This post was originally published by (ISC)² Management .
Cyberattacks in the Healthcare Industry are Increasing
The use of technology in the healthcare sector can be both life-saving and life-threatening. Advancements in technology, like 3D printing, virtual reality, robotics, and Internet of Medical Things (IoMT), improve the ability of healthcare organizations to provide better care for their patients.
At the same time, criminals leverage this same technology for malicious ends, either stealing protected health information (PHI) and other sensitive data or disrupting the operations of healthcare providers. The recent COVID-19 pandemic is a good example of the attack vectors criminals are using. Taking advantage of people’s increased need for timely and accurate information about the pandemic, cybercriminals launched an unprecedented campaign of ransomware and phishing attacks against hospitals and other healthcare organizations, aiming to disrupt the public health system.
However, this phenomenon is not new. Reports show that the healthcare sector is one of the most targeted industries because of its exposed attack surface and its lucrative personal and medical data. The latest Verizon DBIR report indicates that financially motivated criminals use ransomware and email phishing as their preferred attack vectors to infiltrate online medical systems and steal personal and medical data. This data is then sold at a high price on the dark web.
Balancing Security and Healthcare Operations
However, while a security incident or data breach results in lawsuits, loss of revenue and a damaged reputation in other industries, in healthcare it can result in the deaths of patients. This is the key difference between cybersecurity in healthcare and in other sectors: failing to mitigate security vulnerabilities and risks can have a devastating effect on human lives.
On the other hand, the implementation of security controls must be balanced against the nature of healthcare workers’ jobs, where the goal of saving human lives has the highest priority. These controls must provide enough security without disrupting how healthcare workers operate.
Because of its importance and the complexities involved, with real life-and-death implications, healthcare is a heavily regulated industry. Regulation exists not only to ensure that drugs are safe and effective, but also to protect the confidentiality, integrity, and availability of patients’ personal and medical data. Regulations like HIPAA in the U.S., PIPEDA in Canada, and GDPR and NIS in the EU mandate physical security, cybersecurity and privacy protections for health records, whether paper or electronic. Along with security requirements, these government regulations impose heavy fines for data breaches.
Despite the regulatory framework, healthcare organizations often fail to do their homework. According to the U.S. Department of Health and Human Services, which is responsible for the enforcement of HIPAA, the majority of the fines imposed on healthcare entities involve impermissible uses and disclosures of patient information and a lack of safeguards to protect this information.
The vast majority of security incidents, no matter their scale, could have been avoided if the applicable security and privacy controls, and the professionals to operate them, had been in place. Knowledgeable and skilled security professionals, using proper technology and processes, can minimize the security risks of any organization and ensure a robust security posture.
Lack of Cybersecurity Knowledge
However, despite the importance of personal and medical data to the delivery of life-saving services, the healthcare sector suffers from a lack of skilled personnel.
According to a recent survey, one in four U.S. healthcare workers has never received cybersecurity training from their employer. The U.S. Health Care Industry Cybersecurity Task Force found that three in four hospitals have no dedicated cybersecurity professional, while another report showed that 49% of hospitals have no CISO.
These reports reveal a significant lack of cybersecurity training among healthcare workers, leaving healthcare information technology systems and electronic protected health information (ePHI) vulnerable. The cybersecurity skills shortage makes healthcare organizations more desirable hacking targets, causing direct and measurable damage to these organizations.
Read more here: https://bit.ly/2GCrQBI