The healthcare industry is renowned among cybercriminals for being target-rich. That is because patient records, research data, and intellectual property can bring top dollar on the dark web.
While stolen financial data typically has a minimal shelf life, personal health information (PHI) is forever. Victims can get a new credit card after a breach, but they cannot change their blood type or their medical history. That fact alone boosts the value of PHI to cyber thieves, who can hold the information hostage for ransom or sell it to third parties long after it has been stolen.
This is not to say cybercriminals are ignoring opportunities to steal money from healthcare organizations. Healthcare represents nearly a fifth of the U.S. economy, with large sums moving electronically every day between multiple parties and organizations – payers, providers, suppliers, and patients. It can take only one weak link in the chain to create an opportunity for threat actors to strike.
The healthcare industry has been undergoing a transformation to cloud solutions for everything from billing to remote patient care options, online patient portals, and more. While these offer efficiency and scalability, they also increase the risks associated not only with cybercrime but also with inadvertent disclosure events that can expose volumes of sensitive data.
Medical devices are becoming increasingly interconnected, thereby enlarging the attack surface on which cybercriminals can gain access to sensitive data or even disrupt patient care while in progress. This proliferation of IoT devices, along with the increasingly sophisticated tools and techniques that threat actors use to hack them, means that healthcare providers have to secure more equipment than ever before – and the stakes have never been higher.
Given what they do, hospitals, medical practices, and other healthcare organizations can least afford to experience disruptions in essential systems and networks. As they rely increasingly on electronic data exchange, system downtime not only results in huge costs but can also bring delays in accessing critical patient health information and keeping life-saving services operating smoothly.
The Health Insurance Portability and Accountability Act (HIPAA) places additional responsibility on healthcare organizations to protect individuals’ electronic personal health information that they receive, use, or maintain. HIPAA’s Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. If healthcare organizations lose control of their data, they are required to provide notification to affected individuals, the federal government, and, in certain circumstances, to the media.
While they focus their time, attention, and resources on the response to COVID-19, healthcare organizations have seen increases in cybersecurity attacks as threat actors seek to exploit the emergency. Since the start of the pandemic, there has been a significant increase in phishing emails and malware distribution using COVID-19 as a lure. Meanwhile, intelligence agencies have reported that hackers are using malware and sophisticated phishing emails to try to gain access to vaccine research and information on medical supply chains.2
Crypsis applies HIPAA guidelines and requirements to assess an organization’s overall security posture accounting for their people, processes, and technologies in use to secure the organization and its assets. We gain an understanding of the cybersecurity landscape, mapping where PHI and other sensitive data resides, and how it is stored and transmitted. We also review existing documentation and make recommendations based on healthcare industry standards, as well as conduct stakeholder interviews to get insight into cybersecurity infrastructure, operations, capabilities, processes, and overall practices across the organization. Our HIPAA Assessment includes detailed recommendations to remediate identified weaknesses or gaps in security, as well as a strategic implementation roadmap detailing how identified weaknesses may be addressed, including the perceived level of effort and estimated costs.
Crypsis offers targeted assessments and technical cybersecurity services to test and evaluate cybersecurity posture and overall cyber resilience, and to verify that security controls are performing optimally and efficiently. These include penetration testing – where we simulate a real-world attack to assess the strength of your countermeasures and identify hidden vulnerabilities – web and mobile application testing, targeted security assessments of your current configurations, phishing exercises, and tabletop exercises that include customized scenarios based on threats that are specific to the healthcare industry.
Protection starts with putting safeguards in place and implementing continuous monitoring capabilities to ensure the delivery of critical infrastructure services. Examples include identity management and access control, cyber risk awareness training for employees, and information protection processes and procedures. This also involves monitoring cybersecurity developments and events to verify that protective measures remain effective.
The Crypsis Group’s data breach and response teams are ready at a moment’s notice to help healthcare organizations investigate, eradicate, and recover from ransomware attacks, as well as from business email compromise, inadvertent disclosures of data, and other types of incidents. Our mission is to immediately stop the attack, expel the intruder, restore systems, and get operations back online as quickly as possible – while leveraging data analytics solutions to investigate the extent of PHI exposure in light of HIPAA obligations.
Our cybersecurity experts have deep experience protecting our nation and our businesses from ever-evolving and intensifying cyber threats. Since we were founded in 2015, we have partnered with hundreds of healthcare companies – including hospitals, medical practices, bioscience companies, long-term care facilities, and others – to help them respond to and recover from cyberattacks, manage their risks, and harden their defenses.
We fight cybercrime. With many of us having served in law enforcement, the intelligence community, and in the IT security departments of leading corporations and government agencies, we know how cybercriminals operate, we know the tactics they use, and we know where to look for them and how to find them. With access to the latest technologies and techniques for fighting cybercriminals, we dedicate our careers to staying well ahead of them and keeping them at bay on behalf of our clients.
1 The Crypsis Group, 2020 Incident Response and Data Breach Report