Public institutions such as hospitals have become a favorite target of hackers in recent years, especially for those deploying ransomware. However, the state of healthcare cybersecurity affects the entire industry, and challenges emerging now and in the future threaten the well-being of all medical organizations. These dangers have not gone unnoticed, and global healthcare cybersecurity spending is predicted to exceed $65 billion in the next five years.
The particular vulnerability of the healthcare industry stems from several factors: larger than average amounts of critical and sensitive data, extensive and complex infrastructures, and expanding attack surfaces from new digital technology. Healthcare organizations often manage so many patient files that their databases are overloaded and not properly organized, and larger medical facilities must maintain such high staffing volumes – including outside contractors – that the attack surface available to hackers is magnified.
In 2017, healthcare organizations experienced an average of 32,000 attacks per day. It was not uncommon for back-to-back breaches to occur day after day every month of the year. The number of people affected by each attack ranged from several hundred at the lowest to millions of patients whose records were stolen or made public.
Ransomware played a significant part in many attacks between 2016 and 2017, but hackers employed a variety of methods to extract money from their victims. In several instances the attackers simply stole the sensitive data, and some of those files were found being sold on Dark Web forums or in other venues. The ultimate fate of the rest of the data is unknown, but personal health information (PHI) is valuable to cybercriminals (at an average of $20,000 per record) as it not only includes standard identifiers, but also offers insurance details and medical history that can be used for more advanced identity theft and fraud activities.
Regulatory agencies are taking the safety of PHI much more seriously, and even accidental exposure of information can be heavily punished. Earlier this year, the New Jersey Attorney General fined Virtua Medical Group (VMG), a regional healthcare network, over $400,000 for a data leak that caused the medical records of over 1600 patients to go public online. Even though the leak was caused by an error committed by an outside contractor, VMG was found liable as the ultimate custodian of those files. This sets a precedent for greater scrutiny of healthcare professionals' compliance with data privacy regulations that designate medical facilities as the caretakers of PHI.
If you work in healthcare or another industry that is similarly beset by mounting cybersecurity concerns and lacks the scalability to address them, then a Network Vulnerability Test would benefit you greatly in measuring the strength of your network security. Visit our website or contact us to sign up today.