Cybersecurity risk is the probability of financial loss, operational disruption, or damage resulting from the failure of the digital technologies introduced into a system because of unauthorized access, use, disclosure, disruption, modification, or destruction of that system.
The healthcare industry’s cybersecurity risk is higher than that of other sectors. This is primarily because providers hold vital personal information about patients, such as their name, address, and social security number. On average, a patient record is valued at $250 on the black market, which provides a significant incentive for threat actors.
The impacts of increased cybersecurity risk apply not only to patients whose personal information is at risk of being stolen but also to the companies that retain that information. It is predicted that in 2021 cybercrime will cost companies $6 trillion, with the healthcare industry being a significant target. 46% of companies that undergo a data breach suffer damage to their brand and reputation. Additionally, destruction or alteration of a hospital’s electronic health records can lead to “downtimes,” periods during which doctors cannot access those records. When a hospital in the northeast suffered downtime due to a cyberattack, overdoses and misdiagnoses took place: with the electronic health records inaccessible and no backup plan in place, providers could not operate correctly. This was not an isolated event; roughly 80 hospitals had periods of downtime due to cyberattacks from 2012 to 2018.
The three primary sources of cybersecurity risk are technical, physical, and administrative vulnerabilities.
Technical security vulnerabilities increase cybersecurity risk because of a flaw in the software. In the fall of 2020, eyecare conglomerate Luxottica of America was the victim of two security incidents that directly involved patient data. In one of them, hackers obtained access to the patient scheduling application managed by Luxottica. The breach was detected after four days, but not before patients’ personal information, appointment notes, health conditions, and appointment dates were stolen. Some patients even reported that their credit card information was stolen.
Physical security vulnerabilities increase cybersecurity risk as a result of flaws in the physical layout of the environment. One example of a physical vulnerability, from November 2019, was the theft of a laptop owned by a Health Share of Oregon employee. The computer contained 654,000 patient names, contact details, dates of birth, and Medicaid ID numbers.
Administrative security vulnerabilities increase cybersecurity risk due to a lack of administrative safeguards. Beginning in 2019, IT company SolarWinds was attacked by a group of Russian hackers. The initial breach was achieved partly through password guessing and brute-force attacks. Another contributing factor was that the password for SolarWinds’ update server was solarwinds123. This hack would have been more challenging to execute if the company had administrative protocols requiring a specific level of password strength or multifactor authentication.
One method of reducing cybersecurity risk is to conduct an enterprise-wide security risk assessment, which evaluates an organization’s points of exposure and suggests approaches to remediate those vulnerabilities. Implementing physical security measures, such as installing security cameras or locked doors to monitor and protect sensitive areas, is also necessary. Such measures can also include team member training programs to minimize the risk of succumbing to phishing emails. Other possible solutions include encrypting protected health information (PHI), regularly verifying that healthcare workstations are not compromised, or, as mentioned previously, requiring a specific password strength or multifactor authentication to log into the system. There are myriad solutions and options for addressing various risks; the ideas above are just examples of remediation actions that organizations may choose to take to mitigate cybersecurity risk. A multi-layered infrastructure that protects the enterprise at various points is considered a best practice; since most organizations cannot implement everything at once, the different components of the suggested architecture should be part of the organization’s cybersecurity roadmap.
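The password-strength requirement discussed above (the administrative control that would have rejected a value like solarwinds123) can be enforced in code. The following is an added example written for this page, not code from SolarWinds or any organization mentioned here; the policy rules, thresholds, and the small deny-list are assumptions chosen for illustration.

```python
import math
import re

# Constructed sample deny-list; a real deployment would check a much larger
# list of breached passwords (assumption, not something the article specifies).
COMMON_PASSWORDS = {"password", "123456", "welcome1", "qwerty123", "letmein"}

def estimated_entropy_bits(password: str) -> float:
    """Rough entropy estimate: length times log2 of the character classes used."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def password_policy_violations(password: str, org_name: str,
                               min_length: int = 14, min_bits: float = 60.0) -> list:
    """Return the policy rules the password breaks; an empty list means it passes.

    The rules are an illustrative policy (minimum length, no organization name,
    no word-plus-digits pattern, no deny-listed value, entropy floor), not a
    specific standard.
    """
    violations = []
    lowered = password.lower()
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    # Passwords built from the company's own name are among the first guesses.
    if org_name.lower() in lowered:
        violations.append("contains the organization name")
    # A word followed by a few digits (the solarwinds123 shape) is highly guessable.
    if re.fullmatch(r"[a-z]+[0-9]{1,4}", lowered):
        violations.append("matches the word-plus-digits pattern")
    if lowered in COMMON_PASSWORDS:
        violations.append("appears on the common-password deny-list")
    bits = estimated_entropy_bits(password)
    if bits < min_bits:
        violations.append(f"estimated entropy {bits:.0f} bits is below {min_bits:.0f}")
    return violations

if __name__ == "__main__":
    for candidate in ("solarwinds123", "Tr0ub4dor&3-Correct-Horse"):
        print(candidate, "->", password_policy_violations(candidate, "SolarWinds") or "passes")
```

Note that solarwinds123 clears the naive entropy floor on length alone; it is the organization-name and word-plus-digits rules that reject it, which is why a policy should not rely on a single measure.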
Cybersecurity risk is increasing for the healthcare industry. The impacts of increased cybersecurity risk can be devastating to both patients and enterprises. Healthcare organizations should build and maintain a comprehensive risk management program including a cybersecurity roadmap and incorporate regular security risk assessments into that program.