Threat actors continue to target the health care industry. IBM’s Threat Intelligence Index for 2022 rates the industry as the sixth most targeted. That puts it close behind the energy and retail and wholesale sectors. Certain regions seem to be more prone to attack as well. The Asia-Pacific region accounted for 39% of all health care-related attacks, while North America trailed next at 33%. Coming as no surprise, ransomware is the leading known method of attack, representing 38% of cases.

Some other noteworthy attack methods are:

  • Business email compromise
  • Vulnerability exploitation
  • Server access
  • Credential harvesting
  • Misconfigurations
  • Phishing
  • Stolen credentials.

These methods should not shock readers; many of them are responsible for most cybersecurity incidents. But what makes the health care industry different? Specifically, what are the unique challenges the industry faces?

Unique Needs for the Health Care Industry

Health care attacks are particularly expensive for the victim. However, the consequences go far beyond cost. Health care organizations are particularly at risk because of:

  • The need for a fast response
  • Types of data handled
  • Types of devices used and service delivery methods
  • Investment, awareness and business drivers.

As with everyday operations, knowing your risk tolerance is vital to successful decision-making and execution. With lives at stake, risk tolerance could be expected to be low, but attacks keep happening and they are successful. Many of the health care industry’s unique challenges are, in fact, non-technical. Let’s take a look. 

Need for Speed

A perfect example related to preparedness comes out of an Immersive Labs study, the Cyber Workforce Benchmark 2022. The study found health care lags far behind in cyber crisis exercises versus other industries. Tech companies might hold up to nine exercises a year. In health care, there are often only two. The gap is wide and the results reinforce that: the health care industry had some of the poorest tabletop scores.

Simply having an incident response plan is not enough. Testing and training are essential, too. When you stress test the plan, stakeholders know what is expected of them during a crisis. Finding gaps and building mental muscle memory is crucial.

Why? Loss of service may directly result in loss of life. A health care provider cut off from offering acute or ambulatory care has lives on the line. Recovery point and time objectives – critical outcomes and data points of business continuity and disaster recovery planning – need to align with operational expectations. In this case, that means the time it takes to save a life.

Therefore, not only do incident responders in health care have less time to respond, they may also need different process requirements, such as shutting down primary systems as a precautionary measure. They might also require other contingencies, such as operating a backup system as a temporary production environment until the threat has been contained and eradicated. A Ponemon study found that 71% of 597 health delivery organizations said a successful cyberattack resulted in a longer patient stay. The costs are real.

Data Handling

Health care data carries a different level of data sensitivity. It’s full of personally identifiable information (PII) and personal health information (PHI), which is becoming all the more detailed and personal with biometric technologies on the rise.

Depending on where in the world you operate, you may have different legal or regulatory requirements for data handling and incident reporting or disclosures. It’s also important to define whether you’re simply handling an incident or whether you have been breached, as the latter has legal implications. Do not underestimate the importance of strong and clear definitions as part of your program governance. A strong privacy program can also bolster your security program, as they work well together.

Ensuring that incident responders are well aware of these requirements is essential. Your security planners need to know where your data is and how it is tagged. If your organization does suffer an incident, you do not want to be running around trying to figure out what types of data have been impacted. As incident responders put out the fire, rest assured that the lawyers are thinking about disclosure requirements and the possible lawsuit.
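The two practical asks above, aligning recovery objectives with operational expectations and knowing where data lives and how it is tagged, both come down to keeping a queryable inventory rather than reconstructing it during an incident. The following Python is an added example, not code from the article or from IBM: it holds a small constructed inventory of systems with their data tags, the jurisdictions of the data subjects, and their recovery objectives, then offers two checks a responder or planner can run: which data classes and jurisdictions a given set of impacted systems touches (so legal can start on disclosure analysis immediately), and which systems' backup cadence or measured restore time cannot meet their stated RPO/RTO. Every system name, tag and number here is an assumption made up for illustration.

```python
"""Incident triage and recovery-objective checks over a tagged system inventory.

Added example. The inventory, tags, jurisdictions and timings below are
constructed placeholders, not real systems or real obligations.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SystemRecord:
    name: str
    data_tags: frozenset[str]       # data classes held, e.g. PHI, PII
    jurisdictions: frozenset[str]   # where the data subjects reside
    rpo_minutes: int                # maximum tolerable data loss
    rto_minutes: int                # maximum tolerable downtime
    backup_interval_minutes: int    # how often backups actually run
    measured_restore_minutes: int   # restore time observed in the last test


def _rec(name, tags, juris, rpo, rto, backup, restore) -> SystemRecord:
    return SystemRecord(name, frozenset(tags), frozenset(juris), rpo, rto, backup, restore)


# Constructed inventory (assumed values for illustration only).
INVENTORY: dict[str, SystemRecord] = {
    r.name: r
    for r in (
        _rec("ehr-db", {"PHI", "PII"}, {"US"}, 15, 60, 10, 45),
        _rec("telehealth-gw", {"PHI"}, {"US", "EU"}, 5, 30, 60, 20),
        _rec("hr-portal", {"PII"}, {"US"}, 240, 480, 1440, 120),
        _rec("public-web", set(), set(), 1440, 1440, 1440, 30),
    )
}


def affected_data(impacted: list[str]) -> dict:
    """Summarise what an incident touches, given the impacted system names.

    Returns the union of data tags and jurisdictions across known systems,
    plus any names missing from the inventory (a finding in itself: an
    untagged system means the data exposure cannot yet be bounded).
    """
    tags: set[str] = set()
    jurisdictions: set[str] = set()
    unknown: list[str] = []
    for name in impacted:
        rec = INVENTORY.get(name)
        if rec is None:
            unknown.append(name)
            continue
        tags |= rec.data_tags
        jurisdictions |= rec.jurisdictions
    return {"tags": tags, "jurisdictions": jurisdictions, "unknown": unknown}


def recovery_gaps(names: list[str] | None = None) -> list[dict]:
    """Flag systems whose real backup/restore capability misses their RPO/RTO.

    A backup interval longer than the RPO means more data can be lost than
    the business accepted; a measured restore longer than the RTO means the
    system will be down longer than the business accepted.
    """
    selected = [INVENTORY[n] for n in (names or INVENTORY)]
    gaps = []
    for rec in selected:
        reasons = []
        if rec.backup_interval_minutes > rec.rpo_minutes:
            reasons.append(
                f"backup every {rec.backup_interval_minutes} min exceeds RPO {rec.rpo_minutes} min"
            )
        if rec.measured_restore_minutes > rec.rto_minutes:
            reasons.append(
                f"measured restore {rec.measured_restore_minutes} min exceeds RTO {rec.rto_minutes} min"
            )
        if reasons:
            gaps.append({"system": rec.name, "reasons": reasons})
    return gaps


if __name__ == "__main__":
    # Constructed scenario: two clinical systems plus one host nobody tagged.
    print(affected_data(["ehr-db", "telehealth-gw", "mystery-box"]))
    for gap in recovery_gaps():
        print(gap["system"], "->", "; ".join(gap["reasons"]))
```

The `unknown` list is deliberately surfaced rather than ignored: an impacted host that is absent from the tagged inventory is exactly the "running around trying to figure out what data was impacted" situation the article warns about, and it should be treated as a tagging gap to close before the next exercise. The recovery check is meant to be run on a schedule, not only during an incident, so that a backup job that quietly drifted to a slower cadence is caught while it is still a planning problem.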

Devices Used and Service Delivery Methods

Medical internet of things devices come with perils. After all, it’s not only the device but the medium of delivery that matters. Think of how much PHI is floating over telehealth platforms now. Not only do incident responders have to contain and eradicate an event or incident, but each issue will also need a definitive tie-off because of the PII or PHI implications (regardless of severity). And when they are not doing that, they are probably trying to patch up and upgrade systems across disparate devices, operating systems and applications!

Investment, Awareness and Business Drivers

While health care organizations aren’t always entirely profit-driven, they still need to be concerned about money. According to the Threat Intelligence Index, three industries account for nearly 60% of cyberattacks: manufacturing, finance and insurance, and professional and business services. The important connection here between these industries and the health care industry is business drivers.

The first three are very much profit-driven, making them attractive targets for malicious actors. Being profit-driven also shifts priorities: when the business succeeds, it can invest more resources in information, infrastructure, security and privacy measures.

Some sectors of the health care industry are very profit-driven, too. However, their situation is not nearly as clear-cut, or across the board, as the others. For example, companies focused on research and development (such as the pharmaceutical industry) are very profit-driven, and more specifically, product-driven. They want to protect their intellectual property.

Other health care organizations have an element of profit but are in general more service-driven (think of those administering care). These organizations face staff burnout and limited resources. Incident response handling and preparedness can make a world of difference in someone’s life.

Keeping Manageability and Emotions in Check

Perhaps the most distinctive challenge for incident responders in health care is the small margin of error. Next-generation technologies, such as artificial intelligence and improved monitoring capabilities, should definitely be examined and integrated where possible. They could lighten the load of incident response staff through automated response and orchestration.

Because of the small margin of error, health care providers need to look closely at their overall resilience posture. It’s about more than just an incident response plan. It is crisis communications, input and collaboration from legal, and practice to build up the response muscles. Attacking health care services gives threat actors a chance to use one of their favorite tactics: preying on emotions. If you are calm and cool in your response, well-resourced and prepared, an attacker may just find you are not worth their time.
