Europe has generally been ahead of the United States on cybersecurity regulation at the governmental level, including in healthcare. On industry-specific cybersecurity practice, however, the record is more mixed, with some sectors ahead of the United States and others behind.
Healthcare is a vulnerable vertical on both sides of the Atlantic, and a new report by the European Union Agency for Cybersecurity (ENISA) offers some revealing insights into the state of cybersecurity in the healthcare sector.
“Studying trends in other parts of the world is good for everyone. If you are in Australia, you should study what goes on in the States. If you are in the States, you should look at cybersecurity in Europe; from a cybersecurity perspective, we’re all connected,” says Andrew Craig, a healthcare cybersecurity consultant in Houston.
That ENISA produced the report gives it considerable credibility and weight. “Private companies come out with reports all the time, and while they have some value, anytime you can get the resources of a government entity to study something, the results are worth poring over,” Craig adds.
Findings point to key vulnerabilities
Fifty-four percent of all cybersecurity breaches in Europe in 2022 hit the healthcare sector, with hospitals bearing the brunt.
“Protected health information (PHI) continues to be the most sought-after data for cybercriminals. PHI is far more valuable for resale on the dark web than credit card numbers, bank account information, or social security numbers,” Craig points out. The ENISA numbers certainly bear that out, showing that electronic health records were the most targeted assets.
The ENISA report also highlights the healthcare supply chain and the vulnerabilities it inherits from vendors. “Supply chain remains the ‘soft underbelly’ of the whole healthcare ecosystem. A hospital can be a fortress, but if the company that launders their linens has weak cybersecurity, the whole system can be compromised,” warns Craig. The proliferation of portable medical devices is also expanding the attack surface.
According to Craig, a government report is better placed to spotlight state actors, which were an issue in Europe in 2022.
The ENISA report states: Geopolitical developments and hacktivist activity led to a surge in Distributed Denial of Service (DDoS) attacks by pro-Russian hacktivist groups against hospitals and health authorities in early 2023, accounting for 9% of total incidents. While this trend is expected to continue, the actual impact of these attacks remains relatively low.
Threat actors are actively present
“While we don’t think state actors greatly disrupted healthcare in Europe, it still shows that they have a presence, and one can never really let down their guard,” Craig says. Other significant concerns highlighted in the report include:
- Cost of breaches. The median healthcare attack costs around $300,000.
- Ransomware defense. Ransomware is the biggest cybersecurity threat hospitals face, yet only 27 percent of surveyed organizations have a dedicated ransomware defense program. “This is a gaping hole in healthcare cybersecurity. There is also a huge opportunity for managed security providers (MSPs) to be selling their services up and down the healthcare ecosystem,” he says.
The ENISA report also highlighted patient safety. “For a long time, the focus was on PHI, but there is now the real possibility, and in fact, there have been incidents where patient safety is compromised: medication dosage, pacemaker function, and sensor monitoring,” Craig advises. “This is a serious threat.”
Best practices for MSPs to improve defenses for healthcare cybersecurity
The ENISA report also offers several recommendations for shoring up healthcare defenses, which Craig says should be part of every MSP’s arsenal:
- Keep offline, encrypted backups of mission-critical data, with confidential data encrypted at rest, to mitigate both data loss and data leaks.
- Run awareness-raising and training programs for healthcare professionals to help mitigate social engineering attacks and improve security practices among users.
- Perform regular vulnerability scanning to identify and address vulnerabilities, especially on internet-facing devices, and so limit the attack surface.
- Patch regularly and apply the latest available updates to software and operating systems.
- Follow good practices for remote-access authentication, such as multi-factor authentication.
- Create, maintain, and exercise cyber incident response plans so that patient care is unaffected. These may include contingency plans in each department or service, improved communication channels, and support for the mental and physical well-being of healthcare professionals.
Craig, however, emphasizes that buy-in from senior management at healthcare organizations is crucial for any of the recommended steps to work. “An MSP or a CISO can have the best cybersecurity plans, but if the management doesn’t provide support, it’s going to be a rough road.”
Photo: LeoWolfert / Shutterstock