Cyber criminals are always eager to take advantage of emergencies to further launch their nefarious actions. Such was the case with the COVID-19 pandemic. Besides dealing with the public health pandemic, healthcare providers must deal with another pandemic: cyber-attacks.
An expanding attack surface
Hospitals and healthcare organizations were an attractive target even before the coronavirus pandemic. Patient records were always valued by attackers for launching sophisticated insurance fraud schemes, purchasing medical supplies or drugs, or committing other types of fraud including identity theft. Financially motivated actors target medical records because they are lucrative assets on the dark market.
In a drive to provide better care to patients, save costs, and facilitate faster time-to-market for treatments, healthcare providers have spent the last few years focusing on:
- Adopting hybrid and cloud-based workloads, with IDC reporting that 93% of pharma and 72% of biotech organizations now rely on the cloud for core applications
- Expanding the use of telemedicine, transforming healthcare access for remote patients
- Increasing the use of advanced IoT devices
- Digitalizing health records for portability and patient accessibility
The deployment of new devices—especially those categorized as IoT that use wireless networks and sensors to collect and exchange information—is a double-edged sword. While these devices offer medical environments tremendous capabilities to care for patients and increase efficiencies, each device increases an organization’s attack surface. That is a problem, as cyber-attacks against hospitals can disrupt health services (inaccurate medication schedules, unavailable laboratory and radiology records, phone systems offline, etc.) and thereby significantly affect the quality of healthcare provided in a hospital.
According to a recent report, Central Europe experienced the biggest rise in cyber-attacks on its healthcare organizations during the pandemic (145%), followed by East Asia (137%) and Latin America (112%). Overall, there was a stunning increase of 55% in the number of cyber-attacks targeting hospitals and other healthcare providers. This increase impacted the medical records of some 26 million people in the United States alone.
On the need to protect vaccine records and research
Once COVID-19 arrived, the healthcare organizations found themselves confronting a new digital security threat. There were attempts to steal COVID-19 vaccine technology, clinical trials data sets, and individual vaccination records, as well as attempts to disrupt the vaccine distribution supply chain. These attacks posed a serious threat to life in a world changed by the pandemic.
Today, there is a need to protect the authenticity of individual vaccination records. With vaccination rates growing throughout the world, there could be the need to show proof of vaccination for many everyday activities – e.g., airline travel, hotel stays, border crossings, etc. For instance, many American universities are requiring students to provide proof of vaccination so that they can return to campus and resume in-person classes. A vaccination record may soon be the golden ticket to bring our lives back to normal. Protecting this information appropriately will be important to make sure that we are properly managing through both this, and future pandemics.
Additionally, there is a strong need to protect collaborative data on vaccine research not only for COVID-19 but also for future virus threats. This research needs to be secure; if malicious actors were able to access it, they could change crucial details that could put untold numbers of people at risk. Maintaining innovation and creativity is key in rapidly finding cures to new medical issues, however the appropriate data protection must be in place to protect this critical research data.
Compliance adds to cybersecurity challenges
Adding to the complexity of these security challenges are the strict requirements for compliance with regulatory frameworks such as GDPR and the NIS Directive in Europe as well as HIPAA in the United States. While these regulations are enacted to protect systems and sensitive data, healthcare organizations face multiple moving targets for managing controls and meeting these requirements.
Going beyond privacy regulation, governments are now making explicit cybersecurity recommendations. For instance, the White House’s Executive Order on Improving the Nation’s Cybersecurity order gave Federal Civilian Executive Branch (FCEB) agencies 180 days to “adopt multi-factor authentication and encryption for data at rest and in transit...”and to “…prioritize identification of the unclassified data considered to be the most sensitive and under the greatest threat.” This directive is targeted at government agencies, but it explicitly mentions that it provides “the private sector with a template for its response efforts,” as well.
However, despite the worrying increase of cyber-attacks and this growing regulatory environment, healthcare providers are falling behind in implementing robust data protection and cloud security best practices. In fact, the Thales 2021 Data Threat Report reveals that:
- Only 33% of healthcare providers encrypt 41-50% of their data in the cloud, much better than the global 17% of survey respondents.
- 55% of healthcare organizations have deployed a key management solution to secure their cryptographic keys.
- 40% are implementing a Bring-Your-Own-Key (BYOK) strategy, and 31% use a cloud-based service.
What needs to be done?
To face these challenges, healthcare organizations should implement solutions that allow them to:
- Discover and classify all sensitive data.
- Protect data at rest and in transit while securing access across the entire computing stack.
- Centralize data security governance.
- Adopt a zero-trust policy.
- Authenticate every medical IoT device.
To learn how Thales can help healthcare providers and life-science organizations protect themselves and their data against cyber-attacks, Protecting life-sciences and healthcare data against a cyber-attack pandemic - Solution Brief, or learn about Healthcare Data Security.