Advances in healthcare technology bring new risks

Rapid adoption of digital tools has created new vulnerabilities for cybercriminals to exploit

Key Takeaways

  • Massive and rapid digital adoption in healthcare increased operational efficiency but opened new avenues for cybercriminals.
  • Tightening of HIPAA regulations and increasing demand from patients for their data will create new burdens on cybercrime defense.
  • Healthcare treasury teams are on the cybersecurity front line and the first line of defense.

It’s not news that cybercrime remains a serious and pervasive problem for the healthcare industry. But in 2024, healthcare providers face regulatory and post-pandemic shifts that present new security challenges on top of the ongoing effort to protect data and organizations from potential breaches.

The statistics remain disturbing: the number of ransomware incidents in the U.S. rose 18% in 2023, and the healthcare industry topped the list with a total of 249 incidents.1

Cybercriminals use phishing attempts to target healthcare providers of every size, not only large multistate companies or small regional hospitals. The phishing attempts often have one thing in common: an estimated 68% of all data breaches involve a human element, such as someone inadvertently clicking on a link or attachment or responding to a fraudulent email.2

In addition to the email compromise that has long been central to many cybercrimes, new challenges emerged during and after the COVID-19 pandemic. Everything shifted, and not because of operational or business decisions: everyone had to adopt digital tools, and fast. Massive digital adoption, while operationally effective, created new risks.

Today, a typical healthcare provider’s facility includes not only a central physical space, but also multiple satellite locations networked together. Each facility is likely to have healthcare instruments and tools individually connected to the internet. The provider has back-office functions that need to be connected to the digital world as well. Lastly, there’s public Wi-Fi. Healthcare, as an industry, moved away from having everything, including data, within four walls. Suddenly, there are a myriad of avenues that cybercriminals can take advantage of. And it only takes one click for ransomware to be installed.

Add to that the bring-your-own-device trend, with doctors and other medical professionals using personal phones or laptops for the apps they work in, which changes the level of cyber hygiene across the organization.

Beyond meeting the security demands of an increasingly digital business, healthcare executives are bracing for changes to Health Insurance Portability and Accountability Act (HIPAA) regulations that also could require rethinking and investing more in data protection efforts.

The possible tightening of HIPAA regulations comes as patients are asking for more access to their medical records. Consumers want their medical records opened. They want portability and direct access to their information. But giving them control over that health data is going to put more of a burden on how we protect it.

Today, a healthcare organization’s treasury team is increasingly on the front line. Treasury teams are becoming more and more integrated into the cybersecurity policy framework for their organizations. That’s because they’re the front line; they’re getting the emails from the fake vendors, they’re getting the fake client emails, they’re getting all of these communications coming in. That also can mean they are the first line of defense for their organizations. But ultimately, it’s not just IT or treasury employees who need to be on guard. With the expanded footprint healthcare has, everyone is part of the front line in protecting organizations against cybercrime. Create a culture of security, so that each employee is taking responsibility for the defense of their organization.

Cybercrime basics for healthcare providers

It’s more important than ever before for the healthcare industry to be aware of and have a plan for dealing with cyber threats.

Cybercrime involves four groups of potential actors: First, the criminals trying to steal data, extort money, or steal intellectual property. Second, an organizational insider who — intentionally or by mistake — opens a door to data or computer systems. Third can be an increasing number of so-called “hacktivists” — hackers who have a cause to promote and use cyber-attacks as a megaphone to amplify that message. Fourth, there are rogue or malevolent nation-states seeking to create chaos.

Organizations also should be aware of two growing tactics these criminals use: whaling and deepfakes.

Whaling is the term used when cybercriminals specifically include or target an organization’s top executive in a scam. For instance, criminals may send out a bogus email that appears to come from the CEO, asking treasury to issue an emergency payment to them or a third party. Whaling can leave employees feeling pressured to comply with requests quickly; after all, it appears to be a request from the boss. That time pressure can mean employees don’t take time to double-check and verify the information.

A rapidly emerging, advanced technique leverages computer and AI-generated images and sounds, also known as deepfakes. These deepfakes can use publicly available images and videos to mimic key executives and decision-makers on voice messages, calls or video conferences.

Given these current and potential new threats, as well as industry changes, what can — and should — a healthcare organization be doing now to protect itself and its patients?

Realize that all those potential criminals are looking for the same thing: the weakest links in an organization. In healthcare, the easiest targets are often vendor accounts. Criminals take over a vendor’s account and ask to change the payment details, such as addresses or bank information. Or they send fake invoices or even set up fake companies.

When onboarding a new vendor, it’s important to elevate security and make the process multilayered and thorough. In addition, everyone who deals with vendor payments should be wary of invoices outside a vendor’s regular billing cycle, or of any changes to payment details, since most companies don’t change addresses or banks very often. If an employee spots something unusual about a vendor account, a pause is a way to add friction and test whether the information you’re being given is correct. Use that time to go into the enterprise resource planning (ERP) tool to verify the information, or just pick up the phone and call the number already on file to verify the changes.

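As an added illustration of the pause-and-verify step above (this is example code written for this page, not a Bank of America tool or any vendor product), the following Python check compares an incoming invoice or payment-change request against the vendor master data held in the ERP. It holds the payment for out-of-band verification when the bank account or remit-to address differs from the record, when the invoice falls outside the vendor’s normal billing cycle, when the sender’s email domain is not the one on file, or when the vendor is not on file at all. The vendor records, field names, tolerance window and sample requests are all constructed assumptions for the example; the call-back number comes from the master record captured at onboarding, never from the request itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master data as it would be held in the ERP (constructed sample fields)."""
    vendor_id: str
    bank_account: str
    remit_address: str
    email_domain: str        # domain the vendor's billing team normally writes from
    billing_cycle_days: int  # how often this vendor normally invoices
    verified_phone: str      # number captured at onboarding, used for call-backs
    last_invoice_date: date


@dataclass(frozen=True)
class InvoiceRequest:
    """An incoming invoice or payment-detail change request, as received by treasury."""
    vendor_id: str
    invoice_date: date
    bank_account: str
    remit_address: str
    sender_email: str


def review_invoice(req: InvoiceRequest, master: dict, tolerance_days: int = 7) -> dict:
    """Compare a request against ERP master data and decide whether to pause.

    Returns an action plus the reasons for it. Any reason at all means the payment
    is held until someone verifies it out of band, by calling the number on file
    (never a number supplied in the request itself).
    """
    record: Optional[VendorRecord] = master.get(req.vendor_id)
    reasons = []
    if record is None:
        # A vendor nobody onboarded is the "fake company" case.
        reasons.append("vendor not found in ERP master data")
    else:
        if req.bank_account != record.bank_account:
            reasons.append("bank account differs from ERP record")
        if req.remit_address != record.remit_address:
            reasons.append("remit-to address differs from ERP record")
        sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
        if sender_domain != record.email_domain.lower():
            reasons.append(f"sender domain {sender_domain!r} is not the vendor's registered domain")
        # Expected next invoice = last invoice + the vendor's usual cycle, give or take a tolerance.
        expected = record.last_invoice_date + timedelta(days=record.billing_cycle_days)
        if abs((req.invoice_date - expected).days) > tolerance_days:
            reasons.append(f"invoice dated outside the normal billing cycle (expected near {expected.isoformat()})")
    if reasons:
        return {
            "action": "HOLD_FOR_OUT_OF_BAND_VERIFICATION",
            "reasons": reasons,
            "verify_via": record.verified_phone if record else None,
        }
    return {"action": "PROCEED", "reasons": [], "verify_via": None}


# Constructed sample data: one vendor on file, one routine invoice, one altered request,
# and one request from a vendor that was never onboarded.
MASTER = {
    "V-1001": VendorRecord("V-1001", "ACCT-SAMPLE-1234", "1 Example Way, Springfield",
                           "example-supplies.test", 30, "+1-555-0100", date(2024, 3, 1)),
}
REQ_ROUTINE = InvoiceRequest("V-1001", date(2024, 3, 31), "ACCT-SAMPLE-1234",
                             "1 Example Way, Springfield", "ap@example-supplies.test")
REQ_SUSPICIOUS = InvoiceRequest("V-1001", date(2024, 3, 12), "ACCT-SAMPLE-9999",
                                "1 Example Way, Springfield", "ap@example-supplies-billing.test")
REQ_UNKNOWN = InvoiceRequest("V-9999", date(2024, 3, 12), "ACCT-SAMPLE-0000",
                             "99 Nowhere St", "billing@newco.test")

if __name__ == "__main__":
    for req in (REQ_ROUTINE, REQ_SUSPICIOUS, REQ_UNKNOWN):
        result = review_invoice(req, MASTER)
        print(req.vendor_id, result["action"], *result["reasons"], sep="\n  ")
```

The point of returning reasons rather than a bare yes/no is that the person doing the call-back knows exactly which field to confirm with the vendor, and the hold itself is the friction the article recommends: nothing changes in the ERP until that conversation has happened.
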
Unfortunately, companies don’t always take the time to create a process to handle this type of suspicious or irregular information. When the processes aren’t defined, the team doesn’t understand when and how they should validate and verify information. And it’s at the moments of most stress, late Friday afternoon or the hours before a holiday, when everyone’s moving fast and trying to get out of the office, that cybercriminals often try to take advantage of people.

Cybercrime can have many impacts on an organization. Most frightening, of course, are events that jeopardize patient care. However, there are also operational risks that affect patients, staff and the organization as a whole. Patients come first. It’s also important to keep the lights on by being able to pay the bills, so that patients stay secure and employees stay in their jobs and safe. You need to ask: If you are hit by ransomware on Wednesday, can you make your payroll on Friday? What is your digital resiliency?

The most successful healthcare organizations — which have been the most defensive — have structured their organizations so the idea of protection and security and privacy has permeated through the entire chain, starting from the executives all the way down to the janitorial staff, to the nurses, to the doctors, to everyone. These organizations make sure employees understand that anyone in that cycle can raise their hand and say, “Hold on — something isn’t working.”

That may require a cultural shift, to reinforce the notion that everyone is not only doing their jobs but also protecting patients and the organization.

Reinforcing an organization’s IT and security teams is important as well. Having so many companies across all industries working to protect their data and systems has increased the demand for talent. Numbers show the healthcare industry has been unable to fill all its security positions as it competes with other industries for cybersecurity veterans.

Remember: The simplest path to a breach, stealing a username and password, is still the biggest one, and no single security control is a perfect solution. You need to build layers of defense. That means not only the IT team but educating every staff member so that they know what to watch for. And it includes the back-office team putting processes in place that reduce risk at the points where criminals are trying to get in the door.

The healthcare industry as a whole needs to address cybercrime and data protection holistically and support that effort with the right infrastructure.

Contact your Bank of America Healthcare representative to discuss these topics or ways we can help.