The healthcare sector has long been a major target of cybercriminals, making up nearly 25 percent (210 out of 870) of documented ransomware attacks, but the last couple of years have seen a substantial increase in major data breaches within the industry.
In the first six months of 2023, more than 300 incidents were reported to the Department of Health & Human Services (HHS)—an increase of more than 100 percent compared to the previous year.
The most common types of entities that face HIPAA violations are general hospitals. Notable healthcare giants have found themselves the subjects of headlines.
In fall of 2022, CommonSpirit Health—a network of more than 140 hospitals across 23 states—was hit by an attack affecting more than 623,000 patients.
The following spring, a cyberattack on MCNA, one of the largest government-sponsored dental care and oral health insurance providers in the US, surpassed any healthcare cyberbreach in 2022. Nearly nine million Americans’ data was compromised, such as their social security numbers, driver’s license numbers, addresses, and health insurance information.
When these mass breaches of patient data occur, healthcare organizations face substantial penalties under HIPAA’s Privacy and Security Rules. Fines range from $100 to $50,000 per violation, depending on the level of neglect at play.
However, in an era in which cybercriminals are becoming more advanced by the day, it can be difficult for healthcare organizations to be sure operations are safe from threat actors.
Meet the Expert
Russell Teague, Vice President of Advisory & Threat Operations at Fortified Health Security
Russell Teague is a US Army veteran, entrepreneur, and cybersecurity executive with more than 20 years of experience in the IT sector.
Before joining Fortified Health Security, he held leadership roles such as chief technology officer, chief strategy officer, and executive vice president at various IT companies. He even founded his own, including NGenSec and SRS consulting. His career has revolved around helping large institutions in the finance and healthcare sectors with regulatory compliance, IT design and implementation, and risk management.
Why are Healthcare Organizations so Vulnerable?
Cyberattacks are a concern for virtually every industry. However, healthcare organizations, in particular, are seen as gold mines in the eyes of cybercriminals.
“The data and the sheer volume of data that healthcare [organizations] manage… are the most valuable today on the dark web, even higher than credit card information,” says Russell Teague, vice president of advisory services at Fortified Health Security, a cybersecurity services company that helps clients in healthcare.
As Teague explains, credit card data becomes useless to a cybercriminal once a breach is detected; a person can simply call their credit card company and stop the perpetrator in their tracks.
Healthcare data, on the other hand, remains viable for use and sale long term. Even if victims realize their identity has been stolen, requesting a credit freeze, obtaining new government-issued IDs, contacting relevant organizations like the IRS and their police department, and sometimes even requesting a new social security number can take a substantial amount of time.
“How do you render your social security number useless—your name, date of birth, address?” Teague says. “These are not items that can be easily changed or disassociated with an individual.”
The 12-month period of 2021 saw more identity theft than any previous year since the Identity Theft Resource Center started recording US incidents of identity theft: 14,947 reports. The following year confirmed this trend’s longevity with a similar number of reported cases: 14,817.
This marks a significant increase in this type of crime, which averaged at about 10,600 cases per year between 2015 and 2020.
How Healthcare Organizations Fall Victim to Cybercrime
People often visualize cyberattacks as hackers breaking into computer systems with force, but as any smooth criminal knows, it’s better to enter with a key.
“In general, not just specific to healthcare, security breaches occur the most through the human side, [by] leveraging and exploiting the human element,” Teague says. No matter how high your fences are, your security is only as tight as your gatekeepers are trustworthy. That’s why phishing is the most common form of cybercrime.
Phishing is a type of social engineering, i.e., the act of manipulating, influencing, or deceiving an individual into divulging private information. The hacker typically poses as a person or organization the victim trusts (e.g., a coworker or manager) and sometimes creates a sense of urgency for the victim to provide information quickly.
According to Teague, email is the most common phishing method that perpetrators use to gain entry into a target environment, but it can also be attempted via phone call or text: “Threat actors can target large numbers, and they only need one to click,” he says.
When an unsuspecting employee clicks on a phishing link, it can trigger a download of malware, giving hackers unauthorized access to organizations’ data, network systems, or computer applications.
Cybercriminals have become much more sophisticated in their phishing strategies in recent years. It’s no longer easy to distinguish between a phishing scam and a genuine email from one’s employer, even for employees educated about the dangers of phishing.
Threat actors may include the impersonated sender’s logo in their email signature and mask their email address to include the impersonated sender’s domain name (i.e., the part of the email address that comes after the “@” symbol). These details can make phishing attempts look legitimate even to a discerning eye.
They may impersonate a member of the IT team and prompt an employee with a routine request, such as changing their password, or pose as a member of HR asking an employee to update their personal details.
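The sender-masking tricks described above can be screened for before a message reaches an inbox. The following is an added example, not code from the article or from Fortified Health Security; it assumes a hypothetical hospital whose genuine mail domain is hospital.example and checks each From header for a lookalike domain, the trusted domain reused as a subdomain, or a display name that carries an address while the real sender is elsewhere.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the organization's genuine mail domain(s).
TRUSTED_DOMAINS = {"hospital.example"}

def _normalize(domain):
    """Collapse separators and case so 'hospital-example.com' and
    'hospital.example' compare as the same string of letters."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())

def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return the reasons a From header resembles sender impersonation.
    An empty list means the header passed these heuristic checks."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = addr.rsplit("@", 1)[1].lower()
    reasons = []
    if domain not in trusted:
        for t in trusted:
            if domain.startswith(t + "."):
                # e.g. hospital.example.reset-portal.net: trusted name as a subdomain
                reasons.append(f"trusted domain {t} appears as a subdomain of {domain}")
            elif _normalize(t) in _normalize(domain):
                # e.g. hospital-example.com: same letters, different registrable domain
                reasons.append(f"domain {domain} resembles trusted domain {t}")
    if "@" in name or any(t in name.lower() for t in trusted):
        # The display name carries an address or the trusted domain while
        # the actual sender address points somewhere else entirely.
        reasons.append("display name contains an address or trusted domain")
    return reasons

# Constructed sample headers: one genuine message and three impersonation patterns.
SAMPLE_HEADERS = [
    "IT Helpdesk <helpdesk@hospital.example>",
    "IT Helpdesk <helpdesk@hospital-example.com>",
    "HR Department <hr@hospital.example.reset-portal.net>",
    '"helpdesk@hospital.example" <attacker@mail.example>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        findings = classify_sender(header) or ["no impersonation indicators"]
        print(f"{header}\n  -> {'; '.join(findings)}")
```

These are heuristics for triage, not a substitute for SPF, DKIM, and DMARC checks on the receiving mail gateway.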
The Role of AI
The rapid advancement of AI adds another element of complexity to the equation for healthcare cybersecurity that cannot be underestimated.
“AI has the potential to reshape how clinical and patient care is derived with improved efficiency and enhanced decision-making,” Teague says. “However, the rapid advancement and widespread adoption of AI technologies have raised significant concerns about security and governance challenges that need to be addressed to ensure that AI is used responsibly, ethically, and in a manner that aligns with societal values and interests.”
In July, the HHS in coordination with its Health Sector Cybersecurity Coordination Center published a briefing focused on how cybercriminals can use AI to their advantage.
According to the report, threat actors with very low technical knowledge can potentially use large language models like ChatGPT to create malware or ransomware, and/or to optimize cyberattack operations.
The report gives various examples of phishing email templates, which can be created with AI. This is a serious matter of concern, as research has shown that the more customized a phishing attempt is, the more likely it is to fool a healthcare employee.
A 2022 study that simulated phishing on 6,000 healthcare staff at an Italian hospital found that 64 percent of staff did not open a general phishing email, but only 38 percent did not click on the customized phishing attempt.
With services similar to ChatGPT, cybercriminals will no longer have to customize emails one by one; AI will be able to do the job in a fraction of the time, meaning threat actors can target large numbers of employees more quickly.
While ChatGPT and other similar engines are still in their infancy, they will continue to advance as they gather more data on which phishing tactics are effective, meaning they will only become more convincing and effective with time.
In addition to phishing, AI also stands to improve intrusive software.
“A new generation of ‘smart malware’ and ‘smart ransomware’ is on the horizon, in my opinion,” Teague says. “Embedded AI and ML [machine learning] logic is being used in creating highly adaptive malware that can consume victim security defenses and make smart decisions on how to thwart or breach those defenses.”
While AI does present new concerns for cybersecurity experts, the technology can also be used to their advantage. According to IBM, AI can protect data across hybrid cloud environments, improve risk analysis, and simplify access for verified users.
“The computer power of AI and ML is also helping bring … the power and understanding of how threat actors operate, what tools, techniques, and how they execute their attacks,” Teague says.
As Teague says, with offensive and defensive efforts evolving in tandem, it will be “a bit of a cat and mouse act, as we watch this play out in real time.”
New Government Standards Amp up Pressure
The road ahead is full of challenges for cybersecurity professionals—and not just concerning cybercrime. Another ball to juggle for healthcare IT professionals is government standards.
While the digitization of the industry has given rise to many positive effects, namely the speed and efficiency of healthcare delivery, it has also introduced some dilemmas around data accessibility that require government intervention.
For instance, information blocking became common in the health sector during the digital revolution.
Caused by poorly designed electronic health record (EHR) software for hospitals, information blocking prevents authorized parties from accessing patient data, leading to slow patient processing times and sometimes delayed diagnoses.
The 21st Century Cures Act was introduced to stop this practice. One of its most important features is the requirement for EHR software companies to make products that work compatibly with one another, known as “interoperability.”
The enforcement of the Act began in September 2023, so the industry is getting its first chance to see how it will be enforced and make any further adjustments to ensure compliance. Meanwhile, in addition to raised accessibility standards, the sector will face an increasing level of responsibility for data security.
President Biden’s measures, outlined in the release of the White House’s 2023 Cybersecurity Strategy, have put an even stronger emphasis on the private industry’s share in the responsibility to prevent cyberattacks.
The theme of the President’s message brings to mind legislation like the Protect Access to Confidential Healthcare of 2022 (PATCH) Act, which puts the onus on medical device manufacturers to create cybersecure products and penalizes companies that don’t comply.
While measures like the Cures Act and the PATCH Act are undoubtedly positive moves for patients and the sector at large, maintaining data security while simultaneously making data more accessible for authorized parties is a balancing act.
Teague says that if done securely, the Cures Act can be implemented safely. However, it won’t be an easy task. “Interoperability is just going to help aggregate the data, increasing the likelihood of these data exchanges being key targets for threat actors,” Teague says.
Due to the ever-evolving tactics of cybercriminals, the rapid development of AI, and increasing government standards, cybersecurity professionals are increasingly needed in health information management.
According to Bureau of Labor Statistics projections, jobs for information security analysts are expected to grow 32 percent from 2022 to 2032.
As Fortified Health Security states in its 2023 Horizon Report, the hope is that the government might offer incentives, grants, subsidies, or other resources to assist.
Nina Chamlou, Writer
Nina Chamlou is an avid writer and multimedia content creator from Portland, OR. She writes about aviation, travel, business, technology, healthcare, and education. You can find her floating around the Pacific Northwest in diners and coffee shops, studying the locale from behind her MacBook.