What Is the Healthcare Industry?
The healthcare industry is a type of critical infrastructure that is “necessary to maintain normalcy in daily life.”[i] Overall, the U.S. Cybersecurity & Infrastructure Security (CISA) identified 16 critical infrastructure sectors whose assets, systems, and networks help to uphold the national security and public safety of the United States.[ii] Healthcare and Public Health is one of them. This industry is responsible for defending all economic sectors against natural disasters, pandemics, and other hazards and mitigating or +minimizing their impact in collaboration with private entities. In carrying out this mission, all healthcare organizations rely on the services delivered by other critical infrastructure organizations including Energy, Food and Agriculture, Information Technology, as well as Water and Wastewater.[iii]
How Fast Is the Healthcare Industry Growing?
National health spending is projected to rise at an average rate of 5.4% each year between 2019 and 2028, and it’s expected to reach $6.2 trillion by the end of that period. Forecasts show that the health share of the economy will reach 19.7% in 2028, that price growth for medical goods and services will accelerate at an annual average of 2.4% for 2019-2028, and that Medicare spending will surge 7.6% each year during that same period. Additionally, the proportion of insured Americans will drop slightly from 90.6% in 2028 to 89.4% by 2028.[iv]
Looking even further ahead to 2040 the U.S. healthcare system will undergo three “future realities.” First, the country will see a $3.5 trillion “well-being dividend” in the form of ROI for tools, systems, and protocols that enable Americans to take an active role in their health and well-being. Second, most healthcare spending will shift from care and treatment, which was 80% of the total in 2019, to improving health and well-being, which is estimated to cover 60% of the total by 2040. Finally, a new health economy involving a revitalization of the general hospital model, a slowdown in mass-produced biopharma, and a revolution in healthcare financing will drive 85% of revenue by that time.[v]
What Are Some of the Cybersecurity Risks Facing Healthcare?
First, the convergence of Information Technology (IT) and Operational Technology (OT) opens opportunities for attack for healthcare organizations. Connecting IT and OT might help hospitals and other healthcare facilities monitor the performance of their business-critical assets and reduce downtime. But it also introduces an attack vector by which malicious actors can gain access to legacy OT systems, disrupt victims’ operations, and pivot to other network assets for the purpose of exfiltrating sensitive information.
Second, and on a related note, organizations are connecting vulnerable Internet of Medical Things (IoMT) devices to their networks. Sometimes referred to as IoT in healthcare, IoMT allows wireless and remote devices to securely communicate over the Internet to allow rapid and flexible analysis of medical data.6 Many of today’s IoMT manufacturers didn’t design their devices with security in mind. The resulting security vulnerabilities increase healthcare organizations’ attack surfaces by providing malicious actors with additional vectors that they can use to gain access to their victims’ network. If successful, attackers can leverage a ransomware infection to try to exfiltrate patients’ Electronic Health Records (EHRs), a type of information that fetches hundreds if not thousands of dollars on the dark web.
Attackers can do other things with vulnerable IoMT devices, however. For instance, nefarious individuals could use an IoMT vulnerability to produce a denial-of-service (DoS) condition on affected devices. This could result in clinical risk or even loss of life.
What Motivations Do Attackers Have for Targeting Healthcare?
Some attackers are interested in targeting healthcare organizations’ OT systems to undermine the availability and reliability of their services. The resulting disruption could benefit a competitor organization operating in the same geographical region. Alternatively, it could serve the interests of a state sponsor that holds some affiliation with the attackers.
Malicious actors might have other motivations for going after healthcare organizations. With respect to ransomware, in particular, they might reason that healthcare facilities will pay a ransom quickly following an attack so that they can continue providing patient care. They might also reason that organizations in the healthcare sector are more committed to investing in patient services than they are in funding and staffing their IT teams.
Even so, there are certain patterns that now characterize most attacks across the healthcare sector. The sector has witnessed a shift away from malicious insiders to external parties as to the source of most attack campaigns over the past few years, for instance. They’ve also seen more instances of nefarious attackers stealing personal data than medical data. These developments might point to the effectiveness of some healthcare organizations using cybersecurity investments to help to minimize instances of insider threats and to safeguard patients’ EHR.
How Are Attackers Targeting Healthcare?
Let’s examine some of the healthcare attacks that occurred in 2021.
- In February, malicious actors struck a French mutual insurance company and disrupted their victim’s operations.
- It was three months later when Ireland’s health service detected a “significant ransomware attack” on its IT system and shut it down to prevent further damage.
- Later that same month, researchers revealed that they had tracked and recorded 48 ransomware attacks against the U.S. healthcare sector since the beginning of the year.
Healthcare-related security incidents are also making news in 2022. In January, New York Attorney General Letitia James announced a $600,000 settlement with EyeMed Vision Care over a 2020 data breach. In that incident, an unauthorized individual compromised an EyeMed email account and leveraged that access to view messages and email attachments dating back six years. In the process, the individual might have viewed and/or exfiltrated the personal information of 2.1 million Americans including nearly 100,000 New York residents.[vi]
On January 14, news emerged of a ransomware attack affecting Maryland’s Department of Health (MDH). The incident began in early December 2021 when malicious actors infected some of MDH’s systems with ransomware and attempted to perform a distributed denial-of-service (DDoS) attack. The State’s Department of Information Technology responded by isolating and containing the affected systems within a few hours.[vii]
What Standards and Frameworks Apply to Healthcare Organizations?
The most well-known framework that applies to healthcare organizations is the Health Insurance Portability and Accountability Act (HIPAA). The purpose of this framework is to help in-scope entities to safeguard Protected Health Information (PHI). HIPAA defines this type of data as “any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.”
The framework uses “Rules” to help healthcare organizations secure their PHI. For instance, its Privacy Rule creates standards around which in-scope entities can use individuals’ PHI. It also defines the right by which individuals can understand, access, and regulate the use of their PHI by healthcare organizations. HIPAA’s Security Rule then lays out technical and non-technical controls that organizations must put in place to protect a subset of information identified as PHI by the Privacy Rule.
HIPAA is not the only compliance obligation facing healthcare organizations these days, however. For instance, at state-level regulation continues to grow in complexity with the introduction of the California Consumer Protection Act (CCPA), among other pieces of legislation. Additionally, healthcare facilities can be subject to other compliance frameworks such as PCI DSS (assuming they allow patients to pay via credit cards), the European Union’s General Data Protection Regulation, and others.[viii]
What Can Healthcare Organizations Do to Avoid Being Hacked?
All healthcare organizations should consider designing a cyber-risk management program. This will help them to gain visibility of risk in their environments with the help of vulnerability assessments and other exercises. IT and security teams can then assess those risk factors to prioritize how they’d like to reduce risk across and evolve their security strategy over time.
That said, healthcare entities need to do something else first. Specifically, they need to identify their critical systems and sensitive data. Doing so will enable IT and security teams to implement additional security measures around those systems and data. They can then use their risk management program to regularly evaluate the risks confronting those assets.
Third, healthcare organizations need to maintain robust software lifecycle processes. IT and security teams must ensure that they’re monitoring third-party software components for vulnerabilities throughout their lifecycle, for instance. They also need to validate software updates and patches that they can use to plug any identified weaknesses.
Fourth, entities in the healthcare sector should consider instituting company-wide security awareness training. This type of program will help to cultivate employees’ and executives’ familiarity with digital threats such as phishing and ransomware attacks. It’s also essential in advertising individual responsibility for the organization’s security, a recognition which is essential for creating a “culture of security.”[ix]
Finally, healthcare organizations can implement other security practices to safeguard their PHI. These measures include implementing multi-factor authentication (MFA) and isolating PHI within its own network segment.
How Can Healthcare Organizations Achieve a Strong Security Posture?
Organizations can use the above measures, particularly designing a cyber-risk management program, to create a strong security culture. But all this can be difficult to do on their own.
How Can Itegriti Help?
Protecting your IT/OT infrastructure is crucial and recent events demonstrate how a motivated hacker can wreak chaos on well-protected systems. ITEGRITI is a cybersecurity consulting and advisory firm with deep expertise gained through our work in protecting large-scale and distributed National Critical Infrastructure since those Standards first became mandatory in 2008.
The cybersecurity resilience programs we develop will help you avoid hacks, detect breaches, minimize business disruption during an event, and reduce incident recovery time. We work with organizations to align cybersecurity programs with enterprise risks and first consider existing security hardware, software, and security/compliance controls.
ITEGRITI also provides vCISO and vCompliance Team services, and an offering to provide Get Stuff Done (GSD) services.