A pandemic side effect? More cyberthreats in health care. Here are 4 reasons why
March 16, 2021 | By Dorothy Pomerantz
In the middle of a pandemic, the last thing any hospital wants to do is make life even more complicated for its staff and patients. But that’s exactly what happened in France last month, when two separate hospitals were hit with ransomware attacks, forcing them to shut off internet service. One was forced to postpone patient surgeries and redirect emergency room care and the other resorted to paper charts, record-keeping and appointment logs.
These sorts of attacks have been a growing problem for the health care industry and are increasing in frequency during the pandemic. In 2020, health care data breaches were up 25% in the U.S. over the previous year. Here’s why:
Medical data is everywhere. Over the past decade, the industry has digitized, meaning there is now electronic data on just about every aspect of health — from an individual’s blood pressure to global vaccine research — and on many kinds of connected devices. Data moves from medical offices to pharmacies to the patient and insurance companies. While this easy flow of communication is a boon for patients and doctors, it creates potential weak spots that hackers can exploit.
“There are plenty of security gaps,” says Beth Griffin, who leads health care cyber and intelligence efforts for Mastercard. “There can be gaps in how the data is being stored. There are vulnerabilities in people accessing data from mobile phones. There can be gaps in relationships with third-party vendors.”
Ransomware attacks can be lucrative. Ransomware attacks, in which cybercriminals hold an entire hospital system’s IT hostage, can bring care to a screeching halt. Delays in sending and receiving information can mean the difference between life and death. With people’s health at stake, organizations are motivated to pay up quickly.
Health care scams are constantly evolving, feeding the need for more data. Breached medical records, including stolen credentials and medical files, are increasingly available on the dark web. That’s where medical records can be 50 times more valuable than payment card information. Criminals can use it to set up fake medical businesses or file false claims with insurance companies. Stolen troves of data can include personally identifiable information for patients and their relationships with their health care providers, which could be harnessed for phishing or ransomware scams.
Overburdened health care organizations are underprepared for cyberattacks. The financial world has adjusted to dealing with fraud — stopping a potentially bogus charge as quickly as it’s made. But the health care industry is still adjusting to new levels of digitization. Hospital systems are also trying to operate during COVID-19 with overworked staff and many administrators working from home. They might be easy prey for a phishing attack, for example – when someone opens an authentic-seeming email and unknowingly downloads malware that can infect an entire company. “The pandemic is stretching personnel who are paying less attention to details,” Griffin says.
All these digital touchpoints mean health care organizations need to continuously monitor and implement security measures along every step to diagnose potential weaknesses.
One of the biggest concerns is outside vendors who have access to critical data and systems to help keep their organizations running. While essential, this creates what is known as “third-party risk,” in which hospital or medical office data may be exposed if those supply chain vendors are attacked.
Organizations need to constantly think about the impact a supplier failure could have on their operations. That’s why at the start of the pandemic, RiskRecon, a Mastercard company, offered free access to its services for health care organizations through the end of 2020, helping them assess their digital footprint and identify weak points, creating a risk heat map of potential vulnerabilities. RiskRecon was also recently selected as the first global ambassador for the Health Information Sharing and Analysis Center (Health-ISAC), a nonprofit forum for health care companies to collaborate on cybersecurity.
To tackle these cyber security challenges – from ransomware to fraud to complex supply chains – staying ahead of the threat is more important than ever. Tools like RiskRecon and information sharing through Health-ISAC are just some of the ways an organization can improve its security posture.
“The cyber threats facing the healthcare sector are challenging, and as part of any risk management program, they need to be addressed through strategic planning and thoughtful investment,” says Errol Weiss, Health-ISAC’s Chief Security Officer. “It’s literally the equivalent of spending thousands now to prevent something that’s preventable or paying millions later to recover from a catastrophe.”
Call it preventative medicine.
“The more insights we can share into the shifting cyber landscape, and the more actionable they are, the better prepared we all will be to keep ahead of the criminals,” says Simon Hunt, executive vice president for security and cyber innovation at Mastercard. “We may be able to see the end of the pandemic, but the need to safeguard and protect patients, staff and systems will never end.”