Hospitals and other healthcare facilities are under attack from cyber criminals. In 2019 healthcare was one of the most targeted industries. In the first half of 2019 alone, there were 168 attacks that breached more than 30 million health care records. And according to IBM research, the average cost of a breach at a healthcare facility was $3.92 million. And as hospitals continue to go digital, these stats are on track to get even worse.
Attackers Love Healthcare
So why do attackers love healthcare? The answer is pretty obvious isn't it? Stolen healthcare records are a goldmine for hackers. On the typical dark web marketplace, medical records and PII, or Personal Identifying Information, can sell for up to $1000 per record, depending on how much information is included per record set.
Today, medical records are more valuable than credit card numbers and social security records, as they allow attackers to pull off potentially devastating medical identity theft. Most medical records sets contain the patient’s aforementioned social security number, full name, and DOB. This information together allows attackers to pull off grand identity theft scams and in some cases, can be used as black mail. This was the case in 2018 when SingHealth, Singapore’s largest healthcare provider was hacked and the medical data of over half the population of the tiny nation state was stolen. In particular, the healthcare records of the Prime Minister were stolen to be used as black mail.
Another reason attackers go after healthcare is the sheer complexity of the industry at large. There are just so many factors that make healthcare more complex and therefore more attractive to attackers than other industries:
Legacy applications and no room for downtime - Most hospital networks were built years ago and new technologies are layered on top of older, less integrated and less secured technologies. And while some industries can deal with the small amount of downtime involved in patching and upgrading systems, medical facilities often cannot tolerate any downtime, as a loss of functionality could have dire consequences. Thus they continue to work with buggy, unsupported operating systems and legacy applications, making them an easy target for attackers.
Medical devices are scarily vulnerable - Today we have access to incredible devices that make patient care so much easier and more effective, such as Internet-connected insulin pens and catheters. But these single-purpose devices are not built with security in mind, so they often use hard coded passwords and cannot be updated. Though they don’t usually hold data on the patient, they can be used by attackers to get a foothold into the hospital network.
Overwhelmed and undereducated (about security threats, anyway) staff - Healthcare workers, including doctors, nurses, and IT staff, tend to be some of the most overworked, busiest employees. Medical staff have to contend with pressing and stressful decisions all day; and while they know how to deal with these emergent situations with grace and ease, technology is rarely their forte, leaving them unaware of the human factor they pose in regards to cyber risk. IT and security teams are left to deal with the risks and threats but changing employee habits is tough work.
Smaller hospitals may lack proper funds - According to a recent study by Moody’s, many smaller and regional hospitals are not able to put more than 5% of their budget towards security programs. They also often lack highly trained security staff, putting them at even greater risk.
Fixing Cyber Security in Healthcare
So here we have one of the most vulnerable industries holding some of the most potentially damaging data; what can be done to fix this dangerous pattern?
Zero Trust has risen to stardom as the best candidate for the potential savior of cyber in the last few years. A Zero Trust strategy assumes that the perimeter of old is dead and that attackers are at your door. Thus, no one is trusted, and everyone—and everything— must be verified before it’s allowed to access applications and resources.
This approach has made great strides in securing areas like Finance and the corporate world. With Zero Trust, organizations have been able to move away from the porous perimeter-based approach to a clamped-down security stance that fits today’s modern hybrid cloud and on-prem environments. Adopting such a stance in healthcare, with its many layers and complexities would help rout out the blindspots that exist between those layers and ensure that only the right level of access is given to the right people exclusively. And anything that cannot be verified is denied access.
Here’s a practical example of how adopting Zero Trust strategy can help restore order and security to healthcare; As we mentioned above, the typical health care facility—hospitals, outpatient clinics, rehab centers, and doctor offices—have lots of IoT devices in use. Problematically, these devices are often not even taken into account when it comes to considering the elements trying to access resources and applications. Implementing a Zero Trust strategy forces security and IT teams to address and account for every IoT device running on their network.
Want another example of how a Zero Trust strategy can fix healthcare’s security problems? According to a recent study by Accenture, 18% of healthcare workers polled said they would be willing to sell PII to unauthorized parties if the price were right. Moreover, “accidental insiders”, i.e., well-meaning employees who fall prey to outside attacks, can expose data without meaning to. Such scenarios are made all but impossible in a Zero Trust environment as workers cannot access data that’s outside the exact scope of their needs.
Putting it all Together
So Zero Trust is the answer to re-establishing security in healthcare. But in order to create that strategy, you need the right set of solutions to implement it. A Software Defined Perimeter solution (SDP) is one of the primary ways to start your journey towards Zero Trust. Following the tenets of Zero Trust, using SDP to provision access to resources and applications means that no one is granted access until they have been authorized. It also tracks user behavior to rout out insider threats before they can do damage. And with cloud-based and on prem deployment options, even the most risk-averse organizations can make use of SDP.
The “trust but verify” security model is dead. More than that, it survived long enough to do untold amounts of damage which we’re still reeling from today. Zero Trust is the way forward—in security at large and in health care in particular.