Healthcare data breaches remain critical
The healthcare sector, whether public or private, has long been a prime target for cybercriminals. As an industry, it represents the perfect combination of valuable data and vulnerable systems. It is no wonder healthcare data breaches remain critical.
The majority of cyberattacks are financially motivated. Having captured data, cybercriminals are able to leverage the details for account access, identity theft, blackmail or simple resale. The more sensitive the types of data stored, the higher the potential value. The nature of healthcare records is that they contain a variety of sensitive, and therefore high-value, data. In several healthcare breaches this year, data as diverse as names, addresses, dates of birth, insurance information, social security numbers and diagnostic/treatment records were compromised.
The potential for financial gain puts the industry firmly on cybercriminals’ radar, but what really makes it attractive is the apparent ease with which healthcare infrastructure can be breached. The healthcare industry has been subject to a tsunami of digital transformation initiatives – accelerated by the global pandemic. As a result, customer data is being pushed out to a wide variety of IoT-connected devices to support mobile and telehealth solutions. This introduces myriad points of weakness and makes effective data protection very challenging.
The issues surrounding data accessibility are complicated further by the legacy equipment in use. Some of the older devices in medical facilities are running outdated operating systems and software that has not been security patched. These vulnerabilities are ripe for exploitation. Add to this a lack of cybersecurity training for most healthcare professionals and a “relaxed” attitude towards password policy enforcement and multi-factor authentication, and it is little wonder that 2021 was a record-breaking year for data breaches. (In the US, HIPAA recorded 712 healthcare data breaches – a 10.9% increase on the previous year.)
The Accellion FTA hack in the US exploited legacy technologies and poor security patching policies to impact over 100 companies, with the healthcare sector being hit particularly badly. A failure to patch several zero-day vulnerabilities in the file transfer application exposed the records of over 3.5 million patients. At the start of this year, Accellion reached an $8.1 million settlement in its class-action lawsuit.
Supply chain vulnerabilities are a common point of ingress for cybercriminals, and the healthcare sector is not immune to this type of attack. In 2019, a healthcare data breach at AMCA, a company providing billing services to the healthcare sector, exposed the personal and financial information of over 20 million patients. In the same year, over 2.7 million records and 170,000 hours of call recordings to Sweden’s healthcare hotline were lost because they were stored on a web server with no encryption or authentication. The breach was blamed on a subcontractor. The last example is, unfortunately, typical of the industry, where negligent breaches occur almost twice as often as malicious ones.
Prevention is better than cure
For an industry that has been hit this hard for this long, you would expect cybersecurity to be a mandated priority. After all, a data breach in the healthcare sector costs three times the global average. Despite this, cybersecurity training and awareness within the sector remain low, with large numbers not able to recognise the common signs of malware, and the sector continues to underinvest in cybersecurity.
Digital transformation is a tide that will not be turned. Over the next few years the healthcare sector will continue to embrace mobile apps and remote diagnostics, further exposing itself to an evolving threat landscape. Whilst many healthcare IT departments feel they may be over-worked and under-funded, there are some cybersecurity essentials that can be implemented to help prevent unauthorised access to the network and protect data in the event of a successful breach.
Trust nothing, encrypt everything
Any cybersecurity strategy, regardless of industry vertical, should begin with the principle of zero trust. This means leaning into solutions that were built from a security-first perspective. Networks are not inherently secure, nor is the data that traverses them. Remote working means users need to be able to enjoy the benefits of secure file sharing and collaboration.
The growth of malware as the weapon of choice for many cybercriminals means every file gateway is a potential point of ingress and every file type is a potential carrier. Zero trust means scanning every file as it crosses your network threshold and utilising proactive anti-malware to protect against the most persistent of threats, including undisclosed or zero-day exploits.
Finally, if prevention technologies fail, the best last line of defence against data theft, injection or manipulation is high-assurance encryption. It is the best way to prevent a high-profile healthcare data breach. As with the other technologies mentioned, peace of mind doesn’t need to come at the cost of convenience or user experience. Security can be both effective and transparent to the user.
If you’d like to discuss any of Senetas’ cybersecurity solutions, contact us now.