Share this article on:
WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information.
The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a cyberattack.
WEDI points out the seriousness of the threat faced by the healthcare industry. Cyberattacks are costing the healthcare industry around $6.2 billion each year, with the average cost of a healthcare data breach around $2.2 million.
Cyberattacks and other security incidents having risen sharply in recent years. More records are now being exposed than at any other time in history and the number of healthcare data incidents being reported reached record levels last year.
The Department of Health and Human Services’ Office for Civil Rights received 315 reports of major healthcare data breaches last year and recent research by Fortinet showed that in the final quarter of 2016, the U.S. healthcare industry was being attacked more than 700,000 times per minute.
The healthcare industry is in a unique position. Healthcare organizations hold data that is more valuable to cybercriminals that held by other industries. Healthcare organizations also typically have a much larger attack surfaces to defend and more attack vectors to block.
WEDI points out that “attack surfaces have multiplied as organizations cobbled together a health information technology (health IT) infrastructure comprised of new components, legacy hardware and antiquated software from multiple vendors.”
Yet while healthcare IT systems require increased investment, many healthcare organizations are relying on basic security tools to defend their networks and keep data secure. Those tools focus on “antivirus, malware and firewall vulnerabilities, but lack a deeper set of prevention, encryption, detection, authentication and protection strategies.”
In the report, WEDI explores the most common types of threat adversaries, their characteristics and the level of threat that each poses. The report also details the types of vulnerabilities and attacks that most commonly occur, including zero-day vulnerabilities in software, phishing, spear phishing and whaling attacks, and malicious software such as viruses, worms, malware and ransomware.
WEDI sought advice from industry stakeholders in roundtable discussions between November 2015 and April 2016 and identified best practices that can be adopted by healthcare organizations to mitigate risk and keep networks and data secure.
WEDI suggests a cultural change is required and healthcare cybersecurity must have a higher profile. That process should start by raising awareness and educating stakeholders of the unique threats faced by the healthcare industry and the cost of cyberattacks and other data breaches.
Cybersecurity must become a C-suite matter, not an area dealt with by IT departments. Strategies must be effectively planned and sufficient resources devoted to protecting networks from attack. WEDI suggests healthcare organizations should also adopt cybersecurity frameworks to improve reliance against cyberattacks and apply the lessons learned from other industries.
The white paper can be viewed on this link.