Perhaps the most important lesson from the most recent cyberattacks on the healthcare industry is this: Hackers have no shame! We knew that already but recently we were rudely awakened to just how low they will go.
Cyberattacks On The Healthcare Industry in Finland
Thousands of psychiatric therapy patients in Finland reported getting extortion notes from a hacker, or hackers in 2021. The hackers had breached a private healthcare company called Vastaamo. During these attacks they stole confidential treatment records, including recordings of doctor-patient sessions. Extorting clients is an unprecedented method for hackers. Usually they only demand ransom from the company from which they’ve stolen the data. When Vastaamo refused they sought out the patients themselves.
The cyberattack against Vastaamo makes it crystal clear that the healthcare industry is more vulnerable to cyberattacks than any other.
One of the reasons why healthcare data is more valuable to cyber-criminals than social security numbers or credit card info is the fact that the owners of the data are in a much more vulnerable position.
The Healthcare Industry Is Vulnerable
It is believed that the first cyberattack on Vastaamo’s healthcare facilities happened in 2018. The data is got leaked or used for extortion of patients much later. There’s a reason why healthcare data is more valuable to cyber-criminals than social security numbers or credit cards. The owners of the data are in a much more vulnerable position. It’s not just their money or credit score that’s at risk, it’s their peace of mind. Their health. Their most intimate privacy. Something that they can never get back if it leaks out. It is therefore more important for the healthcare industry than any other sector to keep data safe.
Patient data is not the only thing at risk. Devices and important machines, such as pacemakers, ventilators and surgical robots, are now connected. This means they are under threat too. Hospitals are being sabotaged by cyber attacks and lives are at risk.
Covid-19 Increased the Risk of Cyberattacks on the Healthcare Industry
The Covid-19 pandemic carried along with it another kind of infectious risk. A cyber-risk in the form of viruses, scams and social media disinformation. Hackers used phishing emails which promised news about the pandemic or vaccines. They will always use such hot topics to trick people into clicking false links or attachments. What does that mean for the healthcare institutions that we need to keep us safe?
Doctors and other healthcare workers were and still are working under extreme pressure and in unprecedented circumstances. They rely more than ever on their own private devices for communication and search for the latest news and research on treatments. For this reason they are easily scammed if they have not been trained in cyber security awareness. And with everybody wearing masks and protective gear within healthcare facilities, tailgating is now an even bigger risk than before.
A physical attack on a Croatian covid-hospital left doctors and patients in the dark and without electricity for a few hours after someone broke in and turned off the main switch. This kind of breach focuses our attention on the importance of physical security too, and the importance of having a strong security culture.
Are Cyberattacks on the Healthcare Industry Inevitable?
For years cybersecurity experts have been pointing out the fact that both public and private healthcare facilities are using outdated and poorly maintained systems. Healthcare facilities tend to run on old legacy software. Some even use software that has been discontinued and is therefore not updated anymore. This puts patient data in a lot of risk. Covid-19 introduced a massive collaboration between the public and private sectors. Patient information is being collected and shared like never before. This further increases the opportunity for hackers to find and exploit weak links. If nothing is done to minimize the risk we will see even more cyberattacks on the healthcare industry.
Patient information is being collected and shared like never before. This further increases the opportunity for hackers to find weak links and chinks in the proverbial armor.
Pharmaceutical companies are also a target. Especially during a pandemic. They may have stronger security systems and better software in place but they still experienced attacks and security breaches. This is most likely due to a lack of security culture. Their employees might accidentally click on phishing emails or accept downloads from compromised websites. Yet another reason why healthcare employees need rigorous security awareness training.
How To Avoid Cyberattacks on the Healthcare Industry
So why is the healthcare industry still more vulnerable to cyberattacks than any other sector? Although there’s money in healthcare it is often prioritized towards what is perceived as “most critical”. We’re talking about life-saving equipment, staff, medicine etc. This is understandable. The healthcare industry is often working under pressure with little time or funds to spare. However, helping people in their time of need should not come with the risk of their personal health care data being stolen and used for extortion later. Part of patient care should be caring for the patient’s data and privacy as if their lives depended on it. Because they do.
The first step to any cyber security resilience plan is to remember the “holy trinity” of cyber security:
- People
- Processes
- Technology
Healthcare facilities need to invest in the right technology to keep their sensitive information safe. This is technology like cloud based anti-virus software and spam-filters. This also means upgrading to a software that is patched regularly. Healthcare facilities need to train all their employees in how to use email and the internet safely and create a strong security culture among their employees.
Part of patient care should be caring for the patient’s data and privacy as if their lives depended on it. Because they do.
AwareGO offers a ready made cyber security awareness training program for healthcare. It consists of 25 training subjects that cover both physical and cybersecurity threats. Cyber security awareness training goes hand in hand with HIPAA and GDPR compliance as well. A free trial of the AwareGO training platform (LMS),cybersecurity content, and the Human Risk Assessment is available with no credit card or commitment needed.
Finally, there need to be processes in place that help keep data safe. Rules that apply to all. And plans on how to respond should a security threat arise. For those who want to know more about cyber security resilience we recommend our short and concise guide: Cybersecurity For Beginners. Read up on the fundamentals of cybersecurity and help make your workplace a more cybersecure place.
Sign up for a free trial and find out if AwareGO’s training videos, human risk management and cybersecurity platform is what your organization needs.