The growing need for medical cybersecurity: what you need to know
Healthcare is one of the industries most susceptible to hacker attacks. How can you secure your medical solution?
What you need to know about medical cybersecurity in 2023
Guess what industry was hit particularly hard by cyberattacks in 2022? Healthcare [1]… And no wonder: medical systems are a treasure trove of confidential information, making them very tempting for cybercriminals. Besides patients' medical information, hackers can obtain credit cards, bank accounts and social security numbers. But the problem is far more than just the attractiveness of the data itself to hackers. The point is that many systems, forced to go completely digital in order to remain competitive, were technically unprepared for such an environment and became victims of cyberattacks.
What do you need to keep yourself safe from a med-related cyberattack? Our insights will help you to improve your cybersecurity!
Medical cybersecurity is at serious risk
Although the incidence of cyberattacks has been rising over the last couple of years, there was an evident rise after the COVID-19 pandemic. The shift from face-to-face to virtual care and from office-based to remote work had to happen at high speed, which required technical teams to deploy immediately, bypassing the stage of ensuring adequate cyber protection. Many companies did not have time to discover new technologies and make the right choice. Meanwhile, legacy systems simply didn't hold up under the new conditions of "existence".
The risks are so serious that the FBI has issued a warning about the consequences of using unpatched and outdated technologies in healthcare [2].
What do the numbers indicate?
For the first time since 2015, the number of recorded data breaches involving 500 or more records fell in 2022: from 715 cases to 707 [3].
However, even with this decline, 2022 was still the 2nd worst year for the number of reported breaches [4]. Together, the 11 largest leaks of 2022 affected more than 21.5 million people.
Among them:
- Shields Health Care Group of Massachusetts experienced a data breach affecting up to 2 million patients [5]. Type of attack: Hacking incident and data breach.
- OneTouchPoint suffered a data breach affecting more than 4.1 million people [6]. Type of attack: Ransomware.
- Advocate Aurora Health suffered a leak of information about 3 million patients [7]. Type of attack: Pixel-related impermissible disclosure via websites.
- CommonSpirit Health suffered an attack that interrupted access to electronic health records and compromised patient care in several regions [8]. Type of attack: Ransomware.
And this is only a fraction of all the registered cases.
Ransomware is considered one of the most common attacks. According to the U.S. Department of Health and Human Services, 82% of health systems reported cybersecurity incidents between mid-2020 and 2021; 34% were ransomware-related [9]. In 2021, for example, the health sector had the highest number of reported ransomware attacks: 148 out of 649 [10].
Meanwhile, 25% of ransomware attacks in 2022 also targeted the healthcare sector [11], resulting in global data theft, inaccessibility of critical data during decision-making, and a negative impact on patient care.
As a result, companies have been forced to take action. According to a Gartner survey [12], 88% of respondents consider cybersecurity a business risk and 66% intend to increase spending on cybersecurity to strengthen their protection in the coming years. Healthcare providers' spending on cybersecurity is expected to grow at a compound annual growth rate (CAGR) of 8.1% between 2020 and 2025, from $4.59 billion to $6.77 billion [13].
How to secure your medical solution from a cyberattack
- Continuous software monitoring and updating
Your legacy solution may still work fine solo, but today it is all about flexibility and the ability to integrate with other solutions. Unpatched vulnerabilities in legacy systems, as well as ignoring vulnerabilities emerging out of further integration, remain the most common attack vectors used by ransomware hackers [14].
It might be worth considering a patch and workflow management system. Automation can help IT staff keep better track of all technical processes and update the system after the slightest change, at the same time minimizing the risk of human error.
- Plan a backup scenario
Although a robust system might be less susceptible to an attack, the risk remains. There are as many systems as there are methods of disabling them. You and your team should be prepared to consider “plan B” at some point to keep the application from failing. Making backups and having a solid plan to recover from a system hack is a “must-have” if your medical development company wants to get back on track as quickly as possible.
Therefore, pharma businesses should accept that the threat of hacking and the theft of confidential medical data is greater than in other industries. Studying the technology you are going to implement, following security guides, paying attention to the system and its performance, and testing can help reduce the risk of hacking and/or prevent it in time. Besides, a solution that is secure from all angles will have a positive impact on every aspect of your medical business, for example:
- Keep the customer's trust and ensure quality service delivery.
- Reduce technical debt and make a bug-free system.
- Improve system performance and reduce costs.
- Make the system more stable and ready for any kind of risk.
Final thoughts: Don't underestimate the importance of a trusted partner
After all, all ends lead to the people who are at the origin of both the implemented system and the pharma solution. With a reliable team, you can go through thick and thin.
In the pharma business, you need a business partner who complies with pharmaceutical regulations and ensures med-related safety at the highest level. Brandmed can become that partner for you. Given our medical and technical expertise, we can help you roll out a reliable and powerful solution that meets all the necessary legal regulations required for a digital health market. Just drop us a line.
References:
[1] Forbes, 2022 In Review: An Eventful Cybersecurity Year, https://www.forbes.com/sites/emilsayegh/2022/12/13/2022-in-review-an-eventful-cybersecurity-year/?sh=1a9d462b352f, [last accessed: 10.03.2023].
[2] IC3, Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities, https://www.ic3.gov/Media/News/2022/220912.pdf, [last accessed: 10.03.2023].
[3] The HIPAA Journal, 2022 Healthcare Data Breach Report, https://www.hipaajournal.com/2022-healthcare-data-breach-report/, [last accessed: 10.03.2023].
[4] Chief Healthcare Executive, The 11 biggest health data breaches in 2022, https://www.chiefhealthcareexecutive.com/view/the-11-biggest-health-data-breaches-in-2022, [last accessed: 10.03.2023].
[5] Shields Health, Notice of Data Security Incident, https://shields.com/notice-of-data-security-incident/, [last accessed: 10.03.2023].
[6] Ibidem.
[7] Fierce Healthcare, Advocate Aurora says 3M patients' health data possibly exposed through tracking technologies, https://www.fiercehealthcare.com/health-tech/advocate-aurora-health-data-breach-revealed-pixels-protected-health-information-3, [last accessed: 10.03.2023].
[8] Healthcare Dive, CommonSpirit Health confirms it was hit by ransomware attack, https://www.healthcaredive.com/news/commonspirit-health-ransomware-cyberattack/634011/, [last accessed: 10.03.2023].
[9] HHS.gov, 2021 Year in Review, https://405d.hhs.gov/Documents/405d-spotlight-webinar-december2021.pdf, [last accessed: 10.03.2023].
[10] Becker's Healthcare, Cyberattacks in 2022 and what hospitals, health systems can learn going into 2023, https://www.beckershospitalreview.com/cybersecurity/cyberattacks-in-2022-and-what-hospitals-health-systems-can-learn-going-into-2023.html, [last accessed: 10.03.2023].
[11] Ibidem.
[12] Gartner, Gartner Survey Finds 88% of Boards of Directors View Cybersecurity as a Business Risk, https://www.gartner.com/en/newsroom/press-releases/2021-11-18-gartner-survey-finds-88-percent-of-boards-of-directors-view-cybersecurity-as-a-business-risk, [last accessed: 10.03.2023].
[13] Medical Device Network, Healthcare companies must prioritize cybersecurity, https://www.medicaldevice-network.com/comment/healthcare-prioritise-cybersecurity/, [last accessed: 10.03.2023].
[14] Ivanti, Ransomware 2021 Year End Report, https://www.ivanti.com/company/press-releases/2022/ransomware-2021-year-end-report-reveals-hackers-are-increasingly-targeting-zero-day-vulnerabilities-and-supply-chain-networks-for-maximum-impact, [last accessed: 10.03.2023].