Cybersecurity for Healthcare—Diagnosing the Threat Landscape and Prescribing Solutions for Recovery

On Thanksgiving Day 2023, while many Americans were celebrating, hospitals across the U.S. were doing quite the opposite. Systems were failing. Ambulances were diverted. Care was impaired. Hospitals in three states were hit by a ransomware attack, and in that moment, the real-world repercussions came to light—it wasn’t just computer networks that were brought to a halt, but actual patient care itself.

Cybercriminals are more brazen than ever, targeting smaller healthcare organizations for big payouts. Sure, it would be nice to believe thieves once lived by a code of conduct, but if one ever existed, it’s been torn to shreds and tossed into the wind. Sophisticated hacker groups are now more than happy to launch cyberattacks on medical clinics, nursing homes, and other health service providers. Small- to mid-sized healthcare organizations have, unfortunately, become vulnerable targets from which cybercriminals can easily steal sensitive data, extort heavy ransoms, and, worst of all, diminish critical patient care.

Ransomware and Phishing Attacks are Spreading at an Unhealthy Rate

If you work in healthcare, everything you do is important. That’s why the frequency by which healthcare organizations now come under attack is so concerning. According to the U.S. Department of Health and Human Services (HHS), there’s been a 93% increase in large breaches from 2018 to 2022. In that same period, there’s been a 278% increase in breaches involving ransomware.

Ransomware doesn’t just hold your pocketbook hostage, but also your patients’ safety. At best, you’re locked out of your systems for a moment. At worst, patient care is radically compromised. This is especially alarming if you service smaller communities, where the local population relies on your clinic, cancer center, or physician’s office as the first and last lines of critical care.

Your patients are obviously your top priority, but you also have to consider the dollars at stake. The HIPAA Journal notes that in 2021, the average ransomware payment in the healthcare industry was $197,000. And that’s an increase of 33% from the prior year!

Phishing—fraudulent emails disguised as legitimate sources attempting to solicit personal information—is now the most popular means of attack. In fact, The HIPAA Journal cites that more than 90% of cyberattacks on healthcare organizations are phishing scams. That means carelessly clicking on one email can have dire consequences for your staff, your patients, and your operation.

Aside from the potential financial burden inflicted by cybercriminals, Health Insurance Portability and Accountability Act (HIPAA) fines can also be debilitating. If you fall prey to data breaches, you can potentially be fined tens of thousands of dollars per violation. Case in point, a medical group in Louisiana recently paid a staggering fine of $480,000, settling the first-ever cyberattack investigation conducted by HHS’ Office for Civil Rights. This was all the result of a basic phishing scam where a cybercriminal gained access to the medical group’s Microsoft 365 environment, the storage point for their patients’ protected health information (PHI).

More Endpoints and Fewer Resources Make Healthcare Easier Targets

Simply put, effective cybersecurity needs both advanced technology and human expertise. However, according to the report, The State of Cybersecurity for Mid-Sized Businesses in 2023, Huntress discovered over 60% of respondents didn’t have any dedicated cybersecurity experts on staff. That’s because many small- and mid-sized businesses (SMBs) are constrained, struggling to attain just one of these core components. Due to a variety of economic factors, SMBs—both within and beyond healthcare—have had to reduce budgets, which means foregoing much-needed investments in cybersecurity products and people.

According to the Healthcare Information and Management Systems Society (HIMSS), healthcare organizations typically spend less than 6% of their overall IT budgets on cybersecurity. Making matters worse, there’s a profound shortage of cybersecurity talent, so filling internal roles with qualified candidates has become a rising challenge. And with top talent being few and far between, the best candidates are commanding top-level salaries, which at times are out of reach for smaller healthcare organizations.

Aging tech isn’t helping matters either. Outdated equipment and legacy operating systems have become easy points of access for cybercriminals. Therefore, smaller healthcare organizations are ideal targets due to weaker defenses. With limited budgets and less manpower, your IT team may be stretched thin or may not possess the cybersecurity expertise to manage evolving cyber threats.

Adding to the chaos, there are more endpoints to protect than ever before. Over the past decade, most notably throughout COVID, remote work and telehealth have grown significantly. The good news is patients can now receive care from the comfort of their own homes, and providers like you can monitor and assist them from off-site. However, this level of care demands more avenues to access data, specifically via tablets, laptops, and mobile devices. Conversely, this also means there are now more attack surfaces for unscrupulous actors to access your data.

The Threat Landscape is Evolving, for the Worse

One reason threats are becoming more frequent is because cybercriminals are becoming more organized. And more ruthless. It’s no longer a mischievous loner in a dark basement, hunched over a monitor, hiding behind a black hoodie. These are sophisticated criminal entities that can carry out carefully choreographed heists. Imagine Ocean’s Eleven, but with less style and far less remorse.

U.S. intelligence has even uncovered hacking groups tied to hostile nations. Also known as advanced persistent threats (APTs), these state-sponsored cybercriminals have the means to debilitate everything from water-treatment plants to natural gas pipelines to electric grids. If these groups have grown powerful enough to take out military and civilian infrastructure, your small- to mid-sized healthcare organization is no challenge. For them, you’re just a drive-by ATM.

In the Huntress report, The State of Cybersecurity for Mid-Sized Businesses in 2023, it was revealed that nearly 25% of SMBs have either suffered a cyberattack or didn’t even realize they had suffered one in the past year.

Cybercriminals are now hiding in plain sight. They’ve advanced beyond the point of standard ransomware tactics, and they’re “blending into” your normal IT operations to exploit built-in system functionalities. This makes it easier for them to gain control over legitimate applications, such as remote monitoring and management (RMM), to manipulate your systems. For instance, cybercriminals can use living-off-the-land binaries (LOLBins)—trusted executables pre-installed on your operating systems—and exploit them for malicious intent. If these threat actors are no longer just relying on custom malware, then your standard spam filters or anti-malware solutions just aren’t enough. Therefore, you need visibility into your entire security system.

You Can Take Action Now with a Few Solutions

When it comes to healthcare cybersecurity, there’s a lot on the line—including lives—so it’s important that organizations like yours are vigilant and proactive. Because no single layer of your security is completely safe anymore, you must adopt a defense-in-depth approach.

This entails creating layers to your defenses with solutions such as intrusion prevention, data encryption, threat detection, patch management, and more. So if a threat bypasses one of these countermeasures, there’s another layer to stop it from slipping through the cracks. A layered approach, however, likely requires ongoing monitoring and fine-tuning. If you happen to lack the in-house resources and expertise to manage your cybersecurity, rest assured there are a variety of simple solutions you can still implement to achieve effective protection, with one of the most potent being a managed EDR.

Security Awareness Training (SAT)

Introduce SAT to educate your staff on cybersecurity best practices. These programs can include phishing simulations and relevant cyber threat lessons that can guide them to make smarter decisions to keep your organization and your patients safe. When it comes to SAT programs, it’s advised you introduce engaging, story-driven lessons, as those are proven to be more effective for knowledge retention.

Multi-Factor Authentication (MFA)

MFA adds an extra layer of protection by requiring your staff to use a second verification factor, such as a personal phone or a security token, to gain access to an account. You’ve likely seen MFA used when logging into your banking app or even your go-to streaming service. The benefit of MFA is it goes beyond usernames and passwords, which can easily be lost, forgotten, or stolen.

Managed EDR

This can be the most powerful and cost-effective solution for your healthcare organization. By coupling advanced technology with human-led analysis, a managed EDR performs critical cybersecurity tasks on your behalf, namely:

• Monitoring and collecting endpoint data
• Detecting and investigating threats
• Triaging alerts
• Providing actionable remediation steps, including one-click solutions

Easy to deploy, Huntress Managed EDR is fully managed and monitored by a 24/7 Security Operations Center. These cybersecurity experts have your back from the first signs of suspicious activity all the way to remediation.

Huntress Safeguards Healthcare’s Cybersecurity Needs

As healthcare organizations sit in the crosshairs of cybercriminals, it’s absolutely vital you keep your defenses up. This is especially important in a world marked by ever-expanding threats and shrinking budgets.

Cybercriminals are now smarter, more coordinated, and definitely more unforgiving. They don’t care who they hurt, just so long as they can turn a quick profit. Therefore, it’s critical you bolster your cybersecurity in order to protect your organization, your staff, and your patients.

Building a thorough defense infrastructure, however, requires sizable capital, resources, and expertise. While smaller healthcare organizations can find it difficult to prioritize these, there are solutions. Evaluate potential risks. Educate your staff on cyber threats. And adopt a managed EDR. Just like in medicine, even the most basic preventive measures can stop the spread of something far more harmful.

Schedule a Trial Today

Huntress can help healthcare organizations like yours remain secure from ever-evolving cybersecurity threats. Schedule your free trial today.

Attending HIMSS 2024?

In Orlando, from March 11 to 15, you can visit Huntress in Booth 1616. Come learn more about how Huntress can help your healthcare organization thwart cyberattacks.