Ensuring Cybersecurity in Healthcare Institutions

Posted on by David Muniz

During the pandemic, we have seen a dramatic increase in the volume of personal data being handled by healthcare organizations. Sector-specific regulations like HIPAA and newer data protection regulations such as GDPR, CCPA and LGPD establish rules for handling personal data: they classify health data as sensitive and require that it be treated differently from other categories of personal data.

All the while, the overburdened healthcare sector has become one of the favorite targets for cybercriminals. Even the President of the International Committee of the Red Cross has warned of the increase in cyberattacks targeting hospitals. More than 22.8 million patients have been impacted by data breaches in the healthcare sector in 2021 alone, an increase of 185% compared to the same period in 2020. This results from a widening of the attack surface, increasing cyber risks and directly affecting business continuity.

According to Tenable, ransomware attacks were the cause of 46% of the breaches in the healthcare industry. The sector's IT infrastructure has been under pressure because of increasing hospitalizations and data traffic, with the security perimeter expanding beyond the walls of healthcare facilities. Information Security teams now have to support telehealth services and non-clinical employees working remotely in addition to the usual infrastructure of connected medical and IT devices. Unprotected networks can be an entry point for malicious actors, who can exploit vulnerabilities to obtain improper access to infrastructure, install malicious software and steal sensitive information.

The recommendation, in this case, is that healthcare providers deploy cybersecurity tools to address security gaps in the organization. Those solutions can perform actions such as vulnerability checks, network monitoring and endpoint protection.

Research from HIMSS shows that 73% of security leaders believe the investment in cybersecurity should be higher than it currently is; however, cybersecurity budgets in the healthcare industry are not keeping up with demand despite the growing data privacy regulations with which healthcare organizations need to comply. The same research indicates that these leaders believe they need to be spending 24% more than their current spend.

The good news is that, because of COVID-19, the healthcare and public health industries expect an increase in cybersecurity spending in the next 12 months. This amount should reach $18 billion in 2021.

The healthcare sector suffers from a lack of cybersecurity awareness not only among employees but also among third parties and service providers. According to research conducted by Mimecast, 73% of healthcare professionals use corporate devices for personal purposes, which can give malicious actors an entry point into their organizations. With email the most common attack vector for those looking to steal patient data, malicious actors can compromise these devices through phishing campaigns.

For this reason, it is important to develop a cyber awareness program for employees and third parties. This reduces the chances of an employee or third party opening a suspicious document or clicking a malicious link.

It is worth remembering that the financial impact of cyberattacks for healthcare organizations is more than double the average, according to the 2020 Cost of a Data Breach Investigations Report. While the average cost of the data breaches surveyed was $3.86 million, when a breach occurs in a hospital, clinic or medical research institute, this value reaches $8.6 million, an increase of 10.5% compared to 2019.

To improve the cybersecurity posture of a medical facility, a good start for those responsible for Information Security is to use established frameworks to implement cybersecurity controls. The NIST Cybersecurity Framework offers sound guidance to help healthcare organizations evaluate their maturity and develop a risk management program, covering aspects such as risk assessment, detection of and response to security events, and awareness and training. NIST also offers healthcare-specific resources that complement the Cybersecurity Framework, helping healthcare organizations ensure business continuity and keep performing their main role: saving lives.

David Muniz

Knowledge Management Analyst, senhasegura


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
