Hospitals and healthcare systems have never been more threatened by cybersecurity risks. According to a 2023 survey, 88% of healthcare respondents reported that their organization had experienced one or more cyberattacks in the past year alone.Disclosure 1
With so much at stake, healthcare leaders need to stay on top of the latest threats, continually update their defenses against attacks, and regularly test their response plan for when a breach occurs.
Hacker attack methods and motives
While cyberthreats can take many different forms, attacks on healthcare organizations typically fall into these three categories:
- Ransomware strikes are the most common form of cyberattack endangering healthcare organizations. In this type of cybercrime, hackers enter a system, encrypt data, and lock staff out until a ransom is paid. Ransomware attacks do not always involve the theft of data, but they can hinder—or completely block—an organization’s ability to function until full access to the system is restored.
- Data breaches in the healthcare sector are up more than 30% since 2022.Disclosure 2 It’s become increasingly expensive for hospitals and healthcare systems to respond to and clean up from these attacks—the average per-incident cost to healthcare companies reached $10.9 million in the first half of 2023.Disclosure 3 Breaches that include social security numbers, birth dates, credit card numbers, and health records put patients at risk of identity theft and financial loss as hackers routinely sell sensitive personal data on the dark web
- Financial fraud is the third most frequent category of cyberattack on healthcare organizations and often involves a third party. In one common scenario, a cybercriminal reroutes money by changing a vendor’s payment instructions. Success hinges on an internal lapse or procedural misstep. Perhaps a busy staff member gets an urgent email, purportedly from their CFO, with instructions to change the routing and bank account numbers and immediately send out funds. If the staff member acts without verifying the request, the hackers can collect their windfall and disappear quickly.
As attacks evolve, so must defense tactics
When it comes to cyber defense, the attacker has an inherent advantage: The organization’s defenses must operate at 100% effectiveness to thwart an attack while the cybercriminal only needs to be right once. That leaves hackers free to make multiple attempts and experiment with fresh tactics while the threat defenders must work to protect against every vulnerability.
Social media remains popular among cybercriminals for harvesting both personal and organizational information to exploit. Once they’ve compromised credentials through phishing or other types of social engineering attacks, hackers can get into a system and potentially access personnel, patient, and financial data.
Legacy software—and hardware—provide another potential entry point. Outdated systems and applications lack the modern firewalls and security tools needed to repel attackers. Hospitals and healthcare systems often rely on older systems with software that is no longer supported, leaving security vulnerabilities unaddressed and putting the organization, and its patients, at risk.
Cybercriminals can also target networked devices. The more connected devices a healthcare organization uses, the more cyberattacks it tends to experience.Disclosure 4 Hackers can enter a network and take control of connected devices and healthcare applications including heart monitors, infusion pumps, electronic timecards, and operating room schedules. This type of attack can significantly disrupt clinical operations and threaten patient safety. It’s also difficult to contain.
Mounting a solid defense against these threats is critical. While no strategy can keep hackers at bay 100% of the time, a layered approach to cybersecurity can minimize the risk. Based on their extensive data, insurers prioritize the following security tactics:
- Mandatory multifactor authentication
- Rigorous identity access policies and procedures
- Agile detection, response, and patching capabilities
- Functional backup solutions that allow data and system restoration
- Network segmentation controls that limit lateral movement within the system
- Regular cybersecurity testing to identify potential vulnerabilities
- Robust incident response and business continuity plans
The weakest link: Third-party risk management
As in other industries, healthcare organizations increasingly rely on third parties to deliver services and perform business functions that enhance care, maximize efficiency, and reduce costs. While these arrangements offer financial and operational benefits, relationships with third-party service providers are frequently a point of vulnerability because the outsourcing model inherently involves more individuals and data transfers, thus widening the scope of cybersecurity exposure.
The percentage of healthcare data breaches caused by third party vulnerabilities is rising quickly, more than doubling between 2019 (10%) and mid-2023 (21%).Disclosure 5 If outsourcing is part of your organization’s business approach, prudent risk management requires stringent security standards and rigorous compliance. Verify that all third-party vendors and business associates maintain adequate cybersecurity standards, controls, and programs.
Mitigating your cyber risks
As cyberattacks on healthcare organizations have become more frequent and costly, cyber liability insurance, or cyber risk insurance, has become an important component of comprehensive cyber security plans. This insurance helps protect businesses from the financial cost and liability associated with cyber incidents including losses associated with data breaches, data theft, ransomware attacks, business interruption, and liability resulting from lawsuits, as well as related regulatory fines and penalties.
A security assessment and the level of coverage chosen determines the availability of coverage and the premium cost. Just as homeowner’s insurance rewards policyholders with lower premium costs for burglar alarms, sprinklers, and smoke detectors in much the same way, cyber insurance policies often require—or reward through lower premiums—an array of best practices, such as dual factor authorizations, up-to-date firewalls, and robust testing.
Once insured, your interests are aligned with your carriers to reduce the risk of loss. You might find that your carrier offers valuable educational programs and tools to help you defend against cyber-attack.
A game plan for when cyber-attack occurs.
What happens if you are attacked? There are times when even the strongest defenses against cyber threats aren’t enough, and an attack is successful. Prepare for what to do if a breach occurs. It will help you contain the damage to your health system and its patients and support a quick recovery.
A good place to start planning is with a cross-functional incident response team charged with preparing for a potential cyber event. The Incident Response Team should develop and maintain a comprehensive response plan for potential cyberattacks. This team should include both internal and external members, including internal information security personnel, executive management, external cybersecurity experts, data forensics experts, legal counsel, the cyber insurance broker, and both internal and external communication personnel.
The team’s first order of business is selecting a team leader or project manager who is responsible for coordinating response efforts. It is important that this team meets periodically and tests the plan considering different scenarios. The plan should be updated periodically based on industry best practices and real-world threat assessments.
A step beyond planning is a dry run for a cyber-attack. Practicing your response steps can reduce the time it takes to activate your plans, move to backup systems, respond to community and media inquiries, and ensure your organization stays focused on taking care of your patients.
Actions to take when a cyber incident happens
Set the response plan in motion. Each response may be different depending on the circumstances, however responses to cyber events generally include the following key actions:
- Mobilize the Incident Response Team.
- Identify and isolate the threat. Once a cyber event is detected, attempt to isolate affected systems to prevent further ramifications. Conduct a thorough assessment to understand the extent of the damage.
- Implement the appropriate Response Plan once the threat has been identified and isolated.
- Notify the cyber insurance provider. Work with the insurance broker to report the incident to the cyber insurance provider. Incorporate their recommendations into the response plan as applicable.
- Develop an action plan to mitigate the impact of the breach, repair systems, restore data, and strengthen security measures.
- Preserve evidence. Document and preserve evidence related to the incident for potential legal and law enforcement purposes.
- Engage law enforcement. If necessary, involve law enforcement agencies in the investigation, especially in the case of a serious cybercrime.
- Engage your public relations and communications team. Work with your insurer-approved public relations firm to develop a communication strategy for both internal and external stakeholders. Be transparent and provide updates to affected parties as information becomes known.
- Consult with legal counsel and regulatory compliance. Ensure compliance with data protection and privacy regulations—particularly data involving patient health information. Be especially mindful of the FTC’s Health Breach Notification Rule and the HIPAA Breach Notification Rule.Disclosure 6
Conduct a comprehensive post-incident review and documentation process. Gain a thorough understanding of what happened. Identify vulnerabilities that led to the incident and implement stronger security measures to prevent future incidents. Assess the readiness and response of the Incident Response Team as well as the response plan. Document any lessons learned for future reference and modify the response plan as needed