Cybersecurity blog Cybersecurity blog
Can We Avoid Cyberattacks On The Healthcare Industry?
Facebook Twitter LinkedIn

Can We Avoid Cyberattacks On The Healthcare Industry?

blank
Sindri Bergmann
6 min read ∙ Nov 12, 2020
blank

Perhaps the most important lesson from the most recent cyberattacks on the healthcare industry is this: Hackers have no shame! We knew that already but recently we were rudely awakened to just how low they will go.

Cyberattacks On The Healthcare Industry in Finland

Thousands of psychiatric therapy patients in Finland reported getting extortion notes from a hacker, or hackers in 2021. The hackers had breached a private healthcare company called Vastaamo. During these attacks they stole confidential treatment records, including recordings of doctor-patient sessions. Extorting clients is an unprecedented method for hackers. Usually they only demand ransom from the company from which they’ve stolen the data. When Vastaamo refused they sought out the patients themselves.

The cyberattack against Vastaamo makes it crystal clear that the healthcare industry is more vulnerable to cyberattacks than any other. 

One of the reasons why healthcare data is more valuable to cyber-criminals than social security numbers or credit card info is the fact that the owners of the data are in a much more vulnerable position.

The Healthcare Industry Is Vulnerable

It is believed that the first cyberattack on Vastaamo’s healthcare facilities happened in 2018. The data is got leaked or used for extortion of patients much later. There’s a reason why healthcare data is more valuable to cyber-criminals than social security numbers or credit cards. The owners of the data are in a much more vulnerable position. It’s not just their money or credit score that’s at risk, it’s their peace of mind. Their health. Their most intimate privacy. Something that they can never get back if it leaks out. It is therefore more important for the healthcare industry than any other sector to keep data safe. 

Healthcare data is sensitive data that are even more valuable to hackers than credit cards.
Healthcare data is more valuable to hackers than credit cards.

Patient data is not the only thing at risk. Devices and important machines, such as pacemakers, ventilators and surgical robots, are now connected. This means they are under threat too. Hospitals are being sabotaged by cyber attacks and lives are at risk. 

Covid-19 Increased the Risk of Cyberattacks on the Healthcare Industry

The Covid-19 pandemic carried along with it another kind of infectious risk. A cyber-risk in the form of viruses, scams and social media disinformation. Hackers used phishing emails which promised news about the pandemic or vaccines. They will always use such hot topics to trick people into clicking false links or attachments. What does that mean for the healthcare institutions that we need to keep us safe? 

Doctors and other healthcare workers were and still are working under extreme pressure and in unprecedented circumstances. They rely more than ever on their own private devices for communication and search for the latest news and research on treatments. For this reason they are easily scammed if they have not been trained in cyber security awareness. And with everybody wearing masks and protective gear within healthcare facilities, tailgating is now an even bigger risk than before.

A physical attack on a Croatian covid-hospital left doctors and patients in the dark and without electricity for a few hours after someone broke in and turned off the main switch. This kind of breach focuses our attention on the importance of physical security too, and the importance of having a strong security culture. 

Healthcare facilities tend to run on old legacy software, that's why cyberattacks on healthcare are more frequent.
Healthcare facilities tend to run on old legacy software.

Are Cyberattacks on the Healthcare Industry Inevitable?

For years cybersecurity experts have been pointing out the fact that both public and private healthcare facilities are using outdated and poorly maintained systems. Healthcare facilities tend to run on old legacy software. Some even use software that has been discontinued and is therefore not updated anymore. This puts patient data in a lot of risk. Covid-19 introduced a massive collaboration between the public and private sectors. Patient information is being collected and shared like never before. This further increases the opportunity for hackers to find and exploit weak links. If nothing is done to minimize the risk we will see even more cyberattacks on the healthcare industry.

Patient information is being collected and shared like never before. This further increases the opportunity for hackers to find weak links and chinks in the proverbial armor.

Pharmaceutical companies are also a target. Especially during a pandemic. They may have stronger security systems and better software in place but they still experienced attacks and security breaches. This is most likely due to a lack of security culture. Their employees might accidentally click on phishing emails or accept downloads from compromised websites. Yet another reason why healthcare employees need rigorous security awareness training

How To Avoid Cyberattacks on the Healthcare Industry

So why is the healthcare industry still more vulnerable to cyberattacks than any other sector? Although there’s money in healthcare it is often prioritized towards what is perceived as “most critical”. We’re talking about life-saving equipment, staff, medicine etc. This is understandable. The healthcare industry is often working under pressure with little time or funds to spare. However, helping people in their time of need should not come with the risk of their personal health care data being stolen and used for extortion later. Part of patient care should be caring for the patient’s data and privacy as if their lives depended on it. Because they do. 

The first step to any cyber security resilience plan is to remember the “holy trinity” of cyber security:

  • People
  • Processes
  • Technology

Healthcare facilities need to invest in the right technology to keep their sensitive information safe. This is technology like cloud based anti-virus software and spam-filters. This also means upgrading to a software that is patched regularly. Healthcare facilities need to train all their employees in how to use email and the internet safely and create a strong security culture among their employees.

Part of patient care should be caring for the patient’s data and privacy as if their lives depended on it. Because they do. 

AwareGO offers a ready made cyber security awareness training program for healthcare. It consists of 25 training subjects that cover both physical and cybersecurity threats. Cyber security awareness training goes hand in hand with HIPAA and GDPR compliance as well. A free trial of the AwareGO training platform (LMS),cybersecurity content, and the Human Risk Assessment is available with no credit card or commitment needed. 

Cybersecurity for beginners free book

Finally, there need to be processes in place that help keep data safe. Rules that apply to all. And plans on how to respond should a security threat arise. For those who want to know more about cyber security resilience we recommend our short and concise guide: Cybersecurity For Beginners. Read up on the fundamentals of cybersecurity and help make your workplace a more cybersecure place. 

Try AwareGO’s complete cybersecurity solution for free

Sign up for a free trial and find out if AwareGO’s training videos, human risk management and cybersecurity platform is what your organization needs.

blank
blank
Sindri Bergmann
6 min read ∙ Nov 12, 2020

Become cyber secure

You and your employees are going to love AwareGO. It’s a modern, cloud-based system for managing human risk, from assessment to remediation. We’ve made it super easy — schedule your first assessment or training in minutes.

Get started for free and give it a go right now.

You’ll love the way AwareGO can fit into your existing infrastructure. Our robust APIs, widgets, and content available in SCORM format make sure that the integration is seamless. We also integrate with Active Directory, Google Workspace, and popular tools like Slack and Teams.

Contact us and our experts will recommend the best way to integrate.

Upgrade your cybersecurity business by adding human risk management to your existing portfolio of services. Increase your deal size by leveraging Human Risk Assessment or offering Security Awareness Training to your current customers and creating a new revenue stream.

Contact us to become an AwareGO partner, and we will support you every step of the way.

Join top companies worldwide in the mission to make workplaces cyber-safe

Get started free
blank blank blank blank blank blank blank blank blank blank