Emerging Healthcare Cyber Threats & How to Protect Against Them
Ever heard the story about the boy who put his finger in a dike to plug a leak? He did it because he knew a small leak could turn into a major breach—the sea would come crashing through to destroy his town. So, he sat there all night until help came, to ensure everything would remain safe.
The real world is not a fictional Dutch legend, but cybercrime is creating a similar serious burden on the U.S. healthcare system as the sea did on that dike. Electronic protected health information (ePHI) is worth a fortune to cyber criminals and is one of the hottest commodities on the dark web, and the pressure to protect it—to keep “the sea” out—is high.
But it won’t be enough to do as the little boy did and plug a leak with your finger—you need to understand what you’re up against and how to truly protect yourself against the biggest threats. As a cybersecurity assessment firm that often works with healthcare organizations to determine their HIPAA compliance, we’re going to outline where you can start.
Healthcare cybersecurity threats will continue to be a concern in 2023 and so it’s imperative for healthcare CIOs and IT staff to be aware of the latest trends in cybersecurity—this article will jumpstart that awareness.
Top 3 Cyber Threats for Healthcare Organizations
Recently, healthcare organizations have experienced a spike in attacks due to three things:
- Their high propensity to pay a ransom;
- The value of patient records; and
- Often inadequate security.
Hackers are taking advantage of stressed healthcare employees and unprotected networks to infiltrate their systems in many different ways, but here are brief overviews of the healthcare industry’s three biggest cybersecurity threats in 2023:
1. Phishing Attacks
The numbers alone justify starting here: cybercriminals from every corner of the globe send out more than 3 billion phishing emails per day, and U.S. healthcare organizations are among their prime targets.
Phishing is the practice of sending fake emails or building fake websites that trick users into divulging login credentials or other personal information via malicious links. This attack vector can be used to gain unauthorized access to sensitive information, such as patient records and financial data, and it is the most prevalent cybersecurity threat in healthcare.
Phishing generally succeeds in this sector when a link in an email scam is clicked and users are directed to a decoy web page usually mirroring a login screen for familiar internal software. Once these credentials are submitted, cybercriminals almost instantly use them to gain access to healthcare systems.
2. Ransomware Attacks
Sometimes, phishing scams work in conjunction with ransomware—another incredibly prevalent cyber threat for healthcare organizations. Typically, ransomware infects systems and files when a user clicks on a malicious link that then injects malware into a network to encrypt sensitive data until a ransom amount is paid.
Hackers understand how critical it is for the healthcare sector to minimize operational disturbances, which is why ransomware is such a popular attack—it does disrupt critical systems and affect patient data, but sometimes there are even more serious consequences, including delays in care, lost revenue, and even harm to patients.
In 2022, 70% of malware attacks stemmed from ransomware. Hospitals hit by these attacks could not access systems such as electronic health records (EHRs), putting patient care and safety at risk.
3. Business Email Compromise (BEC) Scams
Also known as email account compromise (EAC), these are another popular cyber-attack—and one of the most financially damaging online crimes. (In 2021, BEC scams accounted for nearly $2.4 billion in losses, according to the FBI.)
In a BEC scam, criminals send an email message that appears to come from a known source—such as a high-level employee or executive—asking an employee for sensitive information or financial transfers. In one of the most common BEC attacks, the hacker gains access to an employee’s email account and mines its contact list for company vendors, partners, and suppliers, then messages those contacts requesting that payments be sent to a fake account controlled by the cybercriminal.
In a critical difference from the other attacks we’ve mentioned, this type of scam relies on manipulation and trust—rather than malware—to trick victims into completing requested tasks. As employees are often eager to help a trusted colleague or organizational leader, the scam is extremely effective and can have serious consequences, including financial losses, reputational damage, and regulatory fines.
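As an added illustration of the BEC pattern described above (this is example code, not from the original article or from Schellman), here is a defender-side heuristic that scores an inbound message for executive display-name impersonation, an external sender domain, a diverted Reply-To, and payment-redirect language. The internal domain, executive list, phrase list, threshold and sample message are all constructed placeholders.

```python
import re
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed reference data (hypothetical): the organisation's mail domain and
# the executives whose names BEC senders typically borrow.
INTERNAL_DOMAIN = "example-hospital.org"
EXECUTIVES = {"jane doe": "jane.doe@example-hospital.org"}

# Phrases typical of the payment and urgency requests the article describes.
REQUEST_PATTERNS = [r"\bwire\b", r"\bpayment\b", r"\burgent\b",
                    r"\b(new|updated?) (bank )?account\b", r"\bgift cards?\b"]

def score_message(from_header: str, reply_to: Optional[str],
                  subject: str, body: str) -> Tuple[int, List[str]]:
    """Heuristic BEC score; higher means more impersonation signals present."""
    reasons, score = [], 0
    display, addr = parseaddr(from_header)
    addr, name = addr.lower(), display.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # A known executive's display name on an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        score += 3
        reasons.append("display name impersonates an internal executive")
    # Sender domain is outside the organisation (lookalike or free-mail).
    if domain and domain != INTERNAL_DOMAIN:
        score += 1
        reasons.append(f"external sender domain {domain}")
    # A Reply-To that differs from From silently diverts the conversation.
    if reply_to and parseaddr(reply_to)[1].lower() != addr:
        score += 2
        reasons.append("Reply-To differs from From")
    text = f"{subject}\n{body}".lower()
    hits = [p for p in REQUEST_PATTERNS if re.search(p, text)]
    if hits:
        score += min(len(hits), 3)
        reasons.append(f"{len(hits)} payment/urgency phrases")
    return score, reasons

def is_suspicious(score: int, threshold: int = 5) -> bool:
    # Constructed threshold: route to manual review rather than auto-block.
    return score >= threshold

# Constructed sample: executive impersonation plus a vendor payment redirect.
SAMPLE_BEC = dict(
    from_header='"Jane Doe" <jane.doe@example-hospital-billing.com>',
    reply_to="jdoe.ceo@freemail.example",
    subject="Urgent: updated account for vendor payment",
    body="Please wire the outstanding payment to our updated account today.")
```

Because the scam relies on trust rather than malware, signals like these are what a mail gateway or SOC rule can act on where antivirus cannot; a high score should trigger out-of-band verification of the payment request, not an automatic block.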
How Can Healthcare Organizations Protect Themselves Against Cybersecurity Threats?
To avoid falling victim to these cyber threats, prevention is the key. Here are some of our recommended best practices:
Ongoing Security Awareness Training
Educate your employees on the risks associated with opening suspicious emails or clicking on links from unknown sources.
Enable Multi-Factor Authentication (MFA)
Because MFA requires users to present at least two forms of authentication before accessing systems, it adds a layer of security to your systems and data and helps prevent unauthorized access even when a password has been phished.
Install Antivirus Software
Make sure up-to-date, comprehensive antivirus and anti-malware software is installed on every machine, including advanced endpoint protection. Keeping that software current matters because attackers routinely scan for out-of-date software and hardware exposed to the internet and exploit those known vulnerabilities to get into your systems.
Install Firewalls
Often the first line of defense against incoming external attacks, firewalls can protect against attacks on both software and hardware by filtering out and blocking suspicious packets before they enter your system. Layered firewall deployments that also cover operational systems, email, and mobile access add protection against malicious uploads and phishing-driven ransomware. Those in the healthcare sector must also make sure that their firewall service complies with HIPAA requirements.
Build A Layered Defense With Security Controls
Implement security protocols that protect against phishing attacks, limit access to sensitive information, and require strong passwords and authentication protocols.
Regularly Back Up Data
Many ransomware attacks are crippling because a hospital has neglected to back up its data, making it extremely difficult to recover without paying the ransom. When you perform daily backups and keep at least one copy where malware on the network cannot reach it (offline or immutable storage), you largely insulate yourself from ransomware, turning these attacks into a nuisance rather than a disaster. Test backups by restoring them at least once every few months to ensure they are still usable when needed.
Keep Systems Up To Date
Keep operating systems, software, and security protocols current with the latest patches and updates.
Conduct Risk And Vulnerability Assessments
Risk and vulnerability assessments help you identify and address gaps in your cybersecurity, and you should perform them regularly to keep ahead of new threats. Whether carried out by a third party or your internal team, periodic vulnerability assessments give healthcare organizations the opportunity to learn about weaknesses in their security before an attacker does.
Next Steps for Cybersecurity in Healthcare
Healthcare organizations must stay up to date with current security standards and know how to protect their organizations against these threats. It’s not enough to stick your fingers in leaks when they emerge—you need to prevent leaks. Now, you understand three of the biggest threats affecting your sector, as well as some foundational steps toward said prevention.
But you also have HIPAA considerations to keep in mind while you put these security measures in place, and it may benefit you to go through an assessment with a third party. To learn more, check out our other resources that can shed more light on what would best suit your needs:
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.