is always a first line of defense against phishing attempts. Training reduces the click rate but never eliminates it, so it should be paired with technical controls such as email filtering and multi-factor authentication rather than relied on alone.
Complete A Compromise Assessment of Your Environment
Taking a thoughtful, risk-based security approach is one of the easiest ways to work within budget constraints. Start with a comprehensive assessment of the security risks in your environment, including whether an attacker is already present: a compromise assessment looks for evidence of an intrusion that has so far gone unnoticed. Next, IT teams and their CISOs should test to identify the top vulnerabilities and evaluate all key assets. From there, decide how to respond to each risk, whether by remediating it outright or by accepting it under 24x7x365 monitoring. Coding errors, software flaws and misconfigurations are often the openings cybercriminals use to gain unauthorized access to information systems. Finding and proactively remediating these risks can be a significant time investment for both internal IT teams and security resources.
However, costs can be kept down by engaging a Managed Detection and Response (MDR) provider. By hiring a proven security partner, hospitals can outsource the management and monitoring of security systems including antivirus, intrusion detection, vulnerability scanning and managed firewall services. Security providers also help the hospital or clinic meet HIPAA requirements to protect patients, clinicians and devices from both internal and external threats such as social engineering, data destruction or targeted cyber attacks. Outsourcing does not transfer accountability, however: the hospital remains the covered entity under HIPAA, and any provider that can see patient data must operate under a business associate agreement. In the midst of a growing cybersecurity talent shortage, a security provider can also reduce the number of security staff that hospitals need to attract, train and retain.
Develop Incident Response Plans, Recover and Assess
A quick response to a detected threat is key to limiting the damage. Because hospitals and clinics provide emergency care, having their systems locked by ransomware could be catastrophic for daily operations. An incident response plan lets the organization map out and rehearse its response steps before it is placed under severe, unexpected pressure. IT teams should also implement disaster recovery plans that require routine testing of the cybersecurity program to ensure it works as intended, and confirm that anti-virus and anti-malware protection is always enabled and kept up to date.
Regular backups should be maintained and restore-tested, with at least one copy kept offline or otherwise immutable, since ransomware operators routinely seek out and encrypt or delete any backups they can reach before detonating. Multi-factor authentication should be enforced consistently for all accounts. Doing so also gives employees, CISOs and security teams much-needed confidence during an actual breach. Striving for operational excellence is essential to improving the efficiency and efficacy of security processes so that every office runs as smoothly as possible. A cost-effective cybersecurity defense and training program for clinics and hospitals gives each institution its strongest safeguard against future attacks.
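Testing a backup is only meaningful if the test can tell a clean backup set from one an attacker has already encrypted or thinned out. The script below is an added example written for this page, not code from the article or from SilverSky: it records a SHA-256 per backup file in a manifest, signs the manifest with an HMAC key that is assumed to be stored offline (away from the backup host), and on verification reports missing or altered files and refuses a manifest that no longer carries a valid signature. The file names, manifest layout and the simulated ransomware run in demo() are constructed for illustration.

```python
"""Verify a backup set against a keyed manifest so that a ransomware
operator who encrypts or deletes backup files cannot silently pass a
restore test. Added example; the manifest format and key handling are
this example's own assumptions, not any vendor's product."""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB pieces so large archives fit in memory


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Walk the backup root, record a SHA-256 per file, then sign the
    whole listing with an HMAC. The key is assumed to live somewhere the
    backup host cannot reach; otherwise an attacker with host access can
    rewrite the manifest along with the files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = file_sha256(full)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(root, manifest, key):
    """Return a report dict. 'ok' is True only when the manifest signature
    is valid, every recorded file exists and none has changed."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"ok": False, "manifest_tampered": True, "missing": [], "modified": []}
    missing, modified = [], []
    for rel, digest in manifest["files"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif file_sha256(full) != digest:
            modified.append(rel)
    return {"ok": not (missing or modified), "manifest_tampered": False,
            "missing": missing, "modified": modified}


def demo():
    """Constructed scenario: a two-file backup set, then a simulated
    ransomware run that overwrites one file and deletes the other, and
    finally an attacker's attempt to forge a matching manifest."""
    key = os.urandom(32)  # stands in for the offline-held manifest key
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"ehr.db": b"patient records", "pacs.tar": b"imaging"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        # Simulated ransomware: encrypt one backup file, delete another.
        with open(os.path.join(root, "ehr.db"), "wb") as f:
            f.write(b"\x8f\x12encrypted garbage")
        os.remove(os.path.join(root, "pacs.tar"))
        damaged = verify_backup(root, manifest, key)
        # The attacker rewrites the listing to match the encrypted file but
        # cannot recompute the HMAC without the offline key.
        forged = {"files": {"ehr.db": file_sha256(os.path.join(root, "ehr.db"))},
                  "hmac": manifest["hmac"]}
        forged_result = verify_backup(root, forged, key)
    return clean, damaged, forged_result


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run the verification from a host the backup system cannot write to, and treat any non-empty missing or modified list, or a tampered manifest, as an incident rather than a backup glitch: it is often the first visible sign that an intrusion is already under way.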
Tom Neclerio is a former healthcare CISO and currently serves as the Vice President of Professional Services at SilverSky.