Hospitals are set up to fight infections, but not necessarily the kind that has been plaguing healthcare institutions lately – malware. A new report estimates that cyber threats against healthcare targets increased 60% since January, surpassing the total number of threats identified in all of 2018.
The most common threat targeting the healthcare industry is Trojan malware, which increased 82% in the third quarter from Q2, according to the report by Malwarebytes, Cybercrime Tactics and Techniques: The 2019 State of Healthcare. Most of the Trojan attacks involved Emotet and TrickBot, which are the two most dangerous Trojans around since 2018.
For now, healthcare is the seventh most targeted industry, according to Malwarebytes, but that may change as a result of the increasing intensity of threats targeting healthcare institutions. “Overall malware detections in this industry are on the rise. Threat detections have increased for this vertical from about 14,000 healthcare-facing endpoint detections in Q2 2019 to more than 20,000 in Q3, a growth rate of 45%,” the report says.
The preferred attack method over the past year has involved exploiting vulnerabilities in third-party software. Cybercriminals take advantage of negligence and weak security postures by looking for unpatched vulnerabilities to give them entry into networks. They’re also employing social engineering tactics such as phishing and spear phishing to deliver malicious emails.
“The healthcare industry is a target for cybercriminals for several reasons, including their large databases of patients’ personally identifiable information, lack of sophisticated security models, and high number of endpoints and other devices connected to the network,” the report says. “The sensitive nature of patient data that threat actors can easily swoop up lends itself to a high return on investment.”
Building a Stronger Posture
The uptick in threats against healthcare signals a dire need for reinforcing security policies and tools at hospitals, clinics, doctors’ offices and other healthcare organizations. Increasing reliance on Internet of Things (IoT) devices to deliver care is exacerbating the need, according to Malewarebytes. While the use of IoT devices delivers benefits, “none of these devices have been properly developed with security by design.”
This suggests a rethinking in device design is needed, but in the meantime healthcare organizations have to take steps to protect themselves. Because they are so focused on patient care, research and adding new medical technology, healthcare institutions have not invested in cybersecurity as much as they should have, according to Adam Kujawa, the director of Malwarebytes Labs.
One decisive step healthcare institutions can take to strengthen security is to ensure their cybersecurity teams have the knowledge and skills to keep up with, and defend against, cyber threats as they grow and evolve.
(ISC)2 offers a certification specifically tailored to the needs of cybersecurity professionals in healthcare. The HCISPP certification has been a mark of healthcare security and privacy proficiency since 2013. (ISC)2 recently refreshed the certification program to ensure it stays relevant to current cybersecurity needs and regulations in securing healthcare environments and data.
As cybercriminals intensify their attacks on healthcare, organizations will need to build up their defenses. Skills-building and training for cybersecurity teams will be a critical part of their security strategies.