Health Care Cybersecurity: Costly Data Breaches, Ensuring PII Security and Beyond

March 22, 2021
| |
4 min read

As hospitals get smarter, threat actors have more routes inside. IBM’s recent research on the health care industry shows how smart tools, which could be very valuable for today’s medical facilities, also need healing of their own. What should hospital IT security teams look out for? Our overview of the state of cybersecurity in the health care industry shows what threats are out there and how you can mitigate them.

Why Are Health Care Cyberattacks Significant?

Who counts as part of the health care industry? It’s a wide field, from companies that offer clinical services, manufacture drugs and medical equipment to related support services, such as medical insurance. These services operate in a web of partnerships including doctors, nurses, medical administrators, government agencies, pharmaceutical companies, medical equipment manufacturers and medical insurance companies.

The industry is broken down into three segments:

  1. Health care providers – hospitals, nursing homes, rehabilitation centers and teaching, research and training centers.
  2. Health care payers – government and private health insurance policies and health care fund services.
  3. Life science – pharmaceutical firms, biotechnology firms and medical equipment manufacturers.

Health Care Cybersecurity Challenges: Costly Data Breaches and a Range of Threat Actors

Figure 1 by IBM. All numbers are in millions.

The average health care data breach costs its victim $7.13 million, the highest cost in 2020 across all industries. That’s almost double the global average. Of these incidents, 80% resulted in the exposure of customers’ personally identifiable information, according to IBM’s Cost of a Data Breach report. Just 23% of health care organizations have fully deployed security automation tools. On average, it takes six months to detect a data breach. Beyond that, it takes 280 days on average for an organization to identify and contain the breach.

Figure 2 by IBM, with reference to Statista. All numbers are in millions.

With many organizations unprepared, threat actors see several advantages to launching cyber attacks. In health care, they’re mostly after money or secrets. Overall, the top five motivations behind any cyberattacks are financial, espionage, disruption, political and retaliation. Information, data and user credentials can be sold on the dark web. That’s why those are the most common things threat actors are looking to steal during an intrusion: they’re after the money.

The second most common motivation is espionage, and it is on the rise. It’s becoming more common mainly due to ongoing geopolitical and commercial tensions.

Cybersecurity Threats to Smart Hospitals

Hospital cyberattacks, like a recent one on the Brno University Hospital in the Czech Republic, are especially dangerous in the middle of the COVID-19 pandemic. This forced the hospital to reroute patients and postpone surgery. This incident highlighted how disruptive such attacks can be, since this hospital is one of the Czech Republic’s biggest COVID-19 testing laboratories.

Balancing protection against health care cybersecurity attacks with today’s ‘smart’ technology standards comes with challenges. What makes a hospital ‘smart?’ Essentially, the critical assets in smart hospitals are connected through a network and can be controlled remotely. This increases the possibility of cyberattacks. Highly critical assets for smart hospitals, such as an interconnected clinical system, networked medical devices and a remote care system, can be at risk. In addition, in order to achieve improved medical care and enhanced diagnostic capabilities, the hospital may replace legacy systems with Internet of things (IoT) components and devices. This means those systems become directly critical not only for individual patient safety but also for the overall functioning of the hospital.

In most cases, the root cause of a data breach at a health care organization is one of three factors: a malicious attack (52%), system glitch (25%) or human error (23%).

Likelihood and Criticality of Cyberattacks to Smart Hospitals

Let’s take a closer look at those three major threat factors impacting smart hospitals. As one might expect, malicious attacks are deliberate attacks by a person or organization. System glitches are highly relevant in the health care sector, particularly due to the increasing complexity and dynamics of the systems they affect. Human error can occur during the configuration or operation of devices or information systems, or the execution of processes.

Figure 4 by IBM

Health Care Threat Actors and Threat Vectors

By defending against threat actors from outside, hospitals and other health care organizations can cut down on the most likely source of an attack. Threat actors in a smart hospital can come from a variety of sources and have a variety of motivations. They could be insider threats: physicians, nurses or administrative staff with a reason to hurt the organization. Or, threat actors could be malicious patients and guests. Lastly, threats could come from remote attackers: people who for any reason use equipment to attack without being physically inside the hospital.

These potential attackers have several different approach vectors in a smart hospital to choose from. First, they could physically interact with IT assets. Another very common technique is to use wireless communication to access IT assets within range. Attackers can use wired communication with IT assets through related online tools including cloud services and online health care information systems. Finally, attackers can get in by using other people to unknowingly help them. Social engineering attacks are very common in the health care sector. They are usually where ransomware attacks start.

How to Improve Your SOC

Threats toward the health care industry are increasing year over year as hospitals get smarter. The industry has been a top target for cyberattacks in terms of both information technology and operational technology (OT). This is a critical time for hospitals and other health care organizations to invest and mature their security operations center (SOC).

One way to do this is to bring IoT and OT into the scope of the SOC’s responsibilities. Next, you can assess the existing SOC in terms of finding gaps in its capabilities.

Threats are always evolving, but information security is evolving along with them. By keeping up to date on your existing security and SOC capabilities, health care organizations can work toward smooth operations and making sure patients get the best care possible.

Asheesh Kumar
Security Architect and Consultant, IBM Security
Asheesh Kumar is a contributor for SecurityIntelligence.