Despite hospitals and other healthcare facilities beefing up their cybersecurity efforts throughout the course of the COVID-19 pandemic, the industry remains vulnerable to these types of attacks. In 2021, the healthcare industry was the most common victim of ransomware attacks, accounting for 33 percent of incidents.
Attackers were able to infiltrate networks and steal data by exploiting weak passwords and gaining access to unauthorized networks, according to a report by Black Kite. Because of these vulnerabilities, the personal information of 1.5 billion users was leaked via third-party breaches.
“Threat actors have become more agile over the years, particularly with increased ransomware attacks revealing a sense of heightened agility and skill,” says Bob Maley, chief security officer with Black Kite. “This is not just a change from 2021 but an overall message. Attack methods are becoming more clever, more detailed, with flexibility and dexterity. If agile attack methods are improving, our response must match, if not counter their growth.”
Even the biggest names in healthcare are vulnerable to cyberattacks.
Earlier this month, the Red Cross announced that its systems were compromised, with more than 500,000 people’s data exposed. According to the release, the data originated from at least 60 Red Cross and Red Crescent National Societies around the world. At the time of this publication, the organization has no indication of who carried out the cyberattack, and there is no indication that the compromised data has been leaked or shared publicly.
“This cyberattack puts vulnerable people, those already in need of humanitarian services, at further risk,” says Robert Mardini of the International Committee of the Red Cross in a press release. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”
Every second counts once an initial threat is made. Still, many hospitals and other healthcare facilities do not have the proper means to thwart these attacks. The average time between an attack and its disclosure date in 2021 was 75 days, according to the Black Kite report. The longer an attacked company delays disclosure, the more negative impact the organization faces as it risks losing trust from its patients or large sums of money.
As previously reported by Healthcare Facilities Today, 54 percent of healthcare systems believe a data breach would be critical to their reputation. It is up to IT managers to ensure that patients’ and residents’ private data is secured. Hospitals and other healthcare facilities must be transparent and regularly communicate with patients and residents on ways their information is being used, stored, shared and protected.
Even though cybersecurity risks surround IoT medical devices, more of this technology has been implemented in facilities since the start of the pandemic. Almost 80 percent of these IoT devices get used frequently, according to a report by Cynerio, allowing little opportunity for hospital security teams to analyze them for risks and attacks. Often, these devices are left on default passwords and settings that attackers can easily obtain. The lack of updates could eventually disrupt workflow or harm a patient.
Without a cybersecurity program in place, hospitals and other healthcare facilities are at risk. These attacks can take down a majority of IoT infrastructure, and most of the devices now in hospitals have a risk factor that is considered critical, according to the Cynerio report. Devices with critical vulnerabilities can greatly affect patient safety, data confidentiality, and service ability. It is up to managers to remain vigilant and perform regular maintenance on IoT devices. If not, lives could be at stake.
Mackenna Moralez is assistant editor with Healthcare Facilities Today.