While every industry is affected by cybersecurity risks, the healthcare sector has a unique component that makes safeguarding against these especially critical: patients. If a healthcare organization’s systems are compromised, it can directly impact patient care. This makes cybersecurity not just a business issue, but a true safety imperative.
Why Is Healthcare a Target for Hackers?
Both independent threat actors and nation-state-sponsored hackers target healthcare organizations because of their perceived value. Hospitals, clinics, private medical offices, and other businesses and providers within this industry typically house a large amount of information that’s valuable both monetarily, and for intelligence purposes. This can include personally identifiable information (PII), such as names, Social Security numbers, and addresses; protected health information (PHI), like medical records; and intellectual property from research.
The Role of HIPAA in Cybersecurity for Healthcare
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates how healthcare providers, plans, and clearinghouses should manage PII and PHI. To this end, HIPAA includes a Security Rule requiring technical, administrative, and physical safeguards to secure private information. The technical aspects of this tie back to cybersecurity, specifying the following:
- Access Control
- Unique user identification
- Emergency access procedure
- Automatic logoff
- Encryption and decryption
- Audit Controls
- Integrity
- Mechanism to authenticate electronic protected health information
- Person or Entity Authentication
- Transmission Security
- Integrity controls
- Encryption
If a cyber incident occurs, the organization must:
- Execute its contingency plan, response, and mitigation procedures
- Report suspected crimes to law enforcement agencies
- Report any cyber threat indicators to federal authorities and relevant information-sharing and analysis organizations (ISAOs):
- The Department of Homeland Security
- The HHS Assistant Secretary for Preparedness and Response
- Private-sector cybersecurity ISAOs
- Report the breach to the Office for Civil Rights (OCR) as soon as possible.
- Breaches must be reported within 60 days of discovery.
Cybersecurity Incidents Can Cause Patient Safety Risks
Any cyberattack that impacts your organization’s ability to access patient records and continue normal operations is a safety risk. Without medical records, mistakes can happen. Even if your data is restored, you must exercise caution, since it may have been inadvertently or purposely altered.
In 2017, Britain’s National Health Service was hit by the WannaCry ransomware attack. Threat actors exploited a weakness in older Windows operating systems and computers without a critical patch installed. The computers at state-run medical facilities across the United Kingdom were rendered unusable. As a result, countless appointments and operations were canceled.
Similarly, a 2020 Ryuk ransomware attack against Universal Health Services (UHS), which operates more than 400 healthcare facilities in the United States and United Kingdom, left locations without phone or computer access. This required diverting ambulances and relocating patients.
In any industry, similar attacks would be expensive and time-consuming, but in healthcare, they can be truly devastating.
Those in healthcare should also be aware of the cybersecurity risks presented by medical devices that connect to the internet. These could be vulnerable to security breaches, and affect performance. While the FDA does not have reports of purposeful attacks on such equipment or any incidents where a patient was injured or killed, it is important to take precautions against this possibility.
COVID-Related Cybersecurity Concerns
The novel coronavirus (COVID-19) pandemic had significant ramifications for the healthcare industry as a whole, along with major implications for cybersecurity.
Telehealth exploded in popularity, presenting major cybersecurity risks. Video appointments faced unwelcome intruders, requiring enterprise-grade healthcare software with enhanced security features.
Additionally, the rise in ransomware-as-a-service (RaaS) has empowered threat actors with minimal skill to launch attacks. With COVID-19 test results a popular commodity on the dark web, healthcare providers have become logical targets.
Sophisticated attacks orchestrated by nation-state-sponsored hackers are also increasing. It’s believed that these threat actors are backed by Russia and China and seek to gain access to COVID-19 data and research, interrupt the vaccine supply chain, and disrupt healthcare operations.
Trust Cybersafe To Protect Your Systems & Patients
Our expert team understands the ins and outs of HIPAA, and we’re here to help safeguard your healthcare company’s systems, and ensure you remain compliant. From continuous security monitoring to breach & attack simulation, we offer a robust suite of services to protect the safety of your networks and patients. Contact us today to learn about how we can bolster your defenses.