Healthcare Cybersecurity Challenges

By June Ramli

In an exclusive interview with DailyStraits.com, Aaron Bugal, Field CTO for the Asia-Pacific and Japan region at Sophos, discusses the increasing cybersecurity challenges facing healthcare organisations.
With the rapid digitisation of the healthcare industry and a growing shortage of security talent, these organisations are becoming prime targets for cybercriminals.
Bugal provides insights into why the sector is particularly vulnerable, the types of sensitive data at risk, and the potential consequences of cyberattacks.
He also offers recommendations for strengthening cybersecurity frameworks and strategies for adapting to the evolving threat landscape.

Why are healthcare organisations more vulnerable to cyberattacks, and what types of sensitive data are most at risk?

Several reasons: organisations’ digitisation in the healthcare industry has caused expanding attack surfaces and an ecosystem of interconnected medical devices distributed across physical locations. We have also seen a growing security talent shortage in the industry.
However, healthcare organisations are a particularly tasty target for hackers due to the sheer volume and value of the data these organisations hold.
The sensitive data held by healthcare companies is in high demand on the black market, and many organisations, particularly hospitals, opt to pay ransoms given the importance, or life-and-death nature, of the data. This makes them prime targets for criminals, who will generally sell patient information on the black market or hold it hostage for a ransom.
Contact information, dates of birth, digital signatures, driver’s licence numbers, financial information, health data, insurance information, medical identification numbers. These place patients at greater risk of identity theft or fraud.

How have recent high-profile cyber attacks on healthcare organizations, like those on UnitedHealth and Ascension Healthcare, highlighted the sector’s vulnerabilities?

It has highlighted just how many people these attacks can impact, how much systems rely on technology, and the difficulty and length of recovery. Thousands of medical personnel have turned to manual methods after a cyberattack on Ascension.
Doctors and nurses have resorted to paper and handwritten treatment orders to chart patient illnesses and track them because they can’t access the detailed medical history of patients.
Patients have waited for long stints in emergency rooms, and their treatments and prescriptions have been delayed due to makeshift lab results and readings from machines lacking the speed of electronic uploads.

According to the OAIC report, healthcare was the most breached industry in the second half of 2023. What factors contribute to this high incidence rate?

Healthcare companies hold a huge amount of sensitive and personal information relative to other industries, and in the event of a successful ransomware encryption event, there is more at stake than the average attack.
The at-stake data on an individual’s private medical history is a refined source of information that any attacker can use to conduct further social engineering attacks. A scammer takes a great deal of time to build ‘trust’ with their victim; having medical history at the ready to use to convince their would-be victim makes for an easy shortcut to a pay day.

The State of Ransomware Report indicated an increase in ransomware attacks in the healthcare sector from 60 per cent to 67 per cent in 2023. To what do you attribute this increase?

The report showed that hackers are getting more tactical with who they choose to target, hoping to target organisations they believe will pay a lot of money or have valuable information. The fact that there was an overall decrease in attacks but healthcare attacks have gone up shows that the industry is one of the prime targets for criminals due to key vulnerabilities.
Typical vulnerabilities in unpatched devices, operating systems and software have allowed attackers an easy access path. However, mass amounts of data that need to be readily shareable internally to help facilitate quick triage, diagnosis and treatment of ailments are a double-edged sword. These pools of sensitive information are ripe for exfiltration, and cyber criminals know this and are actively seeking them out to exploit.

What are the potential consequences of a successful ransomware attack on a healthcare facility?

Apart from the obvious financial losses, ransomware can potentially cut off access to important tools like electronic health records, and, as we saw with the attack on UnitedHealth, it can impact key tasks like billing, eligibility checks, and prescription fulfilment.
The impacts of this could be severe: hospitals might need to suspend patient care operations and divert patients to other facilities.
Although the short-term effects will be devastating, the longer-term effects will persist indefinitely. Medical record information once leaked onto the internet is no longer under the protected control of the healthcare provider. The ramifications of your ailments being ‘public record’ can expose you to additional cyber-attacks, especially social engineering and subsequent fraud.

What do hackers typically do with stolen healthcare data?

Generally, hackers want to use the stolen data as a ransom, commit identity theft, sell it on the dark web or impersonate the victim to receive medical services. Even if the organisation pays the ransom, there is no guarantee that the data will not be leaked, or that they will get the data back at all.

What specific steps can healthcare organisations take to strengthen their cybersecurity frameworks?

The very least is to start the process of understanding how patient information is recorded and stored, and then question the business on how much of the data is relevant and needs to be kept once a patient has been treated and released. Information should have a finite shelf life; it should not be permanent. Many organisations today have defaulted to asking for and collecting information that, in some cases, is extraneous to what is needed. By creating a data lifecycle policy, we can ensure that data is stored correctly, and only data points needed are stored.
Much of this is covered in numerous information security frameworks and is regularly audited. As such, if this is something that hasn’t come up for discussion recently, it is time to table it as a discussion within your management, executive and even board meetings.

Can you discuss any technological advancements or tools that healthcare organisations should consider implementing to safeguard against cyber threats?

Technology alone won’t improve any situation when being considered as one thing to change or do. It requires an advancement in processes, especially around breach preparedness. Only once an organisation fully understands the impact that data loss, especially healthcare information, has on a business and its customers can it truly address any fundamental deficiencies in its technological controls. Healthcare providers are often turning to managed risk and detection and response providers to first understand where their weaknesses are, and then implementing changes to data collections and data control tools to help manage and record the flow of data into and out of the business.

In light of the urgency to improve cybersecurity, what immediate actions should healthcare organizations prioritise?

It’s OK to ask for help and to employ experts who understand the risks and threats that most healthcare providers face daily. To expand on a previous point, if there’s uncertainty in your ability to identify where risk hasn’t been correctly identified or managed correctly, then look to the experts that have specialisation in managing cyber risk. However, this needs to be continuous and ingrained as part of your overall tactical and operational models.

Looking towards the future, what long-term strategies should healthcare organisations adopt to ensure their cybersecurity measures evolve with the changing cyber threat landscape?

Keeping pace with changes in cybersecurity is a never-ending journey. A sound strategy is to be adaptable and accept that risk is fluid. As the business grows and adapts to new sources of revenue streams, careful consideration should be made around what technological changes will be realised and in turn, the threat and risk of operating them in the current environment. Any growth should automatically trigger a review and adjustment to defensive capabilities, or at least test how an incident would play out and incorporate the new systems. Changes would naturally need to be made.
