Cybercriminals are hitting healthcare hard and with remarkable success. According to research by Checkpoint, the healthcare industry had the highest percentage increase in weekly cyberattacks of any industry sector in 2022, with a rise of 74% from 2021 to an average of 1,463 attacks per week. Undoubtedly, the sector is highly vulnerable as attacks often result in devastating impact, and outcomes are financially lucrative for cybercriminals. Here we dive into the motivations of cybercriminals targeting healthcare organizations. In many of their attacks, the human element takes center stage by creating chaos, shattering trust, and amplifying fear.
Players in the healthcare sector
Before discussing the motivations of cybercriminals, it’s important to reiterate how complex the healthcare sector is. In its simplest form, payers and providers work together to serve patients. Not only do we have physical facilities dependent on IT and OT, but we also have operational processes working behind the scenes performing essential tasks. Here’s just a small list of the various players involved:
- Publicly accessible healthcare facilities
- Research centers
- Manufacturers, and
- The complex public-private information technology systems required for care delivery and to support the rapid and secure transmission and storage of large amounts of data.
In total, there are millions of these entities working together in the healthcare sector. All of them are vulnerable and can be exploited.
The overwhelmed healthcare CISO
Cybercriminals take advantage of the overwhelmed healthcare Chief Information Security Officer (CISO). Security leaders new on the job are often in for many sleepless nights. Healthcare infrastructure can vary from community to community, so a new CISO can’t easily replicate a security strategy that worked for a previous organization. No hospital, manufacturer, or insurance provider is alike. Instead, CISOs must often start from scratch and spend time performing a thorough assessment of their new environment. One of the first priorities of any healthcare CISO is to ensure the entire organization measures and communicates cybersecurity risks using the same standards. Unfortunately, assessment frameworks popularized on the market are not always realistic to implement. We recently spoke with several healthcare CISOs about this matter. They lamented how legacy assessment frameworks are complex and time-consuming to implement while providing limited reporting capabilities. Cybercriminals understand that many organizations simply don’t know where their critical gaps are because it’s been too complex to measure what’s missing, what’s weak, and what’s good enough. This gives them the confidence to exploit basic security controls and processes. As the past few years have shown us, most of the attacks were not sophisticated and could have been mitigated by implementing basic cyber-hygiene principles.
The financial incentives are irresistible
Ransomware attacks are popular because cybercriminals feel healthcare organizations will pay. First- and third-party liabilities are often on the high end of the loss spectrum. Getting systems back up and running is often very time-consuming, and healthcare records have high value on the dark web.
First Party Liability:
IBM research concluded a healthcare data breach now comes with a record-high price tag—$10.1 million on average. This is just the tip of the iceberg, however, as costs can become much larger than they initially appear. Analysis of the Irish healthcare ransomware event in 2021 demonstrated that even if the victim paid $20M ransom, they would have still incurred significant recovery, restoration, and improvement expenses totaling over $100M.
Third Party Liability:
On the dark web, an individual healthcare record can be worth as much as $250. According to a 2021 report by Network Assured, author Aaron Weissman explains, “A complete medical record contains all of someone’s personal identifying information. That information can be used to register identification documents or apply for credit cards. Even incomplete medical records can be aggregated with other stolen information to create a complete individual identity profile.”
Playing into both empathy and fear
Cybercriminals love a good crisis. In the past decade, global pandemics, natural disasters, and political unrest have often been closely tied to an increase in cyber-attacks. In times of uncertainty, it’s much easier to make victims act with a sense of urgency. Some recent examples include fake websites posing as healthcare organizations, charity organizations soliciting donations, phishing emails offering financial benefits, and phony health-testing websites used to steal personal information.
An example of a phishing email offering financial benefits
Using the risk of potential loss of life due to a debilitating ransomware attack is probably the most extreme example of playing into fear. In early 2020, a breach at a German hospital resulted in a patient death because they couldn’t get the proper care fast enough. This event received significant publicity, stirring fear in both patients and providers. Who was liable? What will the costs be? As more and more healthcare facilities depend on IoT devices to monitor and detect conditions, we must be extra vigilant and hope cybercriminals do not add this to their attack toolkit. Hypothetical scenarios include manipulating devices to make sick patients look healthy and healthy patients need critical care. Chaos ensues.
How the community can fight back
Choose a simple risk assessment framework to start. We recommend NIST CSF. Legislative changes such as HR 7898 have incentivized healthcare orgs to adopt a cybersecurity framework such as NIST CSF, resulting in reduced audit cycles, and abated fines.
You can try Axio’s free NIST CSF tool for a single user.
Quantify your priority cyber threat scenarios. How much will a cyber-attack cost us? Are we leaving risks on the table? Will the patient sue the hospital? These are important considerations when building a cybersecurity program for your healthcare organization. Prioritization is dependent on understanding the financial impact of your critical cybersecurity threat scenarios.
You can request a demo of Axio’s cyber risk quantification solution here.
Cyber risk quantification doesn’t have to be a complex endeavor for healthcare security leaders. In essence, you want to focus on speed so you can demonstrate the value of cyber initiatives without significant process implementation and resource dedication.
Aim for continuous improvement. Cyber risk assessments and quantification exercises are not once-a-year exercises. Instead, you need to have a regular cadence to measure your various risks and have a process to prioritize improvement projects, make notes, set targets, document milestones, and publish easy-to-understand reports. Using a risk management platform like Axio360 ensures your entire team works together and isn’t dependent on siloed spreadsheets to take action.
Check out our eBook: Driving Continuous Cybersecurity Improvement with Axio360.
Hospitals, insurers, and providers of medical services are increasingly vulnerable to malicious cybercriminal activity. Private health records may be breached, patient care disrupted through ransomware attacks, and IoT monitoring data manipulated to create chaos and confusion. Healthcare organizations’ cyber risk scenarios must be diagnosed and understood quickly to prioritize remediation and risk reduction.
We are here to help healthcare security professionals.
The nation’s largest healthcare organizations depend on the Axio platform to build an enterprise-wide cybersecurity standard. Axio360 is a complete risk management solution designed to reduce cyber risks continuously. Healthcare organizations can identify priority scenarios and select the most cost-effective controls to protect their crown jewels. Interested in learning more about what we do? Contact us, we’re here to help.