Popular culture often depicts hackers as sophisticated specialists who use advanced coding skills to wreak electronic havoc among their targets. The reality is that hackers, like many other malefactors, go first for the low-hanging fruit that is easy to pick and that guarantees a profit. For all its sophistication, the healthcare industry is a surprisingly easy and profitable target for cyberattacks, and at least for the near term it will continue to appeal to hackers who are attracted to the trove of personal data that is held by healthcare providers.
Information Week’s Dark Reading paints a grim picture of healthcare’s cybersecurity problem. Healthcare organizations reported 93 successful cyberattacks in 2016, which represents a 63 per cent jump from the 57 attacks reported in 2015. A number of factors specific to the healthcare industry are responsible for this increase.
First, interconnected diagnostic and life-support medical devices give hackers an easy back-door entry into a healthcare provider’s networks. Those devices typically do not have strong security measures, and hackers can easily load malware onto them; that malware then breaches the healthcare organization’s network when the device connects to it.
Second, by definition, healthcare organizations run life-or-death operations. If their patient care networks go down, their ability to provide care to critically ill patients will be compromised and those patients’ lives will be at risk. Hackers know this, and target healthcare facilities with ransomware that holds a healthcare network hostage until a bounty is paid for its release. Healthcare managers have no choice except to pay the ransom in order to provide necessary services to ill patients.
Third, the ease of hacking into a healthcare organization’s network is compounded by the high value of the records that hackers can steal once they have accomplished a data breach. An IBM study into healthcare network security breaches observed that health records “contain credit card data, email addresses, social security numbers, employment information and medical history records – much of which will remain valid for years, if not decades. Cyberthieves are using that data to launch spear-phishing attacks, commit fraud and steal medical identities.”
Fourth, medical facilities are notoriously lax in erecting cyber barriers against hackers. In 2013, for example, California-based Cottage Health issued a press release stating that more than 11,000 of the patient records that it stored had been compromised. That information was readily found with a Google search, without any overt hacking, because the organization failed to install any viable cybersecurity measures. In a similar vein, the Indiana State Medical Association lost two physical hard drives to thieves who simply stole them while they were in transit to storage. More than 39,000 patient records were compromised as a result of that theft. These lapses are not confined to United States healthcare organizations. The United Kingdom’s Information Commissioner’s Office (ICO) revealed that British healthcare organizations experienced more than 180 data breaches in 2014. The ICO placed the blame for more than 90 per cent of those breaches on human error and employee carelessness while managing systems that held sensitive personal data.
For many, if not all, healthcare organizations, the first step toward slowing or stopping the growing trend of cyberattacks on the healthcare industry is to significantly tighten security measures to reduce the obvious risks and to make healthcare networks something more than just low-hanging fruit. Even the most robust cybersecurity systems can be breached, however, which suggests that healthcare providers should procure data breach insurance to protect themselves from the ruinous financial losses associated with patient information that is compromised during a cyberattack. Regulatory fines and patient remuneration can run into the millions of dollars when a large pool of patient information is made public. Cyber insurance can protect healthcare organizations from the worst of the financial losses that they might experience.