Just before the July 4th weekend, Professional Finance Company (PFC USA) notified the patients of 657 healthcare providers across the country of a data breach. Healthcare providers seem to be constantly in the news, hit one after another by breaches, cyberattacks and ransomware.
In case you think that may be overstated, take a look at the news. In the last month, healthcare firms in Alabama and Colorado experienced data breaches affecting half a million patients, an email breach in Illinois affected another 500,000 patients, the Supercare Health data breach impacted over 300,000, healthcare tech company Omnicell was hit with a ransomware attack, Eye Care Leaders suffered a cyberattack, and MCG Health announced that the data of 1.1 million individuals had been compromised.
Just today, CISA put out a warning regarding Maui ransomware being used by North Korea to specifically target the Healthcare and Public Health (HPH) sector.
What makes healthcare a prime target for threat actors around the world?
- Impact: Let’s get the obvious out of the way. Healthcare is a critical sector in every country and therefore, the perfect target for those wishing to do harm.
- Multiple Access Points: Medical devices are easy prey. They run on networks, but weren’t built with security in mind. They provide multiple (often unsecured) access points for hackers to attempt to infiltrate.
- Data Sharing: It is critical that healthcare professionals share patient data, often with urgency, for the benefit of the patient. This need to be open and shareable overshadows the importance of security and access management. The many devices used to distribute and share the data are often not properly secured, and one hacked device can expose an entire organization.
In short, the attack surface is huge and the security is lacking.
The difficulty in updating healthcare information systems is real. Information is in constant use, the scale of such an undertaking is huge, and it is simply a challenge to keep up with persistently escalating vulnerabilities. Large-scale solutions can be implemented, but are not for the faint of heart (excuse the pun).
Meanwhile, there are steps that healthcare providers can take to decrease their risk of falling victim to a cyberattack.
- Compliance with HIPAA. The US government has done the thought work and established a compliance framework to ensure you are doing everything you can to secure patient data.
- Authentication. Risk-Based Authentication (RBA) should be implemented, with unusual activity flagged and monitored. Multi-Factor Authentication (MFA) can ensure data doesn’t fall into the wrong hands.
- Vulnerability management. Technology is available to alert healthcare security teams to vulnerabilities and patches unique to medical equipment and software.
Stop the row of healthcare dominoes. Take a full risk assessment with Centraleyes and see where your organization can strengthen its security.