According to a recent Moody’s report, the healthcare industry is “cyber poor” — meaning it's ill-equipped to prevent cyber attacks.[1] Whether you run a small practice or a healthcare conglomerate, ensuring your business is protected from cyber attacks is paramount. This article will discuss the state of cybersecurity in the healthcare industry, what’s at stake if your business’s data security is breached, and what you can do to beef up your cybersecurity investments to mitigate the threat.

Can the Healthcare Industry Handle Cyber Attacks?

While the ability of individual healthcare companies to defend against cyber attacks varies, the industry is often subject to large-scale breaches. In 2022, according to research conducted by Protenus, nearly 60 million patient records were breached — an 18% increase from 2021, when attackers compromised just over 50 million patient records.[2]

Healthcare breaches affect patient trust, damage an organization's reputation, and result in direct financial costs. In its 2022 Cost of Data Breach report, IBM pegs the average cost of a healthcare breach at $10.10 million — an increase of 42% since 2020.[3]

Mitigating the Risk of Cyber Attacks

Cybercriminals will exploit any weakness to access your network and patient data. Here's some guidance to better protect your organization's assets.

Conduct Security Risk Assessments

To prevent a breach from happening, identify risks, document the corresponding controls, and remediate gaps. It's crucial to address any weaknesses promptly. The longer they persist, the higher the chances they are used to breach your defenses. Committing to ongoing risk assessments can also help, especially if your business experiences a significant change in its operations, such as an acquisition or a divesture.

Apply Patches and Software Updates

Cybercriminals often exploit known security weaknesses. Patching systems, applications, devices, etc., remove an easy pathway to breach your organization. Again, the longer a patch or security update remains unaddressed, the greater the risk that your organization will experience a breach. To that end, ensure your IT department monitors the release of patches and updates — and plans accordingly for their installation.

Encrypt and Backup Data

Cybercriminals steal data because it contains valuable information they can monetize. Encrypting data at rest and in transit denies cybercriminals access to your data and renders it useless. In addition to encrypting data, it's important to back up your data, as the healthcare sector is often subject to ransomware attacks, where attackers steal data and demand a ransom for its return.

If you are targeted with ransomware, contact federal law enforcement, as they can potentially help mitigate the attack, prevent future attacks, and pursue the perpetrators.

And while there may be considerable pressure to pay a ransom, there are many reasons not to do so.[4] Law enforcement does not recommend paying a ransom as it does not guarantee the safe return of your data. It also rewards criminals for their efforts and may violate US sanctions and money transmission laws.

Deploy Robust Access Controls

Employees should only receive access to the data they need to perform their job. Applying the least access privilege limits employee access to patient data on a need-to-know basis. For example, a marketing employee should not receive patient data access. Instead, their data access privileges should match their role. This approach limits the amount of data employees can access and, therefore, the pathways to compromise your organization’s security defenses.

Monitor Your Network for Suspicious Activity

Deploy an intrusion detection system (IDS) to generate alerts when cybercriminals attempt to compromise your company’s defenses. An intrusion detection solution monitors your network for behavior that appears malicious. IDS comes in various forms, including network-based (which scans an entire network) and host-based solution (which resides on an endpoint).

Regardless of the type of IDS, the goal is to detect suspicious activity and generate alerts that allow a security professional to examine the activity and take steps to protect your organization.

Prepare an Incident Response Plan

If your organization experiences a breach, a systematic and efficient response can help minimize your exposure. An incident response plan provides detailed steps for your organization to follow after an attack and assigns responsibility for every plan element to individual employees or departments. To ensure it functions as designed, consider conducting a tabletop exercise that simulates an attack and gauges the plan's effectiveness.

Invest in Employee Education

Employees are often the weakest link, as they often lack a full understanding of the threats facing the organization. Requiring employees to complete periodic security training may encounter resistance, but it can be effective in preventing attacks.

For example, educating your employees on avoiding phishing scams can prevent ransomware attacks and schemes involving bank fraud. When using phishing tactics, criminals send an email, text, or voice message to trick an employee into revealing sensitive data. Teaching employees to recognize the hallmarks of a scheme can reduce the potential for an attack.

Evaluate Your Security Program Against Benchmarks

Due to the severity of the threats facing the healthcare sector, many government agencies provide extensive guidance to mitigate the risk. The Cybersecurity & Infrastructure Security Agency (CISA) and the Center for Internet Security (CIS) provide guidance for healthcare organizations to combat threats.[5][6] Evaluating your security program against such standards can uncover weaknesses before an attacker can exploit them.

Keeping Your Business Safe

The healthcare sector faces significant and pervasive threats with the potential to expose millions of patient records. Criminals continually adapt their approach to increase the likelihood of breaching your organization's defenses. Therefore, security is a never-ending task. While a multi-layered, proactive approach to cybersecurity cannot eradicate the threat, it can mitigate the risk, including stopping attacks and lessening the impact of those that succeed.

If your company’s revenue is over $10 million, our PNC Commercial, Corporate & Institutional Banking Healthcare team can help serve your organization’s needs.