The threat to cybersecurity in the healthcare sector has grown so acute that the United States Senate held hearings in mid-March to discuss what can be done to mitigate the growing menace.
Senator Gary Peters (D-MI), chairman of the Homeland Security and Governmental Affairs Committee tasked with overseeing cybersecurity legislation, opened the hearing with the following statement:
“Cyberattacks on hospitals, and other health care providers, can cause serious disruptions to their operations and prevent them from effectively providing critical, lifesaving care to their patients. Breaches can also lead to the exposure of sensitive personal and medical information of patients and health care personnel.”
Peters cited several recent high-profile attacks in the healthcare vertical. Included are:
- DC Health Link, a health insurance marketplace for residents and lawmakers in the nation’s capital, experienced a cyberattack that exposed the personal data and information of tens of thousands of people, putting victims at risk of identity theft, scams, and additional cyberattacks.
- Earlier this year, the University of Michigan Health System experienced a cyberattack that temporarily limited access to their public websites. No patient information was compromised, and the issue was quickly resolved.
Protecting healthcare systems is vital
The senators said that the difference between cyberattacks on, say, a school vs. a hospital is that attacks on healthcare can lead to loss of life. A patient could die if medication isn’t dispensed, or oxygen isn’t released.
PHI, or personal health information, is also much more valuable to a hacker because of the multitude of data it usually contains. A stolen credit card number has a short shelf life as the owner will quickly find out it has been compromised and shut it down. But PHI, if harvested carefully by the hacker, can be used in many profitable ways and often without the victim being immediately aware.
Hackers can also use PHI for identity theft, financial fraud, and blackmail. For example, they can use stolen medical records to create fraudulent insurance claims or obtain prescription medications they can sell on the black market. They can also use PHI to blackmail individuals by threatening to expose embarrassing or sensitive health information.
Scott Dresen, vice president of Corewell Health, described the vulnerability of the healthcare sector at the Senate hearings:
“Healthcare is digitally dependent; we are in a world where healthcare is highly digital and highly connected. And that makes us vulnerable given the value of the data we manage. We have a responsibility to protect the data of our patients and members.”
Vance Osborne, a cybersecurity expert in Denver who works with hospitals, tells Smarter MSP that MSPs increasingly have a role in the healthcare ecosystem.
“Often large hospitals have their IT in-house, but the healthcare has gone towards a much more decentralized model where there are numerous smaller clinics, private practices, and specialists, from dentists to dermatologists, and all of these are equally vulnerable,” Osborne explains. “People often think of healthcare IT as being a sprawling hospital, but more often it is the corner clinic, or even wearable devices.”
This ecosystem is facing several key threats
Osborne says the smaller healthcare entities are the ones that often turn to MSPs for IT and cybersecurity issues.
“And the Senate hearing underscores the threat healthcare facilities are under and the importance the government views this with,” Osborne points out.
He continued by saying that entities in the healthcare ecosystem face several key threats:
- Phishing attacks: Phishing attacks involve using fraudulent emails or websites to steal personal information, such as login credentials or financial data. Healthcare providers are often targeted by these attacks, as they handle sensitive patient data.
- Ransomware attacks: Healthcare providers are a common target of these attacks so hackers can get their hands on the lucrative PHI.
- Insider threats: Osborne believes this threat often isn’t taken seriously enough. Insider threats can be intentional or unintentional actions by employees or contractors that can harm an organization’s cybersecurity. Healthcare providers need to ensure that employees have appropriate access to patient data and are trained to handle sensitive information appropriately.
- Medical device security: Medical devices, such as pacemakers and insulin pumps, are increasingly connected to networks, making them vulnerable to cyberattacks. These devices can be compromised, potentially causing harm to patients.
- Data breaches: Healthcare providers are responsible for safeguarding patient data, and a breach of this data can have severe consequences. Breaches can occur due to weak passwords, unsecured networks, or vulnerabilities in software and applications.
Osborne advises that to mitigate these risks, MSPs that work with healthcare providers should implement strong security measures, such as multi-factor authentication, encryption, and regular security audits. They should also educate employees on cybersecurity best practices and implement policies and procedures for handling sensitive data.
“There’s no magic bullet, but MSPs can be a robust first line of defense,” Osborne says.
Photo: Andrew Angelov / Shutterstock