Ever since WannaCry caused significant operational and financial damage to the UK’s National Health Service (NHS), improving cybersecurity in the healthcare sector has been an urgent priority. Yet even as the threats have escalated in volume and sophistication, investments have not always kept pace. Healthcare spending on IT security is estimated to exceed $125bn globally during the period 2020-25, but healthcare organizations (HCOs) continue to be breached in significant numbers. To mitigate the impact of such incidents, HCO IT leaders must begin their risk management efforts by focusing on data security.
Why is healthcare a target?
Cybercrime is in most cases a cold financial calculation of risk versus reward. In the case of the healthcare sector, there’s very little risk and a potentially big reward for opportunistic threat actors. Why do HCOs present such an attractive target?
- IT budget is often tight, especially in publicly funded systems, but also in market-driven healthcare systems where margins are small. That means skills shortages, under-investment in security controls, and poor application of policy.
- Staff are under extreme pressure, especially those on the clinical front line. They need rapid access to data and IT systems from different locations. This makes security more complex and shadow IT workarounds more likely. Plus, users under pressure are more likely to make mistakes, such as clicking on phishing links.
- HCOs have relatively large IT ecosystems comprising various hospitals, frontline clinics, pharmaceutical firms, and colleges or universities. This creates more points of access to clinical data and critical systems, and more opportunities for exploitation.
- HCOs have a large attack surface of complex heterogeneous systems, including potentially under-secured desktops and devices, and legacy OT equipment like MRI/CT scanners, which are difficult to take offline to patch. The move to cloud has created yet another surface for attackers to probe, as many HCOs don’t have the skills to properly configure or secure such systems.
- Patient data is a valuable commodity on the cybercrime underground. Electronic health records (EHRs) may contain not just personal details that could be used for blackmail and identity theft, but also financial and insurance information.
- Ransomware actors calculate that HCOs are more likely to pay because IT systems are critical to patient wellbeing and must be kept online. Two-thirds of global HCOs were hit by ransomware last year, up from just a third in 2020, according to one estimate.
- COVID-19 has made everything worse, enticing more ransomware actors whilst putting even more financial and operational strain on HCOs dealing with an influx of patients. Security has sometimes been de-prioritized as a result.
What’s the impact of cyber-threats on HCOs?
HCOs experience the same reputational and financial impact from security breaches as any organization. These costs include customer churn, legal fees, IT overtime and forensics charges, and potential regulatory fines. The NHS breach cost the organization £92m ($115m), while in Ireland, a ransomware attack on the Health Service Executive (HSE) last year could cost several times that.
For the past 11 years in a row, healthcare has been the most expensive sector in terms of data breach costs, according to one report. Average costs per organization increased nearly 30% year-on-year to reach $9.2m in 2021. That’s not to mention the potential impact on patient wellbeing that can stem from operational outages and serious cyber-incidents. It’s not just about ransomware making systems unavailable. A 2019 study claimed that even hospital data breaches could increase the 30-day mortality rate for heart attack victims.
Protecting healthcare starts with protecting patient data
Given the challenges facing the healthcare sector, it pays to start with the basics. That means data-centric security: the use of encryption or tokenization to render any sensitive EHRs, corporate data or R&D IP unusable to threat actors. Securing the HCO’s crown jewels in this way could help to reduce the costs associated with compliance and cyber-insurance policies, whilst also lowering related cyber risk. With data put beyond the reach of attackers, HCO IT leaders can focus more clearly on updating cybersecurity strategy for the post-COVID era.
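As an added illustration of the data-centric approach described above (example code written for this page, not the author's or any vendor's product), a minimal tokenization scheme for EHR records: classified fields are swapped for tokens, the token-to-value vault lives apart from the records, and identifiers that analytics still needs to join on get deterministic HMAC-based tokens so that a stolen copy of the records carries no usable patient data. The field policy, the sample records and the HMAC-based token construction are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed policy: sensitive EHR fields, and whether each needs a deterministic
# token (records stay joinable on it) or a one-off random token.
SENSITIVE_FIELDS = {"patient_name": "random", "nhs_number": "deterministic",
                    "insurance_id": "deterministic", "diagnosis": "random"}

class TokenVault:
    # Token -> value mapping, stored apart from the tokenized records.
    def __init__(self, secret: bytes) -> None:
        self._secret = secret            # HMAC key for deterministic tokens
        self._store = {}

    def tokenize(self, field: str, value: str, mode: str) -> str:
        if mode == "deterministic":
            # Same field+value gives the same token; not recomputable without the key.
            mac = hmac.new(self._secret, f"{field}:{value}".encode(), hashlib.sha256)
            token = mac.hexdigest()[:24]
        else:
            token = secrets.token_hex(12)
        self._store[token] = value
        return "tok_" + token

    def detokenize(self, token: str) -> str:
        return self._store[token[len("tok_"):]]

def tokenize_record(record: dict, vault: TokenVault) -> dict:
    # Copy of the record with every classified field swapped for a token.
    out = dict(record)
    for field, mode in SENSITIVE_FIELDS.items():
        if field in out:
            out[field] = vault.tokenize(field, out[field], mode)
    return out

# Constructed sample records (not real patients); the same patient appears twice.
RECORDS = [
    {"patient_name": "Jane Doe", "nhs_number": "1234567881", "insurance_id": "INS-0001", "diagnosis": "hypertension", "ward": "C4"},
    {"patient_name": "Jane Doe", "nhs_number": "1234567881", "insurance_id": "INS-0001", "diagnosis": "asthma", "ward": "B2"},
]

def demo() -> dict:
    vault = TokenVault(secrets.token_bytes(32))
    tokenized = [tokenize_record(r, vault) for r in RECORDS]
    blob = json.dumps(tokenized)     # what a thief of the tokenized records would see
    return {
        "leaks": any(r[f] in blob for r in RECORDS for f in SENSITIVE_FIELDS),
        "joinable": tokenized[0]["nhs_number"] == tokenized[1]["nhs_number"],
        "unlinkable": tokenized[0]["patient_name"] != tokenized[1]["patient_name"],
        "round_trip": vault.detokenize(tokenized[0]["nhs_number"]) == RECORDS[0]["nhs_number"],
    }
```

Compromise of the tokenized store alone yields nothing usable; the vault and its HMAC key are the assets that now need the strongest access controls.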
But given the complexity of HCO IT environments, it’s vital that data security partners have the expertise to continuously discover, classify and protect sensitive information wherever it resides—and at scale. As the global population continues to age and healthcare systems come under increasing strain, data-centric security could end up paying for itself many times over.