Cybersecurity risks in healthcare are not new. But as healthcare remains a top-three industry at risk for breaches, those risks continue to evolve and grow more complicated. Over the past 18 months, many breaches were tied to security incidents involving a vendor.
Given the significant risk and business-halting implications of cybersecurity attacks, here we summarize the top five cybersecurity risks facing the healthcare industry as well as five mitigating activities every healthcare organization should be engaging in to keep their patients' data safe and their critical business operations moving.
Top Five Risks
1. Ransomware Attacks
Ransomware attacks are among the most prevalent cyberthreats to healthcare. In fact, 24% of all breaches included ransomware.[1] These attacks involve encrypting a victim’s data and demanding a ransom payment to restore access. Healthcare organizations are particularly vulnerable, as they store sensitive patient data whose loss of availability or confidentiality can be used to extort a ransom payment. For more information on ransomware attacks in the healthcare industry, read our FORsights™ article, “Health Providers Warned of New Ransomware.”
2. Phishing & Social Engineering
In 2023, 74% of breaches involved the human element.[1] Phishing and social engineering attacks are designed to trick employees into revealing sensitive information or downloading malware. Healthcare employees are particularly susceptible to these attacks, as they often receive a high volume of emails and are busy with patient care.
3. Medical Device Vulnerabilities
Medical devices are increasingly connected to networks and the internet, making them vulnerable to cyberattacks. These vulnerabilities allow attackers to access sensitive patient data or even control the device remotely, potentially putting patient health at risk.
4. Insider Threats
Insider threats are among the most difficult to detect and prevent. In 2023, 19% of breaches came from internal actors.[1] These threats can come from employees, contractors, or other insiders who have access to sensitive data and systems. Insider threats can be intentional, such as stealing patient data, or unintentional, such as accidentally downloading malware. The Verizon 2023 Data Breach Investigations Report shows that employees are more likely to make an error than to maliciously misuse their access, which makes a strong case for mandatory employee cybersecurity training.
5. Third-Party Risk
Healthcare organizations often rely on third-party vendors for various services such as data storage and processing. However, these vendors may not have the same level of cybersecurity as the healthcare organization, creating a potential weak point in the organization’s defenses. For more information on third-party risk in cybersecurity, read our FORsights article, “A TPRM Perspective – Cybersecurity Risk.”
Top Five Risk-Mitigating Activities
1. Ransomware Assessment
Ransomware attacks continue to be one of the most prevalent and ongoing problems within the healthcare industry.[1] In a ransomware assessment, our team exploits vulnerabilities in a controlled engagement, measures how well your organization’s procedures defend against an attack, and helps mitigate the risks found. This assessment can help an organization identify, protect against, detect, respond to, and recover from a ransomware attack. Our team has helped healthcare systems protect against and prepare for ransomware attacks.
2. Security Awareness & Social Engineering Test
Phishing and social engineering attacks are common in the healthcare industry. These attacks manipulate employees into giving up private information, leading to the release of sensitive data. Social engineering testing can provide insight into best practices healthcare employees can use to strengthen security, keeping patient data top of mind.
3. Threat & Vulnerability Test
Through ethical hacking, our team applies the tools and techniques used by hackers, identity thieves, and disgruntled employees to find and analyze security issues through a variety of testing and scanning. As medical devices become more connected to networks and the internet, it’s essential to confirm your systems have robust security controls in place.
4. Incident Response Plan
Reducing IT system downtime is critical to patient care in a healthcare organization. FORVIS can help you reduce risk with an incident response plan. Whether an incident is intentional or accidental, it’s important to have a plan in place in case patient data is breached or clinical systems become unavailable.
5. Third-Party Risk Assessment
Analyzing vendor contracts and reviewing independent assessments are two important focus areas for a healthcare system as it assesses and manages third-party cyber risk. Vendors maintaining effective cyber controls is critical to the success of a cyber risk program. Enlisting our cybersecurity professionals to assist with third-party risk assessment can help your organization identify your vendors’ security risks, including the potential compromise and disruption of patient care systems.
It’s essential for healthcare organizations to implement robust cybersecurity measures to protect against these and other cyber risks. This includes training employees on detecting and responding to cyberthreats, regularly updating software and systems, conducting regular vulnerability assessments, and implementing access controls and monitoring systems. By taking proactive steps to address these risks, healthcare organizations can help protect PHI and strengthen the integrity of their systems to provide a quality patient care experience.
Be sure to also check out our article, “HHS Releases New Cyber Framework for Hospitals,” on HHS’ new framework and the impact it may have on your organization.
At FORVIS, our cybersecurity team offers services to help combat these risks, including ransomware assessments, social engineering testing, threat and vulnerability testing, incident response planning, third-party risk management, and IT and security risk assessments. For more information, please reach out to a professional at FORVIS.