Mary Knotts works at the intersection of healthcare and security as a Certified Information Systems Security Professional (CISSP) and PEAKE’s Chief Operating Officer.
In a recent interview with Knotts, we explored the greatest threats to the healthcare landscape, countermeasures to protect patient data, and the future of cybersecurity in healthcare.
Table of Contents:
What are the biggest cybersecurity problems in healthcare?
How can we improve cybersecurity in healthcare?
What does the future hold for healthcare cybersecurity?
Healthcare entities are prime targets for cybercriminals due to the extensive and valuable information they hold.
A successful healthcare cyberattack can expose:
- Protected health information (PHI)
- Credit card and bank account information
- Proprietary medical research
- Personally identifying information (PII) (such as SSNs)
The threat actors behind these attacks trade in stolen personal information, and a ready market exists for it. According to the AHA Center for Health Information, “stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web.”
Healthcare cyberattacks can cause victims lasting damage, and responding to them costs nearly triple what it does in other industries. On average, organizations spend $408 for every compromised healthcare record, compared with $148 per record in other industries.
The broader discourse on cybersecurity often centers on the strategic and technological defense against attacks. But as Knotts explains, we must also focus our conversations on the users who can prevent these breaches.
What are the biggest cybersecurity problems in healthcare?
Knotts was quick to answer, “Targeted social engineering attacks.”
Surprisingly, the greatest cybersecurity threats to healthcare right now aren’t always fueled by powerful new technology. They’re fueled by human error and manipulation tactics.
These tactics exploit organizational hierarchies, singling out key individuals for phishing attacks that harvest their credentials. One notable incident Knotts witnessed involved an executive whose compromised email account was used to push through a fraudulent financial transaction that nearly cost the organization $350k.
These cybersecurity attacks are sophisticated. They pose direct financial threats and can quickly compromise patient data.
Given the role of human error in healthcare cybersecurity risks, there’s a critical need for vigilant and compassionate protection of patient information.
Organizations must understand healthcare excellence goes beyond clinical care. It encompasses safeguarding the personal and financial well-being of those they serve.
How can we improve cybersecurity in healthcare?
There has been a worrying rise in cyber threats, particularly those involving sensitive patient data. The stakes are high.
Data breaches can lead to financial penalties for violating the Health Insurance Portability and Accountability Act (HIPAA). They also profoundly impact patient trust and the operational integrity of healthcare institutions.
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), plays a critical role in tracking and responding to these cyber threats.
Their data reveals a 93% increase in large breaches reported from 2018 to 2022. Even more alarming, they identified a 278% surge in significant breaches involving ransomware over the same period. Protecting healthcare data is becoming increasingly challenging.
Your foundation for defense starts with end users.
Make 2FA (two-factor authentication) a priority.
2FA, the most common form of multi-factor authentication (MFA), is an easy step toward improving your security. It is widely available and, as Knotts puts it, “an easy win.”
2FA requires a second proof of identity, beyond the password, before granting access to email or other sensitive systems that threat actors target to reach data. Someone attempting a healthcare cyberattack has a harder job: a phished password alone is no longer enough to log in.
While some find 2FA an inconvenience, it is necessary in our digital age. In the earlier case, the executive’s email account did not have 2FA enabled.
And the phishing email that caused the breach? It read, “Your 2FA is about to expire.”
The executive believed the message came from their IT department and entered their account credentials at the link provided, even though they had no 2FA that could expire.
Had 2FA been enabled, the stolen password alone would not have let the attacker in. One caveat a practitioner should keep in mind: one-time codes can themselves be relayed by a phishing page in real time, so phishing-resistant factors such as FIDO2 security keys offer stronger protection than SMS or app-generated codes.
Conduct cybersecurity awareness training.
It’s impossible to overstate the importance of user awareness training for cybersecurity in healthcare. Knotts explains, “Users are the first and last lines of defense.” They must think critically.
Organizations and vendors need to have policies and communication in place to mitigate targeted social engineering attacks.
While PEAKE’s SRA (security risk assessment) services include training, Knotts recommends healthcare organizations implement their own user awareness training, too.
She recommends organizations make cybersecurity awareness a fundamental part of their culture, meaning this training can’t be a once-a-year endeavor.
And training is only the first step.
PEAKE had already conducted phishing training with the executive whose email was breached. The executive did not ignore that training; they still failed the test that followed it.
User awareness testing is both an educational tool and a way to spot weak points. When a test reveals one, address it with follow-up training or controls rather than just recording the result.
Tips for Identifying Phishing Emails
These tips provide a great starting point for defending healthcare organizations against social engineering phishing attacks:
- Spotting Urgency and Emotional Manipulation
Most phishing attacks create a sense of urgency to prompt a quick, less thoughtful response from their targets. They may claim that your account has been compromised, you owe a payment, or a deadline is approaching.
These tactics play on emotions to make you act before verifying the legitimacy of the email. To protect yourself:
- Take a moment to assess the situation calmly. Genuine organizations rarely demand immediate action through email.
- Look for generic greetings (like "Dear Customer") instead of your name and other impersonal cues.
- Verify the authenticity of the email by contacting the company directly through official channels, not by responding to the email or clicking on any links within it.
- Analyzing the Sender's Email Address and Domain
Phishing emails often mimic legitimate email addresses but with slight variations that can be easily overlooked at a glance. Pay close attention to the sender's email address and the domain name:
- Check for subtle misspellings or character substitutions in the sender's email address (e.g., "amaz0n.com" instead of "amazon.com").
- Be wary of domains that mimic official ones but are slightly off: a swapped top-level domain (“.net” instead of “.com”), or the trusted name placed as a subdomain in front of an unrelated domain the attacker controls.
- If you're unsure, examine the email domain's reputation using online tools. A simple search can reveal whether it's known for phishing or other malicious activities.
- Scrutinizing Links and Attachments Before Engaging
Phishers frequently use links and attachments to steal information or deliver malware. Before clicking on anything in an email, take these precautions:
- Hover over any links (without clicking) to preview the URL. Look for mismatches between the text and the actual URL or URLs that look suspiciously complicated and unrelated to the supposed sender.
- Be skeptical of emails requesting you to download attachments, especially if they're unexpected or from unknown senders. Attachments can contain malware that can compromise your device.
- Use security software to scan attachments for malware before opening them, and keep your system and applications updated to protect against known vulnerabilities.
Instruct your users to always err on the side of caution and follow these tips to significantly reduce the risk of falling victim to phishing attempts.
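The checks above can be partly automated for triage. The Python below is an added example, not part of the original article or of PEAKE’s tooling: it parses a constructed message modeled on the “Your 2FA is about to expire” lure and flags a lookalike sender domain, a link whose visible text does not match its destination, urgency wording and a risky attachment. The trusted-domain list, the confusable-character map, the urgency patterns and the sample message are all assumptions made for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation treats as legitimate senders (constructed for the demo).
TRUSTED_DOMAINS = {"hospital.example", "amazon.com"}
# Digit-for-letter substitutions seen in lookalike domains (demo map, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
URGENCY_PATTERNS = [r"\bexpir(e|es|ing|ed)\b", r"\bimmediately\b", r"\bwithin 24 hours\b",
                    r"\bsuspended\b", r"\bverify your account\b", r"\burgent\b"]
RISKY_EXTENSIONS = (".zip", ".iso", ".html", ".js", ".vbs", ".exe", ".scr", ".docm", ".xlsm")
# Good enough for a demo body; a production parser should use html.parser or lxml.
LINK_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link host."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    normalized = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    labels = domain.split(".")
    for trusted in TRUSTED_DOMAINS:
        if normalized == trusted or levenshtein(domain, trusted) <= 2:
            return "lookalike"  # amaz0n.com, hospita1.example
        if trusted.split(".")[0] in labels:
            return "lookalike"  # amazon.net, hospital.example.attacker.net
    return "unknown"


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain/path string, lower-cased."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def analyze(raw: str) -> dict:
    """Apply the article's checks to one raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_domain!r} is {verdict}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, visible in LINK_RE.findall(text):
        target = host_of(href)
        if classify_domain(target) != "trusted":
            findings.append(f"link points at {target!r} ({classify_domain(target)})")
        # Visible text that looks like a domain but resolves elsewhere: the hover mismatch.
        if re.search(r"[\w-]+\.[a-z]{2,}", visible, re.I) and host_of(visible) != target:
            findings.append(f"link text {visible!r} hides destination {target!r}")
    haystack = f"{msg.get('Subject', '')}\n{text}"
    urgency = [p for p in URGENCY_PATTERNS if re.search(p, haystack, re.I)]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name!r}")
    return {"sender_domain": sender_domain, "sender_verdict": verdict,
            "urgency_cues": len(urgency), "findings": findings}


# Constructed sample modeled on the lure described in the article; all addresses are fictitious.
SAMPLE = """\
From: IT Support <it-support@hospita1.example>
To: exec@hospital.example
Subject: Your 2FA is about to expire
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your two-factor authentication will expire within 24 hours. Please visit
<a href="http://hospital.example.secure-reset-portal.net/login">hospital.example/login</a>
immediately to keep your access.</p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="2fa-renewal.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE)["findings"]:
        print("-", finding)
```

Run as a script it lists four findings for the sample: the digit-for-letter sender domain, the link to an attacker-controlled host, the visible-text/destination mismatch, and the .zip attachment, with three urgency cues counted separately. None of these checks replaces the human step the article stresses (verify through a known-good channel); they only surface the cues a rushed reader skips.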
Encourage skepticism.
Avoiding cyberattacks in healthcare requires a healthy dose of suspicion. As Knotts says, “It’s okay to be a skeptic.”
When in doubt, contact the supposed entity directly through a verified phone number or website. That’s how the executive in our example narrowly avoided costing their organization $350k.
It never hurts to validate if something is real, especially when you’re in a position to access vital patient data.
“Be stingy with your credentials. Trust your gut.”
Build a company culture that values security.
You must establish a culture that emphasizes security as a fundamental aspect of patient care. Excellent security measures are essential for delivering excellent healthcare.
This mindset shift needs to start at the top. Knotts finds that executives and other leaders sometimes have a false sense of security, “They don’t think they’re the ones who have to be worried—they don’t realize the criticality or urgency until an attack happens to them.”
However, because those in higher positions have more access to sensitive data, they can be an even bigger target for cybercriminals. These leaders must recognize the importance and immediacy of robust cybersecurity practices before facing direct threats.
Implementing continuous education reduces risks and fosters a proactive, security-aware work environment, which directly contributes to patient care.
What does the future hold for healthcare cybersecurity?
The healthcare sector is at the forefront of some of the most significant technological transformations. Among these, artificial intelligence (AI) has become a double-edged sword in healthcare cybersecurity.
AI's capacity to rapidly process and analyze vast amounts of data makes it a powerful ally in healthcare. Its benefits are undeniable—from predicting patient outcomes to automating routine tasks.
However, these capabilities also empower cybercriminals, “AI makes it a lot easier for people to develop new malware, exploit vulnerabilities, and iterate their attacks.” Knotts explains how AI can automate attacks, craft more convincing phishing emails, and even create malware that adapts in real time to avoid detection.
At the same time, AI represents the next frontier in cybersecurity defense. AI-driven security solutions can:
- Monitor networks for unusual activity.
- Predict and neutralize threats before they cause harm.
- Learn from attacks to prevent future breaches.
Given this dichotomy, the future of cybersecurity in healthcare will likely be characterized by an arms race between defenders and attackers, with AI as the weapon of choice on both sides.
Healthcare providers must ensure that patient care continues to benefit from technological advancements without falling prey to cyber threats.
Find a Partner for Cybersecurity in Healthcare
The path to healthcare excellence is deeply intertwined with robust cybersecurity measures. Mary Knotts’ insights emphasize the human element in safeguarding patient data and underscore the necessity for a security-centric culture within healthcare organizations.
When you’re dedicated to protecting patient information while embracing technological advancements, you deliver superior patient care.
If you’re looking to strengthen your technology infrastructure and security, PEAKE is here to help. We’re technology partners dedicated to helping you deliver healthcare excellence.
Contact us today for expert support in navigating cybersecurity challenges and guaranteeing the continued excellence of your healthcare services.