Five Factors Behind Increased Cyber-Attacks in Healthcare

May 24, 2021

After an eventful 2020, it’s safe to assume the healthcare sector is looking forward to a calmer year ahead. Yet, the early months of 2021 have already seen increased pressure applied to healthcare information systems as a result of a rise in cyber-attacks.

Across the world, the healthcare sector faces attacks that are capable of paralyzing all, or part, of their information systems. These attacks can have an impact on both administrative and healthcare information systems (patient administration, electronic medical records, for example) and on biomedical information systems (scanners, monitoring, and more). The consequences often lead care providers to fall back on less effective procedures: using paper records, postponing operations, for instance. Ultimately, this can have direct and indirect impacts on patients’ health.

‘Technological deficits’ keep the door open to attackers

As with other organizations, attacks on healthcare institutions target weaknesses that often stem from ageing software and hardware, or from a failure to update it regularly. The issue is harder for institutions to tackle when it comes to biomedical equipment, which is almost universally maintained by manufacturers or software publishers rather than by the institutions' own IT teams.

In such cases, projects to identify technological deficits, followed by action plans, can be implemented to help reduce the cyber risks to which these institutions are exposed.

Covid-19 increased attack vulnerability

Covid-19 presented hackers with a ‘perfect storm’ of opportunities: a rise in telemedicine and an increased reliance on IT resources in a sector that evidently keeps records with valuable personal information, attracting identity theft. According to the Bitglass ‘Healthcare Breach Report 2021’, cyber-attacks in the US increased by 55% in 2020, costing victims of attacks $499 on average – a significant increase from 2019.

The vulnerabilities exploited during the global pandemic were not only costly and compromising for those who fell victim; they were also hard to recover from: the average healthcare firm took about 236 days to recover from a breach. The report shows a shifting landscape in cybersecurity, as the sector embraces a cloud-first world, and highlights the need for institutions to leverage their tools and strategies to address the growing threat from malicious actors.

Responding to ransomware

Recent attacks are mostly based on the deployment of ransomware that can cause complete paralysis of the information system. This ransomware is generally distributed in the following way:

  1. Malicious code is installed, either through e-mail phishing techniques or by exploiting a vulnerability;
  2. The installed code integrates into the system and installs a service that appears legitimate;
  3. Information discovered on the system is transferred back to the attacker;
  4. The attacker launches the attack.

Detecting and responding to ransomware-type attacks requires the use of specialist tools, fairly similar to antivirus solutions. However, such solutions are not widely used within these institutions. Although these tools alone would not provide complete protection against these attacks, their current absence puts institutions at higher risk.

Awareness and user testing still insufficient

Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) have long been involved in training and cyber risk awareness-raising activities for users in a range of formats, both traditional (intranet notices, e-mails) and through ‘play’ (for instance, escape games and online games). Still, a large number of institutions do not have the resources to meet ambitious cyber risk training objectives.

Raising awareness is key to keeping users informed and on track, as they do not always receive timely warnings or know the appropriate practices to adopt. Both training and testing, such as quizzes or phishing simulations, are essential to security: they promote user awareness, and that awareness can then be assessed at all levels of the organization.

Lastly, there can be no effective training without testing the levels of knowledge or awareness that users acquire. In practice, CIOs and CISOs could implement testing campaigns that resemble the kind of tactic an attacker might use, such as phishing.

Attacks identified after the damage is already done

Is there anything worse for a CIO or CISO than to find out that their institution’s information system is inaccessible or not working? Unfortunately, attacks are often identified after the damage has already been done.

It is important to design or identify information systems able to monitor or prevent attacks or suspicious behavior wherever possible. There are many solutions on the market that allow proactive identification and alerting. The challenge is then to have an in-house or third-party resource for analyzing technical traces and raising alerts within an appropriate timeframe.

Professional bodies, support groups and authorities are providers of cybersecurity doctrine and best practices, which should be implemented within information systems. This guidance is a valuable aid for decision-makers and CIOs who want to raise the level of security.

Finally, it should be kept in mind that timing is a crucial factor for these cyber threats: the more robust the organizational and technical security measures, the longer it will take to carry out an attack successfully.

An earlier version of this article appeared on Mazars.fr.


Copyright 2021 - Mazars - United States