It’s a common misconception that hackers are only after financial information, such as payment card details or login credentials for online bank accounts. The assumption that financial data is all hackers want leads other organizations and departments to lower their guard.
Businesses in the healthcare industry are often seen as easy targets and, as a result, cybercrime has a direct impact on patients. That means a cyberattack can be the difference between life and death, and hackers are taking every opportunity to exploit that urgency.
How much is patient health information (PHI) really worth?
Dark-web marketplaces might be overflowing with stolen financial data, but the most valuable information is actually anything that can be used for identity theft or held for ransom. In healthcare, data breaches cost more than they do in any other industry, with one recent study by Healthcare Informatics placing the total cost per stolen record at $408. Aside from being prime data for blackmail, records may also include financial information or personally identifiable data that may be used for targeted scams.
The most famous example of ransomware hitting a healthcare organization is the infection of the UK National Health Service in May 2017, during the WannaCry epidemic. Because healthcare staff being locked out of critical systems quite literally became a life-or-death matter, hackers knew they could expect ransoms to be paid quickly and without any resistance.
Cyberattack victims in the healthcare industry often cough up the ransoms demanded of them to regain access to their compromised systems as soon as possible, even if they have data backed up. Victims don’t have enough time to recover records by conventional means, which is why so many ransomware scams targeted the healthcare industry.
How hackers exploit healthcare organizations
Healthcare organizations are known for being easy targets since they rely on so many networked devices, external users (e.g., patients), and outdated software. Worst of all, most healthcare IT infrastructures lack an effective and overarching approach to security.
When hardware or software is no longer supported by a vendor, security updates and patches that protect against new types of malware aren’t released. For example, extended support for Windows Vista expired in 2017, which means that no more security updates are being released for it. This greatly increases the chance that any computer still running that operating system carries unpatched vulnerabilities.
Other vulnerable devices that frequently have outdated or unsupported firmware are network routers, mobile devices, and internet of things (IoT) devices. These types of vulnerabilities are especially problematic since hospitals often work with hundreds of technology vendors, which inevitably leads to a fragmented infrastructure and vulnerabilities going unnoticed.
Many healthcare practitioners are also poorly trained when it comes to cybersecurity. Although healthcare managers are all aware of the Health Insurance Portability and Accountability Act (HIPAA) and its regular security and privacy awareness training requirements, the legislation is vague with regard to exactly which measures healthcare businesses must observe to be compliant. The necessary expertise doesn’t always exist within the organization, despite the fact that cybersecurity is everyone’s responsibility.
To overcome the overwhelming security challenges in the modern healthcare environment, hospitals need the right blend of technology solutions and expertise. Safebit Solutions helps organizations address this challenge with tailor-made strategies that align with their goals. Get in touch today to find out how.