Increasing Cyberattacks On Healthcare Institutions Shows Immediate Need For Greater Cybersecurity
While the pandemic brought about inspiring displays of solidarity and compassion, as with any tragedy, bad actors took advantage of the situation for personal gain. While hospital workers set up field hospitals in parking lots and clinicians risked their health to combat the frightening virus, hackers, ransomware gangs, and financial scammers doubled down on their mission to obtain valuable patient data.
The number of hacking incidents reported in healthcare climbed for the fifth straight year in 2020, according to my company’s report, jumping 42% in 2020. Hacking incidents comprised more than half of all last year’s patient data breaches — 62% — up from 2019.
Crisis Loosens Protections
Unprepared for Covid-19 surges, many hospitals were forced to reallocate resources from administrative functions to patient care. The necessary pivot resulted in important data protection measures going by the wayside, exacerbating the vulnerabilities that hackers have worked tirelessly for years to exploit.
With more staff working remotely, the operation of mass Covid-19 testing and vaccination sites, and soaring telehealth utilization, many health systems watched their defenses against patient data exposure crumble. All the while, they were flooded with requests to share data with the media and the public. Then came elective procedure standstills, which choked off a critical revenue stream.
Having weathered this chaotic environment for more than a year now, healthcare workers are understandably weary. Details related to password complexity, connection security, and compliance protocols may not be top of mind for workers with so many priorities competing for their attention. Of course, the industry-wide fatigue — and the opportunities it creates — are well understood by bad actors looking to profit off of stolen patient data.
Statistics Don’t Lie
A data released by Armis uncovered that the lack of knowledge and general awareness of major cyberattacks on critical infrastructure and an understanding of security hygiene. The survey of over 2,000 respondents from across the United States found that end users are not paying attention to the major cybersecurity attacks plaguing operational technology and critical infrastructure across the country, signaling the importance of businesses prioritizing a focus on security as employees return to the office. In the past year, 65,000 ransomware attacks occurred in the United States. In other words, approximately 7 attacks per hour, a rate that is expected to continue to rise. As the U.S. looks at its vulnerable industries, the responsibility is falling on businesses to ensure that they are keeping the organization and employees safe and secure.
Impact of Cyber Attacks
Impact of cyber-attacks on critical infrastructure has been evident. It was observed that ransomware hit healthcare in a major way, with attacks on Scripps Health’s technology systems and a chain of Las Vegas hospitals. Despite the spotlight on these attacks, the data shows that many consumers are simply not taking notice — and the responsibility of security falls on the businesses themselves.
As the risk of attack continues to rise, and businesses move toward a hybrid in-office/work from home model, it is imperative that businesses are considering security and ensuring the proper policies and protections are in place. Thinking critically about security early on, and weaving it into your company’s everyday practices, can be the difference-maker as employees return to the office.
“The attacks on our critical infrastructure are clear evidence of the need for cybersecurity and assurance to all our utility providers and players,” said Curtis Simpson, CISO at Armis. “It is also an unfortunate example of the huge vulnerability of an aging infrastructure that has been connected, directly or indirectly, to the internet. Organizations must be able to know what they have, track behavior, identify threats, and immediately take action to protect the safety and security of their operations. This data shows that there is less consumer attention on these attacks as we might expect, and so that responsibility falls to businesses to shore up their defenses.”
Cyber Threats on US Healthcare
Some of the most noted finding of Armis’ survey disclosed that:
Education and Awareness Of Cyberattacks Is Still Lacking: Despite these major attacks making headlines on the national stage, respondents showed a lack of awareness of these attacks and their impact on consumers and businesses. Over 21% of respondents have not even heard about the cyberattack on the largest U.S. fuel pipeline, and almost half (45%) of working Americans did not hear about the attempted tampering of Florida’s water supply.
The Severity Of The Attacks Is Not Sticking: Despite the complete shutdown of the Colonial Pipeline following the attack, and the halting of production at JBS, consumers don’t see the lasting effects of these attacks. 24% of respondents believe that the Colonial Pipeline attack will not have any long-lasting effects on the U.S. fuel industry.
Healthcare Could be The Next Frontier For Hackers: According to a commissioned study conducted by Forrester Consulting on behalf of Armis, 63% of healthcare delivery organizations have experienced a security incident related to unmanaged and IoT devices over the past two years. Yet today’s data shows that when it comes to device security, over 60% of healthcare employees believe that their personal devices do not pose any security threat to their organization. What’s more, 26% said that their companies do not have any policies in place to secure both work and personal devices.
Employees are Putting Businesses at Risk Through Devices: As COVID restrictions begin to lighten, enterprises are starting to talk about the return to the office, but as we go back, businesses need to be thinking about overall enterprise security, especially as employees have expressed their intention to continue some potentially risky habits. The data shows that over 71% of employees intend to bring their WFH devices back to the office, with over 82% of that group being IT professionals, whose main job function is to ensure the security of the organization. Despite the risks prevalent, 54% don’t believe their personal devices pose any security risk/threat to their organization.
