Hospitals: Prime Targets For Hackers

In The Crosshairs of Cybercriminals 

As technology and the internet-of-things (IoT) becomes increasingly omni-present, so too does the threat of cyber-attack. Unfortunately, these vulnerabilities will affect many industries, but healthcare institutions have become an especially lucrative target. Protected health information (PHI) has proven to be some of the most valuable information, fetching anywhere from $250-$1000 per piece on the Dark Web. To compare, credit card information is worth approximately $110 and a social security number fetches only $1. Then there’s the fact that hospitals rely on technology to administer life-saving care, making a successful ransomware particularly grave.

What Is Protected Health Information (PHI)?

Protected health information (PHI) refers to any data related to an individual’s health or medical history. In other words, any health care services, insurance specifics, or payment for health care that can be linked to a specific person. PHI typically includes a wide range of information, such as:

• Medical records (e.g., test results, diagnoses, treatment plans)
• Health insurance information
• Doctor's notes
• Billing information
• Identifiable details like name, birthdate, address, and Social Security number
• Prescriptions

Regulations Concerning Protected Health Information

In the United States, patient health information is protected by the Health Insurance Portability and Accountability Act of 1996 or HIPPA. According to the United States Department of Health and Human Services, there are no restrictions on the use or disclosure of de-identified health information. However, protected health information is not to be disclosed except in following situations:

• (1) To the Individual (unless required for access or accounting of disclosures)
• (2) Treatment, Payment, and Health Care Operations
• (3) Opportunity to Agree or Object
• (4) Incident to an otherwise permitted use and disclosure
• (5) Public Interest and Benefit Activities
• (6) Limited Data Set for the purposes of research, public health or health care operations
  
   

Should a security breach occur, federal law requires healthcare providers to notify the potentially effected parties of the breach. If the security breach affects more than 500 residents of a jurisdiction or state, prominent media outlets serving that jurisdiction or state must be notified by the healthcare provider.

Why Protected Health Information Is So Valuable

In the beginning of this blog, we noted that PHI is significantly more valuable to criminals than other forms of data. Unlike credit card data, which can be easily changed, canceled, or reissued, PHI is more permanent. The nefarious agents then use this data to conduct identity theft, insurance fraud, and other malicious activities – likely without the victim noticing as soon as they would fraudulent activity on a credit card. The permanence of PHI can also mean it can be more difficult to change, if it can be changed at all, and criminals may be able to exploit the information for long periods of time.

Other Cybersecurity Risks

In our blog “Cybersecurity In Hospitals: Are You Prepared?” we reference an IBM report showing that data breaches cost the healthcare industry twice as much as they do the financial industry – a 53% increase since 2020.

These attacks aren’t restricted to stealing Protected Health Information, however. Bad actors know that hospitals rely on a multitude of interconnected applications – like Electronic Health Record systems, remote patient monitoring platforms, telehealth platforms, pharmacy medication tracking software, medical imaging technology, pneumatic tube system controls, etc. – and that holding one or more hostage can affect the hospital’s bottom line.

In fact, a Verizon report states that 70% of cyberattacks employ some form of ransomware. Depending on the type of ransomware and the system affected, a ransomware attack can wreak havoc on hospital workflows – costing the facility thousands if not more in lost efficiency.

How to Protect Your Organization

Even with modern encryption technology, vigilant IT teams, and two-factor authentication enacted, breaches occur because sometimes it can be less difficult to deceive a human than a computer. Criminals understand that employees are busy completing tasks and that they don’t always have the time to investigate the authenticity of an attachment, email, or landing page.

Couple that with the fact that hackers have been able to create very official looking media. One hospital in Ontario, Canada experienced an attack like this in 2021. A pharmacy employee received an official looking email asking them to download a zip file. When that employee completed that action, the hackers were able to seize control of multiple hospital applications, demanding $2 million to restore them. As a result, the hospital spent years containing the breach and repairing the damage that had been done.

To ensure this doesn’t happen at your organization it’s important to focus on the following:

• Regular Staff Training: Conduct frequent training sessions on identifying phishing emails, using strong passwords, and following secure protocols.
• Multi-Factor Authentication (MFA): Implement MFA for all staff members to add an extra layer of security to sensitive systems.
• Data Encryption: Ensure all patient data is encrypted both in transit and at rest to prevent unauthorized access.
• Access Control: Limit access to sensitive data to only authorized personnel, using role-based access controls (RBAC).
• Regular Software Updates: Keep all software, including Electronic Health Record (EHR) systems, up to date with the latest security patches.
• Secure Network Infrastructure: Use firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs) to secure hospital networks from external threats.
• Incident Response Plan: Develop and regularly update an incident response plan to quickly address potential security breaches.
• Backup and Disaster Recovery: Maintain regular backups of critical data and ensure a robust disaster recovery plan is in place.
• Regular Audits: Conduct frequent security audits and vulnerability assessments to identify and mitigate risks.
• Device Security: Ensure all medical devices are secured and patched regularly to prevent exploitation of vulnerabilities.

The Potential For Cybersecurity Attacks Will Only Increase

As hospitals become more reliant on technology, the potential for hospital cyberattacks will only increase. Now is the time to collaborate with your IT team and internal leaders to create a plan of action that optimizes data security, increases patient safety, and minimizes the potential of a cyberattack. Healthcare leaders who take the time to invest in a culture that recognizes the importance of cyber security will ultimately be better protected in the long run.