Remember to stay vigilant against threat actors. Data breaches, ransomware, and phishing attacks are commonplace in all industries, but especially in healthcare. Tech & Innovation in Healthcare has gathered commonly held cybersecurity myths to get to the bottom of the misinformation. Can you separate the facts from fiction?

Myth 1: We cannot experience a data breach since we are a small practice and have strong cybersecurity measures in place.

While having strong cybersecurity measures in place is a great start, it's important to understand that data breaches can originate from several areas. For example, according to the HHS Office for Civil Rights (OCR) data breach portal, data breaches from business associates of healthcare and public health (HPH) entities increased from 250 in 2021 to nearly 400 in 2022. This is in direct contrast to the number of healthcare provider-caused data breaches, which decreased over the same time period. Threat actors most commonly used hacking or an IT incident to gain access to patient records, and the malicious actors often aimed their attacks at network servers, email, and databases, such as electronic medical records (EMRs), to reach the sensitive data.
Note: The OCR data breach portal includes only data breaches of 500 or more records.

Healthcare data breaches consistently increased from 2012 to 2021, with the case numbers doubling between 2018 and 2021. Last year saw a slight decrease in the number of data breaches, but the overall cost of an incident increased by nearly $1 million, according to the IBM Cost of a Data Breach Report for 2022. An average healthcare data breach cost $10.1 million in 2022. Healthcare faces the highest costs for a data breach of any industry for the 12th year in a row.

Myth 2: The larger the organization, the longer ransomware will need to encrypt the files.

On the surface, this myth appears to be true. However, technological and malware advances have rendered this statement false. According to the 2023 IBM Security X-Force Threat Intelligence Index report, there was a 94 percent reduction in ransomware deployment time between 2019 and 2021. In 2019, threat actors needed approximately 68 days for the ransomware to complete its encryption. By 2021, the same process was executed and completed in only four days.

A 2022 Sophos State of Ransomware report found that 66 percent of healthcare organizations surveyed reported they had been victims of a ransomware attack in the previous year. The health sector also had the lowest ransom payments, which averaged under $200,000. However, Sophos' State of Ransomware in Healthcare study also found that healthcare ranked second in ransomware attack recovery costs at $1.85 million.

The old adage "time is money" rings true when it comes to ransomware attacks in 2023. The dramatic evolution in ransomware deployment speed requires a proactive approach to better securing data. IT and cybersecurity professionals need to take on a "when, not if" mentality toward protecting your organization. By remaining vigilant against possible attacks, your cybersecurity team will help protect your organization's bottom line.
Myth 3: I just need to keep my team aware of ransomware and data breaches since those are the most popular threats.

While data breaches and ransomware attacks garner headlines and news reports, traditional threats remain and will continue to operate throughout 2023 and beyond. Threat actors have used these tried-and-true methods for years and will continue to do so:

"The truth is that healthcare organizations don't need some magic plan to stay ahead of threats in 2023," says Funso Richard, CISA, CISM, CDPSE, CCSFP, information security officer at Ensemble Health Partners in Cincinnati, Ohio.

Educating and training your staff on everyday threats will help them stay aware of, and proactive against, incoming malware and social-engineering tricks from threat actors. In addition, your cybersecurity team should enforce best practices to ensure your practice or organization is compliant and safe.

"The secret of effective cybersecurity lies in what the security team and the organization do daily. Essential best practices, such as security awareness, data protection, email protection, effective monitoring, patching, risk assessment, and incident response will keep healthcare systems secure," Richard adds.