Technological advances in the healthcare sector have led to increased interconnectivity and Cloud-based infrastructures in order to maintain physical distance due to COVID-19 and address the urgent need to deal with overwhelming patient volumes through online care.
According to data from Global Markets Insights, the healthcare Cloud computing market was valued at over $29 billion in 2020 and is expected to be worth $79.3 billion by 2027, with a CAGR of 13.4%. We are therefore facing a major industry and migration process to the Cloud, which has not gone unnoticed by cybercriminals.
What are cybercriminals looking for when they attack the healthcare sector?
Health records are highly valued data because there are many ways to exploit this information on the dark web and hackers can gain large sums for them. For example, this data can be used to buy prescriptions, receive treatments or make false medical claims and bring widespread chaos, which will affect the people whose data was stolen in the long run.
The results of Verizon's Data Breach Investigation Report indicate that among the motives threat actors find to attack this sector are, primarily, financial (95%), followed by espionage (4%), convenience (1%) and, finally, grudge (1%).
Once hackers gain access to a healthcare center's system, compromised data typically includes personal data (58%), medical data (46%), credentials (29%) and other (29%).
Main types of cyberattacks on the healthcare sector
In addition to the value of sensitive personally identifiable information (PII), the healthcare sector is often a relatively easy target for black hat hackers. Many things make a system more vulnerable, including the rise of the Internet of Medical Things (IoMT), insufficient protection (such as the use of portals to share patients' medical information that can serve as a gateway through weak passwords), not making use of MFA, not having cybersecurity solutions capable of stopping advanced threats, the use of legacy systems and ineffective employee training.
In a survey conducted in March of this year, Health-ISAC identified the top five cybersecurity threats to the healthcare sector between 2021 and 2022:
Third-party data breaches
Proprietary data breaches
Likewise, the findings of the 2021 HIMSS Healthcare Cybersecurity Survey confirm this data, with phishing and ransomware as the top results with a 45% and 17% share respectively. They are followed by data breaches (7%) and social engineering (5%).
Multi-factor authentication (MFA): essential in healthcare systems
If healthcare professionals access a patient's electronic health record through a clinical portal, it is crucial that they follow a protocol that ensures access is limited to those authorized to view it. Healthcare data should be restricted to essential personnel and access should be reviewed frequently.
In addition, if Cloud access is involved, implementing an MFA solution is strictly mandatory. Data privacy is so critical that MFA should be flagged up within your networks too. Some companies remove the MFA requirement when users are physically inside the network, ignoring the risk of attacks and lateral movements. For example, in 2021 a Dutch hospital was fined €440,000 by the Dutch Data Protection Authority (DPA) due to inadequate protection of patient records between 2018 and 2020, as they failed to implement sufficient security to prevent unauthorized access to records from users inside the network.
Notwithstanding, HIMSS revealed in its global survey results that only 34% of respondents claimed to have implemented the use of multi-factor authentication in their organization. In contrast, other respondents indicated that this type of authentication is applied to a lesser extent in their institutions. This poses unnecessary risk to the confidentiality, integrity and availability of information.
As an MSP, it is important to establish the use of this solution and to advise healthcare clients on which solution is most appropriate for them. Healthcare systems manage highly sensitive data, such as user medical information, and deploying MFA to access it is critical, as well as being a long-standing regulatory requirement. Medical organizations that have included it are in compliance with the regulations, as in this case study for the Generalitat Valenciana, while failure to deploy this protection can result in penalties and major security breaches.