Modern healthcare relies on sharing patient data, while also striving to keep it secure. In a technology-heavy sector such as healthcare that handles sensitive data, security must be paramount. Yet those on the frontline – by the very nature of their life-saving roles – don’t necessarily have the time or inclination to always act in the most security-conscious way. According to Jonathan Whitley of WatchGuard Technologies, they need to rely on security technology, but don’t want to be bothered with complexity in terms of access, use and data sharing.
“In such a broad IoT environment patient data is always in transit, leaving endpoints vulnerable to cybersecurity threats,” he says. “The adoption of new technologies is also rapid in the healthcare sector, adding to the risk. Patient care often trumps security concerns, certainly at treatment level, but having a strong cybersecurity posture is critical to ensure the delivery of quality care across the board.”
There’s seemingly a daily barrage of news articles reporting cyberattacks. Reports suggest the number of ransomware attacks on healthcare organisations increased 94% from 2021 to 2022, with the rise attributed to attackers’ awareness of the deadly consequences of an attack and of the pressure on the targeted organisation to respond urgently. Most healthcare victims of ransomware pay the ransom.
“There is work to be done, and that starts with ensuring greater awareness of security gaps, issues, and threats,” says Whitley.
The health of the healthcare sector
Gartner Peer Insights and WatchGuard recently surveyed 100 IT and security professionals in healthcare to learn if companies are taking the necessary steps to enable a strong password security culture and posture.
“The survey revealed that almost half the respondents have experienced a data breach in the last two years,” said Whitley. “53% said they use tools targeted in software supply chain attacks – but were able to patch before an issue was detected. 78% said they have experienced service disruptions due to malicious activity and/or fell victim to a ransomware attack.”
End-of-life systems are identified as a root cause, while phishing attacks are an overwhelming shared concern, followed by ransomware.
When asked what unique security challenges make the healthcare industry more vulnerable to an attack, the top threats were seen as:
- Legacy tech/systems (81%)
- Talent gaps (58%)
- Outdated security (51%)
“The survey also underlined the range of issues an attack creates,” says Whitley. “Most said a security breach led to operational outages, followed by lawsuits, loss of IP and loss of patient data. But there are also crucial matters such as critical operating data loss, revenue loss and erosion of patient trust, not to mention reputational harm, data corruption, downtime, and recovery time. There is also the potential to reduce the level of patient care and outcomes.
“Despite people being the common denominator in all data breaches – whether intentional or not – credential protection methods, such as MFA, are not broadly adopted in healthcare. Only 24% of respondents said they have MFA authentication policies in place. Only 35% of healthcare leaders are utilising identity security to address security events – a critical point of entry in most attack scenarios.”
Many healthcare providers offer a plethora of integrated health solutions and this increasingly connected environment leaves them more vulnerable to attack.
“Beyond the firewall, 61% of healthcare leaders reveal they are most concerned about the vulnerability of cloud storage. Only 26% consider smart medical devices, intelligent tools and wearable devices as vulnerable to cyber risk.”
In terms of protocols employed to protect patient data, 68% follow specific protected health information (PHI) protocols, while 64% encrypt all patient data.
“Some 60% of those surveyed comply with all HIPAA requirements, and 43% say they follow privacy guidelines such as GDPR,” continues Whitley. “While 53% say they undertake consistent security risk assessments, just 24% employ risk-based authentication policies to control who accesses patient data. While a majority of respondents (58%) say their organisations have web-connected medical devices, more than half of those (57%) outsource cyber security threat monitoring to an MSP.”
Cybersecurity attacks, data integrity and high latency are the top three concerns the healthcare leaders surveyed have regarding web-connected medical devices.
“In the last year, the survey respondents suggest that third-party security management (54%), resource constraints (45%) and mobile device security (39%) are the biggest challenges in managing patient data security,” said Whitley.
To encourage employee adoption of security measures, healthcare IT professionals revealed they are taking measures including:
- Sending test phishing emails (68%)
- Increasing IT security training (62%)
- Adopting compliance policies (52%)
- Making corporate security certification mandatory for employees (49%)