Cyber-attacks on healthcare organizations have been on the rise over the past decade. Especially in the last few years, headline after headline reflects the particular vulnerability of the healthcare industry to hackers. But what’s fueling this war on healthcare data? Why is cybersecurity important in healthcare in 2022, and what can leaders do to make sure they’re ready?
Why Is Cybersecurity Important in Healthcare in 2022?
Whether it’s old-school physical or modern-day digital, security is always a business concern. In the healthcare industry, however, it’s become absolutely critical.
That’s due to a number of reasons: (1) Data in healthcare — i.e., patient information — is more profitable to hackers than data in other industries. (2) Meanwhile, the methods of attack are more sophisticated than ever, and hackers are growing bolder. (3) Factors unique to the healthcare industry, like the widespread use of medical devices connected to a larger EHR hub, make the industry more vulnerable than others. (4) And the growing reliance on third-party vendors is only giving hackers more opportunities to attack.
The good news: There are solutions to each of these challenges. But before a problem can be solved, it needs to be fully understood. With that in mind, let’s take a look at each of these 4 key cybersecurity lessons for healthcare leaders in 2022.
Lesson #1: Healthcare data is uniquely valuable.
Healthcare data is more profitable to hackers than data in other industries. That’s because it includes lots of sensitive, highly personal info that goes beyond protected health information (PHI) to frequently include social security numbers and financial info like credit card and bank accounts. There’s also an incentive to steal intellectual property data, particularly among state-based hackers.
Stolen health data “may sell up to 10 times or more than stolen credit card numbers on the dark web,” writes John Riggi, senior advisor for cybersecurity for the American Hospital Association (AHA). On top of that, Riggi notes, compromised health records cost an average of $408 each — “almost three times that of other industries.”
And because of the value of the data, attacks on healthcare providers aren’t limited to larger entities, as they are in some other industries. Organizations of all sizes are at risk — the smaller ones perhaps more so, given that they may seem easier targets for hackers.
> What’s the action item? If you haven’t yet, it’s time to take this seriously. Patient data is highly valuable — and vulnerable. It’s time to update your cybersecurity plan for 2022.
Lesson #2: Attacks are bolder, more sophisticated and more effective.
Hackers have plenty of incentives to seize healthcare data. And unfortunately, they’ve also gotten pretty innovative, using ever more sophisticated and deceitful methods to get around standard digital defenses. Many have found that, in healthcare, the most effective attacks are ransomware attacks — e.g., holding data hostage, or threatening to disrupt critical infrastructure.
“Ransomware attacks can bring hospitals and other healthcare facilities to a grinding halt,” writes Steven Briggs at Scrubs Magazine. “Hackers may hold digital files or databases for ransom. In other cases, an attack can cause the entire EHR or billing system to collapse, leaving administrators scrambling to find a solution.”
Having a higher vulnerability to ransomware means also having a higher need for security than other industries. And this variety in tactics means that the work of cybersecurity is never done — standard defenses need to be continuously reconsidered. This is all hard work, and it requires expert assistance.
> What’s the action item? Don’t skimp — invest in a strategy that fully covers your risk. And for most organizations, the first step should probably be hiring an expert consultant to help you track that risk, down to the last operational detail.
Lesson #3: Each medical device is a unique vulnerability.
Healthcare has another vulnerability that other industries don’t: Data that’s commonly transmitted through third-party devices, of all types, across a huge, patchwork telecommunications system. Each of those devices is a potential backdoor for a hacker. And as those devices age, the risk only grows worse.
“When hackers target a medical device, health systems pay the ransom to save a human life,” as Madeline Lauver writes for Security Magazine. And eventually, “each device will become legacy, and health systems need to create a bridge program determining how to manage these devices before they can be replaced.”
Devices require their own separate cybersecurity strategy. For best results, a top-to-bottom approach can help leaders map out the security liabilities for each device before purchase. And that can not only help bolster security but also save money by informing and guiding major decisions related to other operational factors like supply and order.
> What’s the action item? Devices present a unique, serious risk to most healthcare organizations. Leaders can best get a grasp of this challenge by managing device cybersecurity proactively and persistently, keeping a vigilant watch for new vulnerabilities. And that means factoring cybersecurity into purchasing decisions “from the very beginning,” as Lauver puts it.
Lesson #4: Third-party vendors represent an added risk.
One of the industry’s biggest security vulnerabilities is its widespread dependence on third-party vendors. Especially among larger health centers or hospitals, but also increasingly among SNFs, LTACs and other post-discharge providers, the use of vendors has become essential to help meet the many administrative demands faced by a modern healthcare facility.
Because healthcare data is so valuable, hackers are quick to seize any secondary path to access it — and a third-party vendor can provide the ideal back door. The reality, too, is that many of the vendors used by healthcare providers aren’t as up to speed on security as they should be. And that makes for an attractive target for hackers.
As Briggs points out, targeting third-party vendors via billing systems or EHR networks has been an effective tool for some hackers. One hospital outside of Chicago suddenly found itself under attack via its payroll provider. It was an indirect attack, but an effective one, leaving nurses without pay for weeks and compromising quality of care as well as operational integrity.
> What’s the action item? Don’t assume your partners are secure! Take the time and effort to check — or find a vendor management service (VMS) provider who can ensure top-level cybersecurity across all the vendors you use.
We Can Help You Improve Your Cybersecurity Strategy
The importance of cybersecurity shouldn’t be taken for granted! Partnering with a trusted provider of healthcare vendor management services (VMS) or managed services programs (MSP) can help make sure you’re keeping your data safe, and your organization protected.
At CareerStaff Unlimited, we’re proud to offer proven, comprehensive MSP and VMS services that are expertly designed and regularly reviewed to ensure security — a key factor in our Joint Commission Certification. Contact us today for a free consultation, and see how we can help you keep your data safe during a challenging time.