Cybersecurity in Healthcare

Healthcare systems are under increasing cyber threat. Cyberattacks on hospitals and other healthcare providers are growing in frequency and scope. In 2019, over 500 security breaches of healthcare systems compromised more than 40 million patient records. That makes 2019 the worst year ever for healthcare security breaches and second worst for data exposures. And 2020 is already looking like another record setting year for healthcare security breaches.

These attacks come in a variety of forms such as phishing, spoofing, and other hacking techniques designed to gain unauthorized access to systems; malware that corrupts systems and data; denial of service (DoS) attacks, which flood systems with traffic rendering them unavailable; and ransomware, which blocks access to systems and data until a ransom is paid.

Cyber Threats on the Rise

Although awareness of cybersecurity threats is growing across the healthcare industry, the reality is not enough is being done to protect against attacks. Frankly, the conventional approach of installing an antivirus program will not protect a hospital system from cyber threats such as ransomware attacks, sophisticated malware intrusions, or targeted DDoS attacks.

Ransomware attacks are growing dramatically. A big reason for this is that it works ‒ targeted institutions often do pay. A standout example is a 2017 WannaCry ransomware attack that targeting Britain’s National Health Service (NHS) and businesses in 150 countries. The ransom demands netted the attackers more than £108,000 in bitcoin.

Malware attacks on the healthcare sector are rising too, particularly those from trojan malware such as Emotet and Trickbot. For example, Russian hackers carried out a ransomware attack on Milwaukee Wisconsin-based Virtual Care Provider Inc. (VCPI), which provides cloud-based hosting and IT services to nursing homes and other long-term care facilities. The hackers demanded $14 million in bitcoin for a decryption key to unlock the impacted VCPI servers. The ransomware attack blocked access to data at over 100 nursing homes, preventing retrieval of electronic health records and medication administration data. The Ryuk-type ransomware was triggered by the TrickBot virus. Trojan malware attacks on healthcare institutions rose more than 60 percent in 2019. 

Phishing email attacks are also on the rise. A phishing attack on an email account at Cancer Treatment Centers of America exposed the records of 3,904 patients in its Philadelphia Pennsylvania Eastern Regional Medical Center, and 4,559 patients in its Atlanta Georgia Southeastern Regional Medical Center. The exposed information included patient addresses, phone numbers, dates of birth, medical record numbers, other patient identifiers, medical information, and health insurance information.  In fact, many see phishing email threats as the number one cybersecurity threat to healthcare systems. 

Spear phishing emails are becoming a particular concern to healthcare providers. Cyber criminals are increasingly turning to spear phishing emails as a way to get a specific individual in an organization to inadvertently disclose sensitive information.  Some ingenious approaches are emails that impersonate a company executive or ones that masquerade as a password check.

But you don’t have to be a cyber criminal to pose a security threat. Human error from negligent insiders accounted for more than thirty percent of all security incidents reported by healthcare organizations in 2019. Take the case of University of Washington Medicine (UW Medicine), a Seattle Washington-based healthcare system. Due to internal human error, medical files of over one million patients were visible on the Internet for three weeks. The files contained records that UW Medicine uses to document when it shares patient information, for instance with public-health authorities or law enforcement. The files contained patient names, medical-record numbers, a description of the information shared, and a description of who it was shared with.