Despite not being obvious targets for cyber-criminals, healthcare institutions are increasingly falling victim to digital attacks, now more so than ever. While at the start of the pandemic, medical institutions thought that cyber-criminals would not dare disrupt their operations - at least not while they take care of the sick and study the virus - that hope has been all but shattered. If anything, malicious actors are taking advantage of the havoc caused by COVID-19 to infiltrate overstretched hospital systems and steal invaluable patient data and critical research information. In the last quarter of 2020 alone, cyber-criminals exposed nearly 10 million records in 88 breaches.
However, while personal patient and staff data remain vulnerable assets for every medical institution, patient health is now at risk from cyber-criminals too. Late last year, a wave of cyber-attacks crippled six hospitals in the US by interrupting their operations for multiple days — a situation that endangered hundreds of lives. Even though a ransomware attack did not, as initially reported, kill someone in Germany last year, it is only a matter of time before a cyberattack on a hospital leads to tragic results.
The Evolving Threat to Healthcare
A key driver of the growing threat level for medical institutions is ransomware's transformation into a widely available and highly destructive criminal tool. As concepts like ransomware as service proliferate, even unsophisticated threat actors can now leverage capable strains of malware. In addition, cyber-criminals are also deploying increasingly sophisticated delivery tactics such as spear phishing to increase their chances of accessing connected network assets.
While the average payment from a successful ransomware attack is now over $100,000, ransom demands can easily stretch into millions of dollars. With the cost of ransom payments dictated by a victim's willingness to pay, the more a successful infection puts at stake, the more cybercriminals stand to gain.
For medical institutions, the inability to tolerate any operational downtime whatsoever makes them particularly attractive targets. Accordingly, nearly 90% of all ransomware infections reported last year occurred in the healthcare industry. The risk that this kind of malware poses to medical institutions has gotten so severe that the CIA, FBI, and HHS recently released a joint advisory statement warning healthcare providers about the risk of ransomware attacks.
Whereas in the past, threat actors either paralyzed entire organizations or threatened them with data exposures, ransomware attacks are now frequently configured to do both.
The Downside of Digitization
While threat actors have become increasingly sophisticated, healthcare institutions have also become more vulnerable.
Digitization in healthcare is nothing new. However, since the pandemic began, technologies such as telemedicine, remote patient monitoring and IoT medical devices have become ubiquitous. Telehealth alone is now on track to become a $250 billion industry by 2021. However, even though the digitization of medical devices and machines may well revolutionize patient care, they also present new entry routes for threat actors into medical networks.
Another side effect of rapid digitization is the increased likelihood of unpatched vulnerabilities accumulating. According to a data breach report by Verizon, over 85% of attacks gained access to victims' networks through known vulnerabilities.
As their operations become increasingly connected, medical technology's proliferation naturally increases the number of endpoints on medical networks. It's telling to note that external actors cause over 70% of network breaches, a figure which emphasizes the importance of endpoint security for medical institutions.
Understanding Inherent Vulnerabilities
Aside from the hidden dangers of digitizing operations, the nature of medical working environments also creates inherent vulnerabilities.
Healthcare workers have to access large volumes of valuable patient data every day, a situation that entails constant network interaction. Unsurprisingly, for incredibly busy healthcare professionals, cybersecurity often falls to the wayside.
According to a recent study, over 81% of healthcare staff use their work devices for personal purposes, while 36% share regulated data through unsecured email accounts. Busy healthcare staff also make vulnerable targets for targeted phishing emails designed to harvest their login credentials.
Protecting Medical Institutions Requires a Proactive Zero Trust Approach
Faced with a threat landscape growing in scope and risk, medical institutions need to be proactive about cybersecurity. The alternative — relying on antivirus software for protection — is ineffective because most attacks today don't have detectable signatures.
Instead, healthcare and medical institutions need to move beyond perimeter-based security and adopt zero-trust. This approach treats every device or individual connecting to their networks as a potential intruder until securely verified.
The most efficient way to make verification possible in a fast-moving medical environment is to remove passwords. Going passwordless means that authorized individuals gain access to an unhackable login procedure, making access both safer and more efficient. A passwordless organization instantly removes the most significant attack vector within its operations. Further benefits of a passwordless approach include improved productivity and reduced operational downtime.
Final Thoughts
For institutions where a network breach can expose confidential information and put patients' lives at real risks, cybersecurity is now a matter of life and death. Instead of relying on surrounding themselves with a protective wall, medical institutions need to make cybersecurity an inherent part of their day-to-day operations.