Improving Cybersecurity for Healthcare Providers

Healthcare providers are one of the top targets for cybercriminals. According to Check Point Research, healthcare organizations worldwide averaged 1,463 cyberattacks per week in 2022, representing an increase of 74 percent compared with 2021. In the United States, healthcare entities suffered an average of 1,410 weekly cyberattacks per organization, up 86 percent from 2021.

According to the Identity Theft Resource Center (ITRC) 2022 Data Breach Report, personal healthcare information appears to be the primary target. US healthcare organizations were the economic sector most compromised by data breaches for the third year running, with 344 breaches in 2022.

Healthcare providers are a leading target of cybercriminals for several reasons:

Sensitive Data: Healthcare organizations and providers are targeted more than other businesses because they have access to a wide range of sensitive data, including private health information and payment card information. Since healthcare providers collect much of this data in one location and in the cloud, they become a top target for cybercriminals.

Critical Infrastructure: Ransomware groups prefer organizations that are likely to pay the ransom. Because healthcare providers deliver time-critical services, they are under greater pressure to restore normal operations quickly and are therefore more likely to meet an attacker’s demands.

Internet of Medical Things (IoMT): Healthcare providers rely more on networked devices to provide care, making them more vulnerable than other businesses. Often, these devices have poor security, are cloud-based, or are managed by third-party vendors, which provides attackers with easier access to sensitive data and the organization’s networks. According to Cynerio’s State of Healthcare IoT Device Security 2022 report, 53 percent of connected devices are at risk of a cybersecurity attack.

Common Cyber Threats to the Healthcare industry

Healthcare organizations and providers face growing cyber threats, with new and more complex attacks emerging every year. Common attacks against healthcare organizations include:

Data Breaches: Healthcare providers and insurers collect and store large amounts of sensitive data about their patients and research. Stealing this data digitally or physically is a common goal of attackers targeting healthcare entities.

Ransomware: This is the most common attack against healthcare entities today. Attackers who install intrusive programs on a provider’s systems, or who steal its data, can hold those systems hostage until the provider meets their demands. This is often effective because healthcare providers rely heavily on their data and networked systems to provide care.

Malware: Malware, or malicious software, is a term used to describe any computer software with malicious intent. Types of malware include computer viruses, worms, Trojan horses, ransomware, and spyware. Malware is designed to steal, encrypt, or delete sensitive data, alter or hijack core computing functions, and monitor end users' computer activity remotely. Malware can enter a system in many ways, including through a USB drive, popular collaboration tools like Microsoft Teams and Google Drive, and drive-by downloads, which occur when malicious programs are automatically downloaded onto a business’s systems without the user's approval or knowledge.

Distributed Denial of Service (DDoS): A DDoS attack is a malicious attempt to disrupt the regular traffic of a targeted business, server, service, or network by overwhelming the target or its surrounding network infrastructure with a flood of Internet traffic. As with ransomware, a DDoS attacker often demands a ransom in exchange for stopping the attack and allowing the provider’s network and data operations to resume.

Phishing: Phishing attacks are designed to trick businesses into handing over sensitive data, such as patient health information or payment card data, through fraudulent solicitation in email or on a website. Phishers often masquerade as legitimate businesses or reputable persons. Phishing is a common first step for data breaches, ransomware, or other cyberattacks.

Account Takeover: Account takeovers occur when a cyberattacker takes advantage of weak passwords or passwords compromised via phishing and other attacks. The attackers use this access to legitimate user accounts to access and steal sensitive data, plant ransomware, or launch additional cyberattacks.

HHS: Top 10 Tips for Cybersecurity in Health Care

1. Establish a Security Culture

“But none of these measures can be effective unless the health care practice is willing and able to implement them, to enforce policies that require these safeguards to be used and to effectively and proactively train all users so that they are sensitized to the importance of information security. In short, each health care practice must instill and support a security-minded organizational culture.”

2. Protect Mobile Devices

“Mobile devices — laptop computers, handhelds, smartphones, portable storage media — have opened a world of opportunities to untether Electronic Health Records (EHRs) from the desktop. But these opportunities also present threats to information privacy and security. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.”

3. Maintain Good Computer Habits

“The medical practitioner is familiar with the importance of healthy habits to maintain good health and reduce the risk of infection and disease. The same is true for IT systems, including EHR systems — they must be properly maintained so that they will continue to function properly and reliably in a manner that respects the importance and the sensitive nature of the information stored within them. As with any health regimen, simple measures go a long way.”

4. Use a Firewall

“A firewall can take the form of a software product or a hardware device. In either case, its job is to inspect all messages coming into the system from the outside (either from the Internet or from a local network) and decide, according to pre-determined criteria, whether the message should be allowed in.”

5. Install and Maintain Anti-Virus Software

“After implementation of EHRs, it is important to keep anti-virus software up-to-date. Anti-virus products require regular updates from the vendor in order to protect against the newest computer viruses and malware. Most anti-virus software automatically generates reminders about these updates, and many are configurable to allow for automated updating.

Without anti-virus software, data may be stolen, destroyed, or defaced, and attackers could take control of the machine.”

6. Plan for the Unexpected

“Sooner or later, the unexpected will happen. Fire, flood, hurricane, earthquake, and other natural or man-made disasters can strike at any time. Important health care records and other vital assets must be protected against loss from these events. There are two key parts to this practice: creating backups and having a sound recovery plan.”

7. Control Access to Protected Health Information

“In most computer systems, these credentials (user name and password) are used as part of an access control system in which users are assigned certain rights to access the data within. This access control system might be part of an operating system (e.g., Windows) or built into a particular application (e.g., an e-prescribing module); often both are true. In any case, configure your EHR implementation to grant electronic health information access only to people with a ‘need to know.’”

8. Use Strong Passwords and Change Them Regularly

“Passwords are the first line of defense in preventing unauthorized access to any computer. Regardless of type or operating system, a password should be required to log in. Although a strong password will not prevent attackers from trying to gain access, it can slow them down and discourage them.”

9. Limit Network Access

“Wireless routing is a quick and easy way to set up broadband capability within a home or office. However, because of the sensitivity of health care information and the fact that it is protected by law, tools that might allow outsiders to gain access to a health care practice’s network must be used with extreme caution.”

10. Control Physical Access

“Not only must assets like files and information be secured; the devices themselves that make up an EHR system must also be safe from unauthorized access. The single most common way that electronic health information is compromised is through the loss of devices, whether this happens accidentally or through theft. Incidents reported to the Office for Civil Rights show that more than half of all these data loss cases consist of missing devices, including portable storage media (e.g., thumb or flash drives, CDs, or DVDs), laptops, handhelds, desktop computers, and even hard drives ripped out of machines, lost and stolen backup tapes, and entire network servers.”

Cybersecurity Resources for Healthcare Providers

Top 10 Tips for Cybersecurity in Health Care

Health Sector Cybersecurity Coordination Center (HC3)

Have You Heard About Protecting Electronic Health Records?

Counter-Phishing Recommendations for Non-Federal Organizations

Ransomware: What It Is and What To Do About It

HHS Cyber Security Guidance Material

Cyber Insurance—From Risk Transference to Organizational Assurance

HHS Cybersecurity Guide: Electronic Medical Records in Healthcare (17-1300-emr-in-healthcare-tlpwhite.pdf)

DHS Cybersecurity Rapid Response Checklist

White House Fact Sheet: Act Now to Protect Against Potential Cyberattacks

White House Fact Sheet: Biden-Harris Administration Announces National Cybersecurity Strategy

LUGPA Policy Alert: CMS Introduces Accelerated and Advance Payments to Providers in the Wake of CHANGE Cyber-Attack - March 2024

LUGPA Policy Alert: Cybersecurity Threats in Healthcare on the Rise - March 2024