Cybersecurity threats to healthcare organizations have grown exponentially in the last few years, according a report published Thursday.
Nearly 25% of cyberattacks in 2022 targeted the healthcare industry, according to data cited in a report from managed security company Trustwave. Data security overall is a challenge to healthcare that’s bordering on a crisis, the authors of the report said.
Three of the biggest data breaches since 2010 (see below) have been reported in the past three months. On Monday, Nashville-based hospital system HCA Healthcare reported a data security incident that may have compromised the personal information of approximately 11 million patients. In May, the Health and Human Services data breach portal listed a hack of benefits administrator company Managed Care of North America that affected nearly 9 million people. Also in May, pharmacy services provider PharMerica had a breach listed affecting 5.8 million individuals.
As the threat increases, experts say healthcare organizations need to be more vigilant than ever. Here are four takeaways from the report:
1. The cost of a healthcare cyberattack is higher than for any other industry.
The healthcare industry had the highest average cost per breach for the 12th consecutive year. The cost of a data breach in healthcare averages out to $10.10 million per incident, according data from IBM cited in the Trustwave report. In healthcare, the cost has gone up 42% since 2020.
The threat against providers temporarily halted during the first year-and-a-half of the COVID-19 pandemic. But some of the changes providers made to mitigate virus transmission presented challenges to security efforts and exacerbated the problem, said Karl Sigler, co-author of the report and senior security research manager at Trustwave’s Spiderlabs division.
“[The] administration staff was working from home [and] the hard perimeter of hospital campuses was kind of disappearing,” Sigler said. “That introduces a lot of challenges to an already challenging situation.”
The lagging defense has led many cybercriminals to actively target healthcare organizations, Sigler said.
Healthcare and public health were victims of 210 separate attacks last year, which was higher than for any other industry, according to data from the Federal Bureau of Investigation’s Internet Crime Compliant Center.
2. ChatGPT, other large language models will make certain attacks harder to identify.
Generative artificial intelligence is the capability of algorithms to automatically generate content from user queries such as text, video and images. It’s also a potential threat to data security, according to the Spiderlabs report.
While many companies have already begun investing in their own models, there were initial fears large language models would begin writing malicious code. That threat hasn’t yet fully materialized because the models require someone ro first understand how to code before the models produce malicious results, Sigler said.
But Sigler said AI is making it harder for employees to identify phishing scams or malicious emails.
“When you have an AI engine that speaks that language natively, and understands exactly what you’re trying to say, that becomes a lot more compelling,” Sigler said. “Those red flags, those grammatical errors, those spelling errors tend to disappear.”
The report also said healthcare systems may face an increased risk of exposure due to their reliance on third-party vendors that may incorporate generative AI into their products.
3. Healthcare lacks accurate inventory of devices.
The increased number of connected devices in healthcare further amplifies the vulnerability of the industry’s infrastructure, the report’s authors said. Devices ranging from an employee’s cell phone to medical equipment are all at risk.
Sigler said many providers don’t have an accurate inventory of connected devices.
“I see that as the biggest problem,” Sigler said. “Having a current, proper and ongoingly updated inventory of what you have, and how valuable they are to your organization…is going to help you prioritize the security controls you’ve put in place.”
Once an organization has an accurate inventory, Sigler said organizations should prioritize issuing a value to each area of data. Clinical data, for example, would likely have more controls and greater value within an organization than website analytics or marketing email lists.
“I think a lot of people just put the cart in front of the horse,” Sigler said. “They start setting up all kinds of policies and procedures…without actually understanding the complexities of implementing those policies.”
4. Personally identifiable medical information is available on the dark web
Stolen information potentially taken from U.S.-based healthcare organizations is likely available on the dark web, according to the Spiderlabs’ report.
There were 8,000 logs claiming to have information from U.S.-based healthcare organizations available on the RussianMarket forum, a popular underground marketplace.
For example, on CruptBB, a background forum where hackers sell information, there could be a healthcare attack advertisement that outlines the sharing of personal healthcare data such as medical records, social security numbers, phone numbers, addresses and names. According to Sigler, this is pretty typical of how advertisements on the underground forums look and the types of data offered for sale.
