Why The Healthcare Industry is So Heavily Targeted By Cybercriminals

Published on
December 30, 2023
Contributors
Hailey Carlson
Marketing

Cybersecurity firm Sophos found that nearly two-thirds of healthcare organizations were hit by a ransomware attack between March 2022 and March 2023. In 2022, there was an average of 1.94 significant (500+ affected records) data breaches reported daily for the healthcare sector. It is clear from these statistics that cybercriminals are heavily targeting the healthcare industry, but why?

Highly Valuable Data 

One of the greatest motivators for malicious actors is data. They steal and sell data online to the highest bidder, and the more sensitive the data, the more monetary gain they can receive.

PII, or personally identifiable information, includes information like names, email addresses, date of birth, passport numbers, and more. PHI, or personal healthcare information, encompasses some of the same things as PII such as a person’s social security number as well as elements unique to HIPAA (Health Insurance Portability and Accountability Act) such as biometric data, health plan beneficiary numbers, and device identifiers or serial numbers for medical equipment. This data is considered highly valuable to nefarious characters online because it can be used to facilitate scams like identity theft, insurance fraud, and targeted phishing attacks.

Limited Budgets

The healthcare system’s top operating costs include salaries for employees and contractors, supply costs for medical and surgical items, and fringe benefits. Just as the cost of goods and services has risen quite a bit in recent years for the public, costs for these supplies and other items like pharmaceuticals and medical equipment continue to rise for the healthcare industry. These elements coupled with HIPAA regulations often result in limited budgets available for hospitals. 

With many elements that cannot be cut out of the budget due to their crucial need in providing patients with essential care, cybersecurity is a common area from which funds are cut. This results in weaker security systems and often overwhelmed cybersecurity teams who are trying their best to protect the systems of healthcare entities with limited resources to do so. The frustrating part for many hospital IT professionals is that recovering from a cyber attack is often far more costly than investing in preventative measures. Not only is there a financial impact from the costs associated with an attack, but the time it takes to get back to normal operations is incredibly expensive because of the labor involved.

Outdated Technology

Another impact of healthcare systems having limited budgets is that there is not as much money to invest in updating technology. This results in outdated technological infrastructure which is more susceptible to attack due to the vulnerabilities that are present in old tech. With an inability to update certain devices, hospitals are at a heightened risk of cyber attack. 

Even without the consideration of budget limitations, updating legacy systems can be a very difficult transition in the world of healthcare due to the challenges encountered when integrating new processes into the routines of doctors and nurses. These medical professionals are typically very good at their jobs, and a key element of that is knowing how to get things done as efficiently as possible, which includes in-depth knowledge of how the systems they use operate. When moving to new systems, there is always a learning curve, and in the world of medicine, there is not as much wiggle room available when it comes to time.

Outdated systems and devices can leave the entire hospital’s network vulnerable to cyber attackers who are maliciously learning new and innovative ways to exploit old technology’s weak points.

IoT Medical Equipment

One of the more recent advancements in the world of medicine is the implementation of Internet of Things (IoT) devices. IoT devices are those items that are often called “smart” in our everyday lives, such as smartwatches and smartphones. In the healthcare industry, these items include medical equipment such as smart glucose monitors, blood pressure meters, and even futuristic-sounding things like robot-assisted surgical equipment and connected contact lenses. While these pieces of equipment are incredibly useful in the world of health, they, like other IoT devices, pose a risk if not properly protected. IoT medical equipment connects to a hospital’s networks via WiFi connections; these devices often lack the robust security measures that other devices connected to the network, such as laptops, have built in. Being easier to hack, these devices pose a risk to the network overall and therefore leave vital patient data vulnerable to attack.

Regulatory Considerations

While HIPAA is incredibly valuable in protecting patient health data, the many requirements posed by its regulations can make the implementation of new and improved cybersecurity measures more complex. A desire to avoid compliance issues may be an indirect driver of why some hospitals opt to avoid major cybersecurity renovations. Though compliance is challenging, healthcare entities should not be deterred from cybersecurity innovations by HIPAA regulations, as prioritizing cyber safety protects hospitals, their employees, and their patients.

Image by Freepik.