5 biggest healthcare security threats

Cyberattacks targeting the healthcare sector have surged because of the COVID-19 pandemic and the resulting rush to enable remote delivery of healthcare services. Security vendors and researchers tracking the industry have reported a major increase in phishing attacks, ransomware, web application attacks, and other threats targeting healthcare providers.

The trend has put enormous strain on healthcare security organizations that already had their hands full dealing with the usual volume of threats before the pandemic. “The healthcare industry is under siege from a range of complex security risks,” says Terry Ray, senior vice president and fellow at Imperva. Cybercriminals are hunting for the sensitive and valuable data that healthcare has access to, both patient data and corporate data, he says. Many organizations are struggling to meet the challenge because they are under-resourced and rely on vulnerable systems, third-party applications, and APIs to deliver services.

Ray and other security experts identified multiple issues that present major threats to healthcare organizations. Here are five of them:

1. The rising ransomware threat

Ransomware has emerged one of the biggest cyber threats for the healthcare sector since at least the beginning of the global COVID-19 pandemic. Attackers have discovered that healthcare organizations delivering vital, life-saving treatments can be more easily extorted than ransomware victims in almost every other sector. Many healthcare organizations are also more susceptible to attacks because of new digital applications and services they have had to launch to address demand for telehealth services, contact tracing, and in some cases to support research activity around COVID-19 vaccines and treatment. Concerns over the trend prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare warning to the healthcare industry last October.

Security vendor Tenable recently analyzed data associated with 293 publicly disclosed healthcare data breaches between January 2020 and February 2021. Ransomware was identified as the primary cause for nearly 55% of the breaches for which a root cause was disclosed. There have already been some 56 publicly disclosed breaches this year, as of March 1. Recent victims include Allergy Partners of North Carolina, which was hit with a $1.75 million ransom demand; Rehoboth McKinley Christian Health Care of New Mexico; and Ireland’s public health system, which had to cancel or reschedule thousands of appointments and surgeries after attackers locked some 2,000 patient-facing systems.

The single biggest risk today in healthcare is having electronic health records (EHRs) and systems, says Caleb Barlow, president and CEO of CynergisTek. “Past attacks have shown when a hospital undergoes a ransomware-induced lockdown period, access to EHRs is shut down, and patients may have to be diverted for care,” he says.  Such attacks can prevent access to critical prescription information and dosing for patients with complex, chronic conditions like diabetes or cancer. Worse, hackers can potentially take it a step further and manipulate health record data to undermine patient care, he says.

Historically, healthcare institutions transferred this risk to cyber insurance, but that is becoming more difficult because insurers are making it harder for organizations to purchase ransomware protection without specific controls like multi-factor authentication and endpoint detection and response technologies, Barlow says.

2. Cloud vulnerabilities and misconfigurations

A survey of 790 IT professionals in the healthcare sector that CyberRisk Alliance Business Intelligence conducted for Infoblox showed that security professionals are most concerned about data compromises stemming from cloud vulnerabilities and misconfigurations. In recent years, many healthcare organizations have adopted cloud services as part of broader digital transformation initiatives. The COVID-19 pandemic and the associated increase in demand for remote telehealth services has accelerated that move. Patient health information (PHI) and other sensitive data is increasingly being hosted in multi-vendor cloud environments.

The trend has broadened the attack surface at healthcare organizations and made them more vulnerable to attacks targeted at stealing protected health information, insurance information and other sensitive data, says Anthony James, vice president of products at Infoblox. Healthcare organizations often use multiple cloud vendors and services with different security standards and practices making it hard for them to apply a consistent policy for protecting data across the cloud environment, he says.

Fifty-three percent of the respondents in Infoblox’ survey said their organizations had experienced a cloud-related data breach over the past 12 months. One recent example is PeakTPA, a provider of health plan management services. In March it disclosed that protected health information belonging to some 50,000 individuals belonging to a Medicare and Medicaid program had been accessed and exfiltrated from two of its cloud servers. In another instance last August, sensitive data belonging to over 3.1 million patients was found lying exposed in an unprotected cloud database believed to belong to a vendor of patient management software.

More than one-third (34%) of victims in the Infoblox survey described their breaches as costing them $2 million or more. Forty-seven percent said they had experienced a malware attack targeting a cloud hosted asset and 37% said they had experienced an insider attack involving PHI and other data stored in the cloud.

A survey-based cloud data security report that Netwrix released in February 2021 highlighted a similar trend. According to Netwrix, 61% of healthcare organizations store customer data in the cloud and more than half (54%) store PHI there.  Forty-four percent of organizations in the survey reported experiencing a phishing attack and 39% said they had encountered a ransomware attack in the cloud. More than six-in-10 (61%) of the respondents in the survey pointed to a lack of budget as contributing to their cloud security woes. Other factors included a lack of IT and security staff and employee negligence.

3. Web application attacks 

Web application attacks targeting healthcare entities have spiked sharply recently, once again because of COVID-19 related activity. Researchers from security vendor Imperva observed a 51% increase in web application attacks on hospitals and other healthcare targets in December 2020 around the time the first vials of COVID-19 vaccines began to be distributed worldwide.

The attacks continued a trend that Imperva says it observed through 2020. The company says it counted an astonishing 187 million attacks per month targeting healthcare organizations in 2020. On average, healthcare entities experienced 498 attacks per month last year, marking a 10% increase over 2019. Cross-site scripting attacks were the most common, followed by SQL injection, protocol manipulation attacks, and remote code execution/remote file inclusion attacks.

Ray from Imperva sees signs that these attacks caused significantly more breaches than have been publicly disclosed. For instance, Imperva researchers have noticed a dramatic increase in incidents involving healthcare data being transmitted from an organization’s internal network to external destinations—a sure sign of a breach.

“Technically speaking, web application attacks can be incredibly challenging for under-resourced healthcare organizations to manage,” Ray says. To address the issue, healthcare organizations must implement controls that enable better visibility into third-party applications and API connections, he says. Only then will the security team be able to understand who is trying to access critical data and whether that activity should be permitted.

4. Bad-bot traffic

Traffic from bad bots—such as those that attempt to scrape data from websites, send spam or download unwanted software—present another major challenge for the healthcare industry. The problem has become especially pressing in recent months with governments around the world setting up new websites and other digital infrastructure to support COVID-19 vaccine registrations and appointments. Bad actors have bombarded these new, hastily established and largely untested sites with a huge volume of bad-bot traffic.

Such traffic is believed to have at least contributed to vaccine registration websites in states like Massachusetts and Minnesota crashing soon after they went live earlier this year, resulting in widespread frustration among those seeking appointments for COVID-19 vaccines.

Imperva says it has observed a 372% increase in bad-bot traffic on healthcare websites just since September 2020. In February this year, the security vendor observed a nearly 49% month-over-month increase in bot traffic—the largest such jump in over a year.

Bot traffic presents a unique challenge for the healthcare industry, says Ray. “Increased levels of traffic result in downtime and disruption for legitimate human users who are trying to access critical services on their healthcare providers’ site,” he says. “It might also result in increased infrastructure costs for the organization as it tries to sustain uptime from the persistent, burdensome level of elevated traffic.”

From a security perspective, bots can be responsible for content scraping, account creation, account takeover, and other forms of fraud, Ray says. There have been numerous incidents where cybercriminals have used bots to infiltrate accounts through credential stuffing and password cracking. They have used the credentials to gain access to prescription orders and subsequently attempt to fill them offline and sell them illegally.

5. Increased phishing volumes

Phishing attacks pose a major threat to the healthcare industry as it does to organizations in almost every sector. Once again, a lot of the phishing activity targeting the healthcare sector over the past year has been related to the COVID-19 pandemic. An analysis that researchers at Palo Alto Network’s Unit42 team conducted recently showed a 189% increase in phishing attacks relating to or targeting pharmacies and hospitals just between December 2020 and February 2021. Vaccine-related phishing attacks soared 530% over the same period.

The security vendor’s analysis showed that attackers have kept consistently shifting phishing themes throughout the past year depending on key events. According to the vendor, in the early stages of the pandemic many phishing lures involved testing and personal protective equipment (PPE). It then shifted to stimulus and government relief programs and then to the vaccine rollout.

In a survey of 168 healthcare cybersecurity professionals that the Healthcare Information and Management Systems Society (HIMSS) conducted last year, 57% of respondents said their organizations had experienced a phishing attack, and 20% said they had experienced social engineering attacks other than phishing. HIMSS found that phishing was the typical initial point of compromise for most security incidents.

“Phishing attacks are the top type of significant security incident reported by respondents,” HIMSS noted in its report. “Phishers were the top type of threat actor responsible for significant security incidents at healthcare organizations.”