05. 03. 23
While data breaches against large corporate and government entities garner the most headlines, cyberattacks against the healthcare sector have been surging in recent years. Healthcare providers have proven to be highly lucrative targets for cybercriminals—and small medical practices are no exception.
In this blog, we will explore the key cyberthreats to healthcare, why small practices are especially vulnerable, and what can be done to mitigate the risks.
Data breaches in the healthcare sector had an average cost of $10.1 million between March 2021 and March 2022, according to the IBM Cost of a Data Breach Report 2022. That’s a record high for healthcare, nearly half a million more than the national average ($9.44 million) and more than any other industry. For the past 12 years, healthcare has topped the list for the average cost of breaches.
The high costs that healthcare experiences from cyber events largely stem from regulation. Health Insurance Portability and Accountability Act (HIPAA) laws are incredibly strict and medical providers face major legal repercussions when protected health information (PHI) is compromised. A heavily regulated sector like healthcare tends to see costs amass over a lengthy period of time following a breach; IBM found that 24% of costs accrue over two years after an incident. By comparison, less-regulated industries only accrue about 8% in costs over the same time period.
Unfortunately for the medical providers, PHI is incredibly valuable for cybercriminals. Healthcare records are sold on the dark web for up to $1,000, whereas credit cards only sell for up to $110 on average.
Making matters worse for healthcare is that many threats come from within. According to Verizon’s 2022 Data Breach Investigations Report, healthcare is the industry most impacted by privilege abuse, which is when employees use legitimate access to steal data. In 22% of all privilege abuse incidents, medical data was stolen.
In terms of external threats, ransomware attacks continue to plague the healthcare sector. In February, the ransomware-as-a-service (RaaS) group BlackCat launched an attack against the Lehigh Valley Health Network (LVHN), an eastern Pennsylvania-based health system. LVHN refused to pay the ransom, and BlackCat posted patient information on the dark web, including photographs of cancer patients receiving treatment.
Healthcare payments are also a target; another common scheme involves healthcare providers’ payment processing services. The FBI issued a warning in September 2022 that cybercriminals have been employing social engineering techniques and amassing publicly available personal identifiable information (PII) to impersonate healthcare payment processor employees and redirect payments from providers. Two separate incidents in February 2022 involved fraudsters changing direct deposit information and rerouting payments totaling $3.1 million and $700,000 to accounts they controlled.
Medical providers can also be severely impacted—often through no fault of their own—by breaches at third-party providers. For example, Eye Care Leaders (ECL), which provides ophthalmology-specific electronic medical records (EMR) services, incurred a data breach in December 2021. The breach affected providers ranging from small vision care practices to the Texas Tech University Health Sciences Center, compromising more than 2 million patients.
While cyberattacks at large healthcare systems tend to receive more attention, cyber incidents impacting smaller medical practices also have been dramatically increasing. According to the Healthcare and Public Health Sector Coordinating Council (HSCC), cybercriminals are targeting smaller practices because they are generally less prepared to detect, respond and recover from attacks.
The 2022 NetDiligence Cyber Claims Study, which analyzed nearly 7,500 incidents that occurred between 2017 and 2021, found that small and medium-sized enterprises (SMEs) in healthcare were among the top five business sectors impacted by cyber incidents. Small and midsized medical practices incurred $103 million in total costs, ranging from $1,000 to $11 million and averaging out to $103,000, over the five-year period. Incidents at healthcare SMEs appear to be on a steep incline; the year-over-year average skyrocketed from $168,000 in 2020 to $541,000 in 2021. Ransomware, staff errors and hackers were listed as the top reasons for losses.
Medical providers need to be proactive in protecting their organizations against threats like ransomware. HSCC provided 10 best practices for small medical practices to defend themselves.
Email Protection Systems: While most small practices use third-party email providers, free email systems that fail to meet HIPAA Security Rule requirements should be avoided. Email systems should be configured with antivirus software and multifactor authentication (MFA), and users should be trained to identify common attacks like phishing and ransomware.
Endpoint Protection Systems: Devices like desktops, laptops and mobile devices are endpoints that provide access to your network. Medical practices can secure endpoints through practices like ensuring that only appropriate employees are listed as administrators, keeping all devices patched and updated, and enabling encryption and MFA.
Access Management: Medical practices must identify all users and maintain audit trails that monitor access to data, applications, systems and endpoints.
Data Protection and Loss Prevention: Providers can prevent the compromise of sensitive data by knowing exactly where it resides and how it is accessed. Organizations must establish clear policies, procedures and education around handling this data.
Asset Management: Medical practices should regularly perform IT asset management (ITAM) processes. These processes include capturing key information for each device like asset IDs, purchase orders and IP addresses; establishing standard procedures for procuring new devices; and decommissioning assets no longer in use.
Network Management: Network devices must be managed so they can exchange data safely. When relying on a third-party IT vendor, the medical practice should build effective network management practices into the vendor contract.
Vulnerability Management: Medical practices should establish a process to detect flaws that cybercriminals could exploit. It typically involves scanning devices and systems for common vulnerabilities, like weak passwords and outdated software.
Incident Response: When cyber incidents occur, organizations need to be able to quickly identify and neutralize them. Medical practices must have specific response procedures in place that employees are drilled on regularly. Providers should also join an information sharing and analysis organization (ISAO) or information sharing and analysis center (ISAC) to get regular updates on the latest threats to their industry.
Network Connected Medical Device Security: One emerging threat is the exploitation of vulnerabilities in medical devices, which can put patients in serious danger. Medical devices connected to networks, especially ones managed remotely by third parties, are highly vulnerable and must be carefully secured and monitored.
Cybersecurity Oversight and Governance: Owners and executives at small healthcare practices should establish a culture that emphasizes that cyber risk management is the responsibility of all users. Staff should be carefully trained on cybersecurity best practices to prevent unauthorized entry into the network, as well as their responsibilities around HIPAA laws.
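One way to put the Endpoint Protection, Asset Management and Vulnerability Management items above into routine practice is a periodic check of the asset inventory against a hardening baseline: every device is tested for current patch level, a minimal set of administrators, encryption, MFA, and proper decommissioning. The Python script below is an added example, not code from the HSCC guidance or from Rectangle Health; the inventory records, their field names, the version baselines and the approved-administrator list are all constructed for illustration and would in practice come from the practice's own ITAM or device-management export.

```python
"""Added example (not from the HSCC guidance or Rectangle Health): check a
constructed IT asset inventory against a hardening baseline. Each record is
evaluated for the controls the best-practice list names: patched software,
a minimal set of administrators, encryption, MFA and decommissioning."""
from typing import Dict, List, Tuple

# Constructed inventory records. The field names are assumptions made for this
# example; a real practice would export these from its ITAM or MDM tooling.
INVENTORY = [
    {"asset_id": "WS-001", "ip": "10.0.1.11", "os": "Windows",
     "os_version": "10.0.19045", "disk_encrypted": True, "mfa_enabled": True,
     "admins": ["it-admin"], "in_use": True},
    {"asset_id": "LT-002", "ip": "10.0.1.27", "os": "Windows",
     "os_version": "10.0.19041", "disk_encrypted": False, "mfa_enabled": True,
     "admins": ["it-admin", "dr-smith"], "in_use": True},
    {"asset_id": "MB-003", "ip": "10.0.2.5", "os": "iOS",
     "os_version": "15.7", "disk_encrypted": True, "mfa_enabled": False,
     "admins": [], "in_use": True},
    {"asset_id": "WS-004", "ip": "10.0.1.40", "os": "Windows",
     "os_version": "10.0.19045", "disk_encrypted": True, "mfa_enabled": True,
     "admins": ["it-admin"], "in_use": False},
]

# Constructed baseline: the oldest OS build the practice still accepts as
# patched. The values are placeholders, not vendor support dates.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "Windows": (10, 0, 19045),
    "iOS": (16, 0),
}

# Accounts that are allowed to hold local administrator rights (assumed).
APPROVED_ADMINS = {"it-admin"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_asset(asset: dict) -> List[str]:
    """Return the list of baseline violations for one inventory record."""
    findings: List[str] = []

    # Retired devices that still carry an address have not been decommissioned.
    if not asset["in_use"]:
        if asset["ip"]:
            findings.append("retired asset still has a network address; decommission it")
        return findings  # no point auditing other controls on a retired device

    # Patching: compare the installed build against the baseline for its OS.
    baseline = MIN_OS_VERSION.get(asset["os"])
    if baseline is None:
        findings.append(f"no patch baseline defined for OS {asset['os']!r}")
    elif parse_version(asset["os_version"]) < baseline:
        findings.append(f"OS version {asset['os_version']} is below baseline")

    # Least privilege: only approved accounts may be administrators.
    unapproved = sorted(set(asset["admins"]) - APPROVED_ADMINS)
    if unapproved:
        findings.append(f"unapproved administrators: {', '.join(unapproved)}")

    if not asset["disk_encrypted"]:
        findings.append("disk encryption disabled")
    if not asset["mfa_enabled"]:
        findings.append("MFA not enabled")
    return findings


def scan_inventory(inventory: List[dict]) -> Dict[str, List[str]]:
    """Map asset_id -> findings, including only assets with at least one finding."""
    report: Dict[str, List[str]] = {}
    for asset in inventory:
        findings = check_asset(asset)
        if findings:
            report[asset["asset_id"]] = findings
    return report


if __name__ == "__main__":
    for asset_id, findings in scan_inventory(INVENTORY).items():
        print(asset_id)
        for finding in findings:
            print("  -", finding)
```

Run as written, the script reports nothing for WS-001, three findings for LT-002 (outdated build, an unapproved administrator, no disk encryption), two for MB-003 (outdated iOS, no MFA) and one for WS-004 (a retired device still holding an address). A practice would feed the inventory from its device-management export, keep the baseline versions current as patches ship, and route findings into the same tracking used for incident response so that they are closed rather than merely printed.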
As cybercriminals continue their relentless attempts to intercept PHI and healthcare payments, medical providers have a responsibility to combat these constant attacks. Fortunately, you don’t have to do it alone. Rectangle Health employs the highest levels of security for every payment we process, and we stay on top of policy to ensure compliance with all laws surrounding sensitive data. Cybersecurity is a team effort; you can count on Rectangle Health to protect your practice and your patients.
Learn more about our security and compliance efforts.