How healthy is your data security?
Data privacy and security threats in healthcare are becoming increasingly common. With the massive amounts of sensitive patient data that healthcare organizations store and process, it’s no surprise that medical providers have become major targets of cyberattacks.
Part of the problem is that technologies like medical devices, telemedicine software, and patient data systems are vulnerable to attackers. The other part is that these systems contain highly valuable personal information that can be used for identity theft, double extortion ransomware attacks, insurance fraud, and more.
It’s no wonder, then, that 24% of all cyberattacks in 2019 were in the healthcare industry, or that healthcare is the most significantly affected by data breaches with an average cost of $10.1 million per incident.
Today, we’ll discuss the top five data security threats in healthcare and why they’re so serious. We’ll also offer a way to strengthen data privacy and security in healthcare organizations and mitigate the impact of these attacks.
What are the top five data security threats in healthcare?
From phishing and malware to XSS and DDoS attacks, cybersecurity attacks can cost organizations hundreds of thousands of dollars in just a few hours. Below, we’ll discuss five of the top threats to hospitals, medical offices, and other healthcare systems.
1. Data breaches in healthcare
One of the most common and publicized threats to healthcare organizations is data breaches.
Between 2009 and 2022, over 5,150 breaches were reported to the Department of Health and Human Services’ Office for Civil Rights. That number is only growing, with the healthcare sector experiencing about 337 breaches involving over 19 million records in the first half of 2022 alone.
That said, the most common type of healthcare data breaches has shifted over time. While many data leaks initially involved the loss or theft of healthcare records, the move to digital record keeping, device tracking, and encryption has reduced this kind of incident. Now, the leading cause of breaches is malicious hacking and IT incidents, which have increased significantly since 2015.
Better security measures, security awareness training, and access controls can all help mitigate this problem, but the industry is still a long way from preventing breaches altogether.
2. Ransomware attacks in healthcare
We’ve all read the stats on ransomware. It’s growing, it’s getting more sophisticated, and it’s increasingly expensive to remediate.
But ransomware is especially insidious in healthcare because the data is extremely sensitive. Many organizations and individuals will make significant ransom payments to prevent their private data from being released publicly.
Take, for instance, the attack on the Finnish healthcare firm Vastaamo that exposed the confidential records of tens of thousands of psychotherapy patients. Many patients ended up paying the ransom just to avoid having their treatment records published by the attackers.
Other attacks can be so devastating that they force providers to transfer patients to other facilities, temporarily suspend their services, or even go out of business. Take, for instance, Brookside ENT and Hearing Center in Michigan and Wood Ranch Medical in California, both of which closed permanently in 2019 after experiencing a ransomware attack.
3. Insider threats from healthcare employees
Contrary to popular belief, insider threats aren’t limited to disgruntled employees leaking IP or trade secrets. Many insider threats happen unintentionally and are the result of human error rather than malicious intent. In healthcare, this can be as simple as sending patient information to the wrong email address or via an unsecured account.
Unintentional healthcare disclosures are one of the most common causes of data breaches in the industry, second only to hacking. The end result is also costly: According to the Center for Internet Security, personal health information (PHI) is more valuable to cybercriminals than regular personal identifiable information (PII) or even credit card credentials.
While regulations like the Health Insurance Portability and Accountability Act (HIPAA) exist to safeguard data from this kind of scenario, they are not foolproof. Healthcare providers must implement strict access controls, monitor unusual activity, and provide regular training on security best practices to mitigate insider threats in their organizations.
4. Basic web application attacks (BWAA)
Basic web application attacks, or BWAA, primarily target an organization’s most exposed infrastructure — typically web servers or internet-connected devices. Attackers often use software or commands to cause unintended behavior in the system, usually with stolen credentials or known vulnerabilities.
BWAA includes specific types of attacks like cross-site scripting (XSS), SQL injection (SQLi), and distributed denial of service (DDoS) attacks. The impact can range from downtime in patient portals to disruptions in payroll operations and beyond.
To protect against BWAA, organizations should implement strong web application security and follow other data protection best practices.
5. Third-party security threats in healthcare
Healthcare providers often work with third parties like electronic health record (EHR) vendors to manage patient data. While these third parties can be a crucial part of providing care, they can also pose a significant threat to data security.
According to the American Hospital Association’s HHS Cybersecurity Program, distributed attack vectors are increasingly common in healthcare attacks. This includes third-party threats like managed service provider compromise and supply chain compromise. In 2019, for instance, 400 dental offices were attacked with ransomware via a single compromised managed service provider.
Organizations can reduce the risk of these third-party breaches by employing strict access controls and regularly monitoring vendor activity.
What can we do about data security threats in healthcare?
Data security threats in healthcare can have severe consequences for both patients and healthcare providers. From the sensitive nature of patient information to the vulnerability of medical systems, the industry is highly susceptible to damaging attacks.
Luckily, there are several steps that can be taken to mitigate the impact of these cyber threats and enhance data privacy and security. For instance, providers can implement robust encryption to protect data at rest and in transit, and they can ensure that only authorized and authenticated personnel have access to patient information.
They can also offer comprehensive employee training programs to educate healthcare staff about everything from phishing attempts to good password etiquette. And they can conduct regular risk assessments and vulnerability testing to improve their ability to respond to security events.
Protecting healthcare data with ShardSecure
Another way to implement strong data security for healthcare organizations is with ShardSecure’s Data Control Platform. Our innovative, agentless approach to encryption protects unstructured data against unauthorized users, rendering it unreadable to third parties in on-prem, cloud, and multi-cloud environments. This ensures strong data privacy even if an attacker manages to gain access to a storage location.
Our Data Control Platform also offers strong data resilience, providing high availability and data integrity checks to reconstruct compromised data in the face of outages and attacks. It can be seamlessly and transparently integrated with existing applications, and it works with legacy healthcare systems without the need to redesign workflows.
The cybersecurity research firm TAG Cyber wrote the following in a report about our technology: “The advantage of microsharding for healthcare teams is that sensitive application-level data stored into multiple clouds can be disaggregated, separated, and obfuscated to reduce the back-end threat. In the healthcare sector, this can be a valuable cyber security and framework compliance tool.”
Addressing data security threats in healthcare requires a multifaceted strategy. Learn how ShardSecure can become an effective part of that strategy with our healthcare case study and other resources.
Hospital Cybersecurity Risks and Gaps: Review | Frontiers in Digital Health
Cyberattacks Are Particularly Costly in Health Care. Why? | Advisory Board
DDoS Attacks: In the Healthcare Sector | Center for Internet Security
‘Shocking’ Hack of Psychotherapy Records in Finland Affects Thousands | The Guardian
Healthcare Data Breaches: Insights and Implications | PMC
Data Breaches: In the Healthcare Sector | Center for Internet Security
Web Application Attacks in Healthcare | HHS.gov
Health Sector Cybersecurity: 2021 Retrospective and 2022 Look Ahead | American Hospital Association