Many consumers perceive strong web security as a non-negotiable part of dealing with an organization—especially in healthcare. A PWC study found that 85% of consumers won’t do business with a company if they have concerns about its security practices.

The expectation is that organizations must proactively manage cybersecurity and privacy risks – or lose customer trust. And that’s even more true for the healthcare industry.   

What is healthcare cybersecurity?

Technology has completely changed healthcare, but the downside is that technology is vulnerable to attacks.

Any internet-connected system can be hacked, including digital patient records, telehealth platforms, prescription systems, employee computers, email, and websites. Most healthcare organizations also have smart devices like patient monitoring devices, HVAC systems, access cards, etc.—all of which can be hacked.

When hackers attack a healthcare system, the result often leaked personal healthcare information (PHI). But there’s also a very real chance that hackers can freeze hospital systems and devices. When the UK’s National Health Service (NHS) was attacked in 2017, 20,000 appointments were canceled and 1,200 pieces of internet-connected diagnostic equipment affected.

Healthcare organizations must be diligent in protecting not only patient data, but also their physical health and outcomes.

Why is cybersecurity critical for the healthcare industry?

Cybersecurity is important for all industries, but industries that handle sensitive information (like healthcare and finance) have particularly high expectations for getting cybersecurity right.

 There are a few key reasons for why cybersecurity is critical for healthcare in particular.

Reputation

Healthcare organizations deal with immensely sensitive personal information. When patients interact with a healthcare organization, they trust their data will be protected. The reputation of a healthcare organization can be quickly destroyed if they break patient trust through a data breach.

Patient safety

As the healthcare industry relies more and more on virtual platforms and connected devices, keeping up with cybersecurity developments will be extremely important in order to protect patients.

According to the 2019 Data Breach Investigations Report by Verizon, 72% of data compromised in healthcare data breaches is medical information—and 83% of the time the motivation is financial, making it likely that patient medical data is sold or ransomed to bad actors.

That has grievous consequences for patients—financially, physically, and emotionally.

Search engine Optimization

Google and other search engines reward secure sites—especially ones that deal with sensitive information, like healthcare. In order to have a top-notch healthcare SEO strategy, you need to pay attention to web security issues like encryption and SSL certifications on your website.

medical cybersecurity illustration

Why are healthcare institutions a target?

Several federal organizations, including the FBI, FDA, and the Department of Health and Human Services (HHS), have recently warned of increasing attacks against healthcare organizations. Internationally, there have also been increased attacks in Europe and Israel, and all regions experienced increased attacks during the coronavirus pandemic, as healthcare moved more and more online.

But why are these organizations a target?

Obsolete security systems

While medical technology has come far in what it has to offer, unfortunately the security side hasn’t kept up. New technology means new vulnerabilities, so as hospitals add technology, like e-consultations, there must be a security solution to keep the system protected and secure.

Many healthcare organizations run legacy security systems, which means the system is no longer supported by the manufacturer and doesn’t receive automatic security patch updates—leaving the system vulnerable. Replacing legacy systems is often time-consuming and expensive and many healthcare organizations might not have the budget to upgrade to a maintained security system.

Poor training

Generally, medical staff are very poorly trained on cybersecurity, and yet work with extremely sensitive data, which makes accidental insider threats, such as phishing, much more likely to occur.  

According to the 2019 Data Breach Investigations Report by Verizon, 59% of healthcare cybersecurity threats are internal—both accidental and intentional. Much of those incidences could be resolved with proper training on how to operate securely, how to identify potential hacks, and how to spot suspicious internal activity.

Perfect storm for ransomware

The FBI has warned of increasing cyberattacks on healthcare organizations—especially ransomware attacks. Ransomware is software that infects and freezes an operating system until a fee is paid.

Ransomware attacks are especially effective in healthcare, because system disruptions can mean an inability to provide care, so many organizations pay the fee quickly. There have been several cases of ransomware causing hospitals to divert patients to other facilities, which has, sadly, led to deaths and poor patient outcomes.

HIPAA and healthcare cybersecurity

The Health Insurance Portability and Accountability Act came into effect in 1996 with the goal of addressing patient privacy and healthcare security.

There are three main parts of the law:

  • The HIPAA Privacy Rule: Outlines standards for how health information should be protected
  • The HIPAA Security Rule: Establishes security standards for health data that’s electronically held or transferred
  • The HIPAA Breach Notification Rule: Requires healthcare organizations to notify patients if there was a breach and their data was compromised

In the past few years, cybersecurity incidents that violate HIPAA have been on the rise. The US Department of Health and Human Services (HHS) reported by 2016, four out of five physicians in the US had experienced a cyberattack. They also estimated that the cost of a data breach for healthcare organizations was about $2.2 million per breach.

To help organizations maintain HIPAA cybersecurity compliance, the HHS outlined 10 best practices to jumpstart a better healthcare cyber security strategy:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

 

What are the most common healthcare cyber threats?

 

cybersecurity check illustration

 

Healthcare is one of the most targeted industries when it comes to cybercrime. According to the 2020 Verizon Data Breach Investigations Report, healthcare experienced more breaches than any other sector, which is largely driven by the coronavirus pandemic. 

But what does the increased number of attacks look like?

Malicious traffic

Malicious network traffic is the most common healthcare cyberattack—the security firm Wandera found that 72% of attacks on healthcare organizations are malicious traffic.

Malicious traffic is when an insecure connection to your network is created, which allows suspicious files, links, or software to be downloaded. In a healthcare setting, the most common type of malicious traffic occurs when an app accesses bad URLs that connect to servers that can download files with sensitive data or plant malware.

Phishing attacks

Email-based phishing attacks is the second most common healthcare cyber threat—HHS estimates that 42% of healthcare breaches involve email phishing.

Typically, phishing attacks look like trustworthy emails asking employees to click on a link that will take them to a website where they either input sensitive information (like resetting a password) or trigger a malware download. 

Most phishing attempts on healthcare organizations are after PHI or planting ransomware. 

Ransomware

Ransomware is a terrifying and costly threat for healthcare organizations. Hackers essentially take over hospital devices and systems until they’re paid to release them. This makes it impossible for doctors and nurses to provide lifesaving care like CT scans, ultrasounds, and more.  

According to a threat report from Cylance, ransomware attacks grew three-fold in 2017, with healthcare being affected the most by this increase. There have also been high profile cases of  hospitals paying hundreds of thousands of dollars to get their data and devices back.  

Insecure devices

Medical devices

Medical devices are increasingly smart devices, which allows healthcare professionals to treat patients more effectively and conveniently. However, smart devices naturally come with an increased risk of cyberthreats, as the devices can be hacked. In 2017, for example, almost half a million pacemakers needed a firmware update to avoid getting hacked.  

In the US, the FDA is working with manufactures, providers, and patients to create a framework for talking to patients about cyber vulnerabilities in their care and devices.  

Personal devices

Perhaps one of the easiest to understand threats to healthcare organizations is the fact that staff and volunteers access an organization’s systems with personal devices. Those personal devices might run on outdated software or be “jailbroken,” both of which pose security risks.   

It’s impossible for IT to ensure software is updated on all devices or that all devices accessing the network are secure, making the system vulnerable to hackers.  

Content Management System (CMS) attacks

A content management system (CMS), like WordPress or Drupal, helps healthcare organizations easily run and update their websites. However, most CMSs have vulnerabilities that leave them open to attacks. This is especially true if the CMS hasn’t been updated in a while, leaving it without updated security patches.

CMSs can also be vulnerable to brute force attacks, which is when multiple combinations of usernames and passwords are entered over and over again until the hacker gains access to the CMS and all the sensitive data within it. 

SQL injections

The systems that medical records are stored in and run on are usually built on SQL technology. SQL makes managing all that data easy, because you can easily extract and display specific information very quickly—which is key to a fast medical records system.

However, malicious SQL can be “injected” into the system in order to manipulate or delete sensitive medical records.

Improve your cybersecurity and protect your healthcare organization

There’s a lot your organization can do to improve your cybersecurity so you can protect your organization’s reputation, your patients’ data, and stay competitive in the market.

Here are the top ways you can start to improve:

""

Educate your staff regularly

Hold regularly trainings where you cover the importance of secure passwords, how to recognize phishing attempts, how and why to keep software updated, the importance of using secure mobile devices, etc. This will go a long way in getting everyone on the same page so you can reduce the risk of accidental internal threats.

""

Keep your technology and software up to date

When a software system releases an update, there’s often new security patches that keep known threats at bay. Make sure you update software as soon as a new version is available. Avoid legacy systems that are no longer supported by the maker, as they often have glaring security vulnerabilities.

""

Automate your web security as much as possible

Healthcare organizations face endless security threats—you can’t monitor all of them manually. Use a web security tool that automatically monitors your website and systems for suspicious activity, so you can address problems as soon as they come up.

""

Run daily website and data base backups

By backing up your website and database, you ensure there’s a fallback in place if your website is attacked or data is maliciously deleted. This will help you continue with business as usual even when attacked. 

""

Use HTTPS

Your website should be secure and encrypted, which means that any data patients enter or share on your site is safe. To do that, your site should use HTTPS, which requires an SSL (secure sockets layer) certificate. Basically, an SSL certificate ensures that the data passed between servers and web browsers is secure and private, which is very important for any healthcare website. 

""

Monitor medical devices

Medical devices like MRI scanners and pacemakers can have serious vulnerabilities. Make sure you keep their firmware up to date and check in with manufactures to make sure there are no known security risks.

You should also talk to patients about what they can do to keep their medical devices secure. The FDA has many resources to help you stay on top of device security.

Siteimprove Web Security

Exploiting website vulnerabilities is a common first step for cybercriminals. That’s why a strong first line of defense involves proactively identifying, categorizing, and managing your website weaknesses. Fortunately, protecting your website, reputation, and patients is easier with Siteimprove Web Security.   

Siteimprove Web Security simplifies cybersecurity by helping you understand and control your website’s security with regular, automatic vulnerability audits. These cyberhealth checks are then translated into a single, easy-to-understand score, presented in our intuitive user interface.   

web security siteimprove

 Armed with your website security score and actionable fixes (prioritized by severity), your team can find vulnerabilities before cybercriminals do. 

Siteimprove Web Security was built with non-specialists in mind to democratize the process of web security. We believe that everyone on your team should be able to understand web security and do their part to protect your website.  

 After all, web security doesn’t operate in a silo, it’s a critically important aspect of providing a great patient experience.