Why is Healthcare Data a Prime Target for Hackers?

Octavio Hernandez

The explosion of healthcare data

The concept of telehealth (or remote health) is not a new one. However, we have seen a rise in adoption levels of telehealth solutions as a result of the recent pandemic. Medical and technology professionals are making use of smartphones, AI and connected devices to boost innovation and deliver better data and ultimately better care for the general public.

The value of personally identifiable information

In our previous blog post, we highlighted how data records containing personally identifiable information (PII) could reach up to $250 per person on the black market. In addition to medical information, patient data records may contain other details such as home address, social security number, and insurance policy numbers. That makes any organization that collects and stores medical records and DNA information a highly lucrative target.

What makes healthcare a target for hackers?

The innovation in telehealth described above has produced more healthcare data than ever before. Unfortunately, this hasn’t gone unnoticed by hackers and scammers. The healthcare industry has been under increased attack from malicious actors in recent months. In this article, we analyze some of the key drivers behind this trend.

1. Underinvestment in IT and security infrastructure

Compared to other highly regulated industries such as finance or insurance, healthcare organizations spend only between 4% and 7% of their IT budget on cybersecurity, versus a 15% average for financial institutions. A study published by the Workgroup for Electronic Data Interchange (WEDI) shows that chronic underinvestment in cybersecurity has left many organizations unable to detect cyberattacks when they occur.

However, there is a renewed effort to fund cybersecurity initiatives. Cybersecurity Ventures predicts 12-15 percent year-on-year growth in the cybersecurity market through 2021. In the short term, the US Congress has allocated $200 million in funding as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. This fund was set up to help healthcare organizations provide connected care services to patients at their homes or mobile locations as a result of the pandemic.

2. The time-critical value of patient data

For hospital staff, having timely access to patient files can make the difference between life and death. In general, the implications of not having access to patient data range from the purely financial to potentially endangering the patient’s safety. For these reasons, criminals are more inclined to strike against these organizations with Distributed Denial of Service (DDoS) or ransomware attacks and demand higher-than-average ransom amounts to free up the information.

3. Lack of visibility over healthcare data

In the daily provision of in-hospital patient care, doctors and nurses depend on a wide spectrum of data such as lab results, CT scans, radiology, bedside ultrasounds, etc. Nowadays, there is a myriad of sensors and systems collecting, processing and distributing patient data. From the IT point of view, hospitals are a collection of disparate technologies and equipment with dozens of vendors behind them. This creates issues of visibility and interoperability for IT teams that are exposed when a cyberattack hits them.

4. Lack of awareness about cybersecurity practices

When it comes to the weakest link in cybersecurity, healthcare is no different to any other industry. The human element brings down the best-laid strategies and technologies. In the 2019 edition of the HIMSS Cybersecurity Survey, 59% of hospital representatives and healthcare IT professionals in the US said that email was the most common point of information compromise.

Social engineering attacks have been around for years, and yet people still fall for them. In a highly pressurised environment like a hospital, it is easy to understand how phishing can succeed. For doctors and nurses working long hours under demanding circumstances, it can be tricky to even notice they are under attack. For example, a busy doctor may click on a malicious link disguised as an X-ray image from the radiology department.

Prevention is the key

While an increase in cybersecurity budgets is a promising start towards better security in the healthcare industry, the effort needs to extend to all areas where technology plays a key role in the delivery of patient care. The adage that prevention is better than cure has never been more accurate in describing the situation hospitals face. When the costs of dealing with a data breach or a ransomware attack are weighed against planned expenditure on cybersecurity, the business case for the latter should be clear.
