Key cyber risks that healthcare organizations need to prepare for include ransomware, botnets, cloud misconfigurations, web application attacks, phishing, and smart device-related threats.
Cyberattacks against the healthcare industry have risen significantly since the pandemic, especially in the context of the rapid growth of telehealth services. Security vendors and researchers have seen a significant increase in phishing attacks, ransomware attacks, web application attacks, and other threats targeting healthcare providers.
The increase in ransomware in the healthcare industry this year, especially the data breach at Change Healthcare, has sparked widespread concern among healthcare executives and has become a wake-up call for the industry.
This trend is putting tremendous pressure on healthcare security organizations. Terry Ray, Senior Vice President at Imperva, said: "The healthcare industry is facing a complex set of security risks, with cybercriminals searching for sensitive and valuable data held by healthcare organizations, including patient data and corporate data."
Many organizations struggle to meet these challenges because they are under-resourced and rely on vulnerable systems, third-party applications, and APIs to deliver services.
In addition, IT systems are increasingly being used to optimize clinical interactions and patient care. For example, ambulance teams can access detailed patient records via tablet devices in the field, and the United Kingdom's National Mobility App (NMA) is being introduced to modernise and standardise all NHS ambulance services.
Implantable devices, such as loop recorders, are increasingly being used to aid in diagnosing conditions such as arrhythmias. Like wearable devices, they support telemetry and are capable of transmitting patient data. Important medical decisions are made based on this data, and advances in IT have enriched the patient data available.
The increased use of IoT and IT in healthcare has improved clinical efficiency and decision-making accuracy, but it also means that risk assessment needs closer attention. Stuart Morgan, Principal Consultant at WithSecure, points out that the days of storing patient data in locked filing cabinets are long gone.
"The impact of patient data being tampered with or compromised is obvious and well known, but the risk of service disruption – whether malicious or accidental – can have extremely serious consequences," Morgan said in an interview. "... can have a huge impact on their communities, as most of the processes are written on the premise that these systems are working properly."
Imperva's Ray and other security experts have identified multiple issues that currently pose a significant threat to healthcare organizations. Here are the six main threats.
1. Ransomware threats are on the rise
Ransomware has become one of the biggest cyber threats in the healthcare industry today. Attackers have found that medical institutions that provide life-saving treatment are more likely to be extorted than victims in almost all other industries. Many healthcare organizations are also more vulnerable due to the launch of new digital applications and services, such as telehealth services.
Since the pandemic, there has been a steady increase in ransomware attacks in the global healthcare industry. According to a study by the US Office of the Director of National Intelligence, ransomware victims in healthcare increased by 81% from 2022 to 2023. Security vendor SonicWall reports that as of 2024, 91% of malware-related medical data breaches involve ransomware.
There are numerous publicly disclosed examples of ransomware attacks targeting healthcare services and hospitals.
For example, in May 2021, Ireland's public health system was hit by a ransomware attack, causing administrators to cancel or reschedule thousands of appointments and surgeries as attackers targeted around 2,000 patient-facing systems.
In February 2024, Change Healthcare suffered a devastating ransomware attack that severely disrupted insurance claims processing, prescription drug distribution, and financial settlement, impacting hospitals, clinics, and pharmacies across the United States. In August 2024, Michigan-based McLaren Health Care suffered its second ransomware attack in 12 months.
Caleb Barlow, president and CEO of CynergisTek, said electronic health records (EHRs) and related systems are the biggest risks facing the healthcare industry today. "Past attacks have shown that when hospitals suffer a ransomware-induced shutdown, access to EHRs is shut down and patients may need to be moved elsewhere for treatment," he said. "Such an attack could prevent access to critical prescribing information and dosage for people with complex chronic diseases, such as those with diabetes or cancer," he said. "To make matters worse, hackers may even further manipulate health record data to disrupt patient care."
Historically, healthcare organizations have typically shifted this risk to cyber insurers, but that is becoming increasingly difficult, Barlow adds. Insurers now require organizations to have specific controls in place, such as multi-factor authentication and endpoint detection and response technology, before they are allowed to purchase ransomware protection.
2. Cloud vulnerabilities and misconfigurations
Many healthcare organizations have adopted cloud services as part of a broader digital transformation initiative, a shift accelerated by the pandemic and increased demand for telehealth services. As a result, patient health information (PHI) and other sensitive data are increasingly hosted in vendors' cloud environments.
Anthony James, vice president of product at Infoblox, said this trend has broadened the attack surface for healthcare organizations, making them more vulnerable to attacks on PHI, insurance information and other sensitive data. He noted that healthcare organizations often use multiple cloud vendors and services with varying security standards and practices, making it difficult to implement consistent data protection policies across cloud environments.
According to a 2021 survey conducted by CyberRisk Alliance Business Intelligence for Infoblox, 53% of healthcare IT professionals said their organization had experienced a cloud-related data breach in the past 12 months. In March 2021, PeakTPA, a provider of health plan administration services, disclosed that PHI for approximately 50,000 Medicare and Medicaid plan customers was accessed and extracted from its two cloud servers. Another well-publicized case occurred in 2020, when it was discovered that the sensitive data of more than 3.1 million patients was exposed in an unprotected cloud database believed to belong to a patient management software vendor.
More than a third (34%) of victims surveyed by Infoblox said their breach cost the company $2 million or more, 47% said they had experienced a malware attack against a cloud-hosted asset, and 37% said they had experienced an insider attack involving PHI and other data stored in the cloud.
According to a February 2024 report by healthcare software developer KMS Healthcare, 61% of healthcare companies recently reported experiencing a cloud cyberattack in the past 12 months, with 86% of the attacks resulting in financial loss or significant damage.
3. Web application attacks
Web application attacks against healthcare organizations have increased dramatically in recent years, especially during the pandemic. Researchers at security provider Imperva observed a 51% increase in web application attacks against hospitals and other healthcare targets in December 2020.
In 2021, healthcare organizations experienced an average of 498 attacks per month, with cross-site scripting attacks being the most common, followed by SQL injection, protocol manipulation attacks, and remote code execution/remote file inclusion attacks.
"From a technical standpoint, cyber application attacks are extremely challenging for under-resourced healthcare organizations," Ray said. To address this, healthcare organizations must implement controls that improve visibility into third-party applications and API connections, he noted, and only then can security teams understand who is trying to access critical data and whether such activity should be allowed.
According to a study by Verizon, web applications became the top vector for healthcare data breaches in 2021, based on an analysis of 849 incidents, 571 of which involved confirmed data breaches.
SonicWall expects that by 2024, about 60% of attacks against healthcare organizations will target Microsoft Exchange.
4. Malicious bot attacks
Traffic from malicious bots – such as those trying to scrape data from websites, send spam, or download unwanted software – poses another significant challenge for healthcare organizations. This is especially urgent as governments around the world begin to build new websites and digital infrastructure to support COVID vaccine registrations and appointments. Bad actors are attacking these new, under-tested websites in large numbers, causing a spike in malicious bot traffic.
Imperva said that in the first year of the pandemic, malicious bot traffic on medical websites increased by 372%.
"The increase in traffic can lead to downtime and disruption for legitimate users when trying to access critical services on a healthcare provider's website, which can also lead to increased infrastructure costs for institutions as they deal with constant high traffic pressures to stay up and running," Ray noted.
According to research by security vendor Barracuda, malicious bots accounted for 30% of internet traffic from January 2023 to June 2023. Imperva's latest 2024 Malicious Bots Report estimates that malicious bots account for nearly one-third (32%) of internet traffic.
Imperva reported an increase in malicious bot traffic in the healthcare industry, with 33.4% of website traffic coming from malicious bots, compared to 31.7% in the previous year.
Malicious bots can lead to medical data breaches, such as through credential-stuffing attacks on patient accounts, or scraping sensitive health information.
Imperva warns that cybercriminals target confidential health information, such as patient records, medical history, and insurance details, as the stolen data can be sold on the dark web for profit or used for fraudulent activities.
5. Increased volume of phishing attacks
Phishing attacks pose a significant threat to the healthcare industry, as they do to other industries. Once again, the pandemic has provided a unique backdrop to the increase in the volume of phishing attacks in healthcare settings. A recent analysis by researchers from Palo Alto Networks' Unit 42 team revealed a 189% increase in phishing attacks targeting pharmacies and hospitals from December 2020 to February 2021, with vaccine-related phishing attacks surging 530% over the same period.
According to vendors, in the early days of the pandemic, many phishing lures involved testing and personal protective equipment (PPE). The lures then shifted to stimulus measures and government relief packages, and finally to vaccination rollouts.
During the pandemic, a survey of 168 healthcare cybersecurity professionals conducted by the Healthcare Information and Management Systems Society (HIMSS) found that phishing is the typical initial point of attack for most security incidents.
In its report, HIMSS noted: "Phishing attacks were the main type of major security incidents reported by respondents." It also states that phishers are the primary threat actors that lead to major security incidents in healthcare facilities.
Statistics compiled by the United States Department of Health and Human Services (HHS) show that from October 2009 to the end of 2021, a total of 4,419 patient health information (PHI) breaches were reported, 18% of which involved phishing attacks or hacking of email accounts, according to the HIPAA Journal.
Phishing is also the initial vector of several high-profile attacks against healthcare facilities, such as Anthem (2015) and Magellan Health (2020).
A study in the United Kingdom medical journal BMJ found that about 3% of emails sent to hospital employees were suspected of being a threat over a one-month period.
While many employees seem to be aware of the risks of phishing and have responded appropriately, BMJ advises that ongoing education is needed, especially about the risk of leaking information that is potentially valuable to attackers through social media.
6. Smart devices
Wearable and implantable smart medical devices are proving to be a potential cybersecurity risk. These technologies can provide better analytics, help diagnose diseases and support independent living, but lapses in securing them can expose vulnerable users to potential attacks.
The late Barnaby Jack's 2011 hack of an insulin pump via Bluetooth, with a maximum attack range of about 300 meters, was a landmark moment.
Since then, security researchers at Pen Test Partners have discovered "closed-loop" insulin trial data on the public internet.
Ken Munro, managing director of Pen Test Partners, told reporters: "In one case, we could have modified the data read by a continuous glucose monitor worn on the body and automatically and remotely injected lethal doses of insulin into about 3,000 trial users. Luckily, the vendor involved responded very quickly to our report and fixed the system on the same day."
Pen Test Partners has also found security issues with other connected medical devices, including skull stimulators, medication delivery pumps, and medical robots. Fortunately, the threat posed by smart devices has been taken seriously and regulators are taking action.
For example, the United States Food and Drug Administration (FDA) introduced FD&C 524b last year to promote cybersecurity for connected medical devices.