[BreachExchange] The Top 5 Cyber Threats to the Healthcare Industry

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 23 16:04:23 EST 2019


https://www.selfgrowth.com/articles/the-top-5-cyber-threats-to-the-healthcare-industry

The financial impact of cyber attacks can be devastating, especially to
small organizations. The HHS points out that the healthcare industry has
the highest data breach cost of any industry, at an average of $408 per
record and $2.2 million per organization. In 2016, the healthcare industry
as a whole lost $6.2 billion to data breaches.

Noting that healthcare cyber security is “the responsibility of every
health care professional, from data entry specialists to physicians to
board members,” the U.S. Department of Health and Human Services (HHS) has
published Health Industry Cybersecurity Practices: Managing Threats and
Protecting Patients (HICP). The four-volume publication, which was mandated
by the Cybersecurity Act of 2015, is aimed at hospital executives and cyber
security professionals in healthcare organizations of all sizes and
leverages the NIST Cybersecurity Framework. It outlines what the agency
considers to be the most common healthcare cyber threats and recommends
best practices to mitigate them.

Email phishing

The overwhelming majority of successful cyber attacks begin with a phishing
scheme. Business email compromise (BEC), a highly targeted spear phishing
technique, is responsible for over $12 billion in losses globally. Although
many people still equate phishing with emails, this healthcare cyber threat
has evolved, with hackers employing text messages, phone calls, and even
social media “quizzes” to trick unwitting victims.

Ransomware

While cryptojacking is now the most common type of malware, ransomware is
still a significant healthcare cyber threat, primarily because of the
time-sensitivity of the information processed and stored in healthcare data
environments. One-quarter of SamSam ransomware victims are in the
healthcare sector. Authorities believe the SamSam hackers have earned over
$6 million from their malware.

Loss or theft of hardware

Mobile devices, such as laptops, tablets, and smartphones, have opened up
the world of remote work. In the healthcare industry, mobility makes
electronic health records feasible; healthcare providers can access patient
data from anywhere. However, these devices also present a major healthcare
cyber threat, as they are easily lost or stolen. Even if a device is
ultimately recovered, PHI and other sensitive information may have been
compromised.

Insider, accidental, or intentional data loss

Insider threats exist in every organization, and there are two types:
accidental and intentional. Intentional insider threats, which involve
purposefully malicious behavior, represent the minority of cases. However,
even an accidental insider healthcare cyber threat — an employee being
tricked into clicking on a phishing link or sharing their password “just
this one time” — can result in a ransomware attack, a data breach, or other
cyber attack.

Attacks against smart medical devices

Smart devices are proliferating like rabbits, but a lack of common security
standards means many devices suffer from serious security vulnerabilities.
The proliferation of medical IoT devices has given hackers a much broader
attack surface on which to target healthcare organizations. Recognizing the
severity of this healthcare cyber threat, NIST has released a guide for
securing medical IoT devices, SP 1800-8. While SP 1800-8 specifically
addresses infusion pumps, the guidelines can be applied to the entire
medical IoT ecosystem.

