The protected health information (PHI) entrusted to healthcare providers is more valuable than credit card numbers to cyber criminals. Why? Because medical records contain a cache of sensitive information. Healthcare attacks are a hot commodity for nefarious actors since that data can easily be monetized through fraudulent billing, blackmail, filing false tax returns for rebates, and ordering prescription medication and medical devices.
A recent Canalys study found the evolving threat landscape will keep pressure on organizations to deepen their cybersecurity defenses, expand detection capabilities, and improve incident response. The delivery of cybersecurity services – including consulting, outsourcing, and managed services – is forecast to grow by 14.1% to $144.3 billion in 2023. MSPs and MSSPs can strengthen a healthcare organization’s cyber posture by locking down all points of compromise. Understanding where these systems are vulnerable and what protections should be in place will help providers establish their credentials in this high-risk/high-reward field.
Poor Cyberhealth and the Seven Deadly Sins
The landing pad in healthcare for cybercriminals is long and wide, and they have many ways to creep into the network and cause chaos. Here are seven identified cybersecurity vulnerabilities that can reveal a patient’s data and expose healthcare organizations to fraud and fines:
- Limited budgets. Funding is one of the largest contributing factors to anemic cyber defenses. Healthcare organizations are spending less on technology than those in other sectors. More than half (53%) invest less than 10% of their budget in technology.
- Lean IT staff. A tight budget often means fewer staff to monitor, prevent, and recover from breaches. The size and complexity of today’s cybersecurity attacks are forcing healthcare providers to outsource these responsibilities to IT professionals who can maintain a robust defense, ensuring the privacy of patient records and compliance with regulatory standards like the Health Insurance Portability and Accountability Act (HIPAA).
- Legacy systems. These outdated systems may be too expensive to upgrade or may have compatibility issues, yet a lack of support from the manufacturer can mean that security patches are no longer available. Here are three immediate steps MSPs can take to offset the risk of a legacy system:
  - reduce the number of software versions and vendors,
  - segment networks (i.e., take critical life-support equipment and similar devices off the internet) so that an attack or incident can be isolated,
  - create a workflow diagram with specific responsibilities for the Security Operations Center (SOC).
- The Internet of Medical Things (IoMT). Devices linked to cloud platforms that store and analyze patient data create a huge vulnerability. An IBM study found an average of 10 to 15 connected devices per patient bed. Medical device compromises can endanger patient safety and privacy and can also expose entire segments of consumers using these services.
- Fragmented security architecture. Just as they run a wide variety of medical devices, healthcare providers typically rely on several point security solutions. Those disparate systems make it difficult for MSPs to identify the potential for an attack and remediate vulnerabilities before cybercriminals can access sensitive data or deploy ransomware.
- Phishing scams. People are one of the most frequent entry points for cybercriminals and a lack of employee awareness of the risks associated with email and websites can be devastating to medical professionals. The U.S. Department of Health and Human Services (HHS) is currently investigating hundreds of cases associated with these phishing and hacking scams.
- Ransomware. Hospitals are major targets because of the higher probability that administrators will pay the ransom. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Department of the Treasury recently issued a joint advisory warning about alleged North Korean-backed threat actors using Maui ransomware to attack healthcare and public health (HPH) organizations. A report in Security Magazine found that some medical providers will quickly give in to ransom demands because patients’ lives could be significantly impacted without access to records and internet-connected medical tools.
Cybersecurity Best Practices Checklist
Just as people are advised to undergo regular physicals, so too should entities within the global health ecosystem. To improve the cybersecurity posture of healthcare, HHS encourages enterprise-wide risk analyses and a series of best practices, including continuous vulnerability scans of all systems and devices.
Every organization needs to prioritize security controls – both basic and advanced. Respondents in an AT&T cybersecurity study focusing on healthcare ranked intrusion and threat detection, multi-factor authentication, data encryption at rest, and endpoint and device monitoring as the most efficient and effective security controls at their disposal. These are all areas where MSPs and MSSPs can provide critical support.
The Healthcare Information and Management Systems Society (HIMSS) identifies basic security controls as:
- Anti-virus
- Backup and restoration of files/data
- Data loss prevention
- Email/web gateway
- Encryption at rest/for archived files/in transit
- Firewall
- Incident response plan
- Security awareness training/policies and procedures
- Vulnerability management
- Mobile device management
Advanced security controls may include:
- Anti-theft devices
- Business continuity and disaster recovery plan
- Digital forensics
- Multi-factor authentication
- Network segmentation
- Penetration testing
- Threat intelligence sharing
- Vulnerability scans
Healthcare providers must make continual investments in IT infrastructure to protect patients’ personal information and remain compliant with all regulatory requirements. MSPs and MSSPs can play a life-saving role by identifying and remediating system weaknesses to put their clients in a better position. Every organization needs to be proactive rather than reactive in tackling cybersecurity.
Partnering with businesses like Acronis gives MSPs and MSSPs those capabilities. Cyber Protect Cloud detects and blocks ransomware with Active Protection, while our backup and disaster recovery solutions can get medical facilities back up and running quickly in the event of system compromise.
About Pat Hurley
Pat Hurley is Vice President and General Manager, Americas at Acronis. Hurley is a senior sales executive with experience building and scaling Enterprise, SMB and Public Sector sales teams. He is a proven leader with experience hiring and cultivating successful sellers and driving accountability across fast-paced organizations, and has extensive experience executing channel GTM strategies across Service Providers, Hosting, VAR, Distribution, OEM, and other lines of business. He is a persuasive communicator with excellent analytical, presentation, and interpersonal skills.