Last year, 1 in 3 people in the US were hit by healthcare data breaches in a record year for cyber-attacks on the sector, while this year has already seen one of the most serious attacks in history when Change Health was hit by ransomware gang ALPHV. The ongoing digitalization of health services data may bring convenience for providers and patients alike, but it’s clear that security infrastructure is not keeping up with the rapidly increasing risk level faced by hospitals and the vendors that support them.
Such breaches are disastrous for everyone involved. The immediate impact is a delay in medical treatment if health systems are shut down by an attack, while protected health information (PHI) leaking can result in patients becoming targets for further crimes if sensitive data is sold via online black markets. As for healthcare and healthtech companies, they can be hit with hefty fines for HIPAA violations and find themselves on the receiving end of class action lawsuits, not to mention the reputational damage that might ultimately be more costly in the long run.
It’s too late to put the brakes on digitalization, so what can the healthcare industry do to secure its data?
How healthcare became the number one target for cybercriminals
The healthcare sector is the ideal target for cybercriminals. For one, PHI is especially valuable on the black market due to its sensitivity and the intimate details it reveals about the patient. This data is stored and processed in vast quantities, and a single breach can see attackers take off with thousands or even millions of records. Then there is the massive potential for serious, life-threatening disruption, which means that ransomware attacks can demand a higher price to bring systems back online.
Not only is the incentive high for cybercriminals but there are numerous vulnerabilities they can exploit due to the complexity of today’s healthcare systems. Hospitals, clinics, pharmacies, payment processors, insurance providers, and professional and patient-owned medical devices have all been brought online, all transfer data between them, and all provide vectors for attack. One link in this data supply chain might have airtight security but, if the link next to it is weak, then it is still vulnerable.
As healthcare systems become more vulnerable to attacks, cybercriminals are becoming more sophisticated. For example, where typical attacks used to rely on an unwitting victim downloading executable code, we now see a rise in “fileless attacks” where trusted programs running in memory are corrupted to become malware instead, making them much harder to detect.
The barrier to entry for being a cybercriminal has also lowered thanks to the proliferation of ransomware-as-a-service (RaaS). In the same way software-as-a-service (SaaS) has simplified access to various technologies, RaaS allows people with little to no development knowledge to launch ransomware attacks with “leased” malware. Cybercrime has proven to be an innovative technology sector of its own.
Why emails are still the biggest vulnerability in healthcare cybersecurity
The first and most important step healthcare companies can take to protect themselves is fortifying their email security as it is the most common attack vector in cyber-attacks. Healthcare companies must also scrutinize the security of their entire email supply chain; the massive HCA Healthcare hack that exposed 11 million records — last year’s largest healthcare breach — originated at an external location used for automated email formatting.
Phishing — where seemingly legitimate emails are used to trigger an action in the receiver that creates a vulnerability — is the classic email-based attack, but more concerning is the rise in business email compromise (BEC) attacks. Whereas phishing emails can be detected by email security systems if the sender is flagged as suspicious, BEC attacks are launched from compromised or spoofed legitimate organizational emails, making them more convincing to security systems and users alike.
Basic email security relies on blocklists and greylists — constantly updated records of suspicious IP addresses, sender domains, and web domains — to filter out phishing and spam in real-time, but the rise in BEC attacks has rendered this approach obsolete. Blocklists can even be counterproductive, as a legitimate email address being used to launch an attack can result in an organization’s entire email system or even its wider network being blocked.
There are many steps healthcare companies can take to bolster their email security: mandatory multi-factor authentication (MFA) can prevent unauthorized logins; domain key identified email (DKIM) uses cryptography to ensure emails come from authorized servers; access to distribution lists should be restricted to limit the damage of a BEC attack; and removing open relays can prevent hackers from hijacking trusted mail servers.
But even with deploying multi-layered protection controls, email attacks can bypass security programs as they exploit human gullibility through carefully tuned social engineering. Staff training on how to identify and avoid phishing and BEC attacks can reduce risk but it cannot eliminate it; all it takes is one person in an organization to be compromised for cybercriminals to gain a foothold to launch attacks.
AI is the new arms race between email security and cybercriminals
The sheer scale of the healthcare sector — which accounts for almost 10% of employment in the United States and reaches almost the entire population — means that training-based phishing and BEC attack prevention is always going to be a Band-Aid on a bullet wound. Recent advances in AI technology — particularly machine learning (ML) and large language models (LLMs) — can finally provide effective and scalable mitigation against email attacks that exploit human error.
A large part of email security has always involved pattern recognition to detect and block anomalies, and AI takes this principle — usually applied to data signals like IP addresses and domains — and expands it to the body of emails. Apply an adaptive learning engine to an organization’s entire email system, and it can be trained to recognize normal communication, right down to language and syntax, allowing immediate alerts to any emails that don’t align with established patterns.
Of course, it’s not just email security systems that have access to AI, and now that the technology’s genie is out of the bottle, cybercriminals are deploying it as well. AI-generated phishing kits enable rapid, automated, multi-prompt engagements that can closely mimic normal communications, and can even be trained to become more effective over time, while AI-assisted coding makes it easier to develop ransomware tailored to exploit specific systems.
The best defense against AI will be more AI, which sets the scene for the next decade of cybersecurity innovation and where healthcare companies should be investing their resources. Staying ahead in this arms race will be vital to resisting the rising tide of email-based cyber-attacks, and email security systems without AI capabilities are already hurtling towards obsolescence against cybercriminals that are more sophisticated and more incentivised than ever before.
