Healthcare Cyberattacks: Five Underestimated Risks for Covered Entities


Change Healthcare’s billion-dollar ransomware attack has woken many leaders up to the urgent necessity of stronger cybersecurity. But most media reports focus on only a handful of high-profile risks – and obscure many other urgent threats to healthcare cybersecurity.  

This article redresses that imbalance, exploring five underestimated risks healthcare cybersecurity leaders must focus on in the coming years.  

Expect to learn: 

  • The surprising number of healthcare organizations that lack a formal incident response plan 
  • The cultural problem that leads many healthcare professionals to avoid reporting data breaches 
  • The common error which leads third-party vendors to feel disrespected by healthcare providers 

Why Are Healthcare Organizations at Risk from Cyberattacks? 

The fundamental reason healthcare organizations face heightened cybersecurity threats is simple: there is a large black market for health data, and covered entities are the largest repository of such information. But several structural issues exacerbate this, including: 

  • Large, complex attack surfaces: With thousands of digital touchpoints across a complex digital ecosystem, the average healthcare organization has more potential entry points for cybercriminals than companies in other sectors. 
  • Legacy technology: The FDA recently published guidance intended to ensure medical devices are “cybersecure” – but this only applies to new products. Many legacy devices, such as heart rate monitors, were not designed with cybersecurity in mind. As a result, these devices – which are expensive, difficult to replace, and rarely updated – present a serious vulnerability for most healthcare organizations. 
  • Patient data must be shared: Healthcare organizations need to make medical data easily accessible to healthcare professionals at multiple touchpoints to enable efficient and effective care. But this creates a conflict where organizations must balance accessibility with cybersecurity – a problem that has been exacerbated by the rise of telehealth and remote working. 
  • Evolving digital ecosystems: Most healthcare organizations have adopted digital technology slowly, meaning they run a combination of state-of-the-art tech and outdated legacy devices or systems. Many of these legacy devices may not have been powered down for several years, which means their software has not been updated – leaving unpatched weaknesses that an attacker can use as a back door into the network.  

5 Underappreciated Cybersecurity Risks for Healthcare Organizations 

1. Employee Error 

Most organizations understand that employee error is a leading cause of data breaches. From falling for phishing attacks to mishandling patient data, some studies have found more than a third of all breaches are caused by employees – yet most organizations still do not offer proper cybersecurity training for employees. 

A recent survey found that over a quarter of organizations offer cybersecurity training sporadically, while a fifth only offer training once per year. However, given how quickly the threat landscape evolves, this is simply not frequent enough to ensure employees are prepared to effectively deal with attacks. 

2. Cultures of Silence 

While employees are not offered robust or frequent enough cybersecurity training, they are aware of the risk associated with data breaches – to the extent that many are afraid to report problems with the IT system.  

30% of employees say they have not reported a data breach because they feared losing their jobs, suggesting there is a culture of silence around cybersecurity. But this may ultimately exacerbate the issue, as security teams cannot act quickly enough to prevent further problems. 

3. Poor Incident Response 

For healthcare organizations with complex, interconnected IT systems, the impact of a poor response to a cybersecurity breach can be worse than the attack itself. Yet recent research shows that 37% of healthcare organizations don’t have a cybersecurity contingency plan in place – often leading to a cascading effect where problems spread throughout the system. 

Without a proper contingency plan: 

  • Communication is limited: A security breach is likely to impact internal communication systems, which means security teams may not even be able to let personnel know that an attack has taken place – or inform patients that the system is down. 
  • Panic ensues: Without clear communication, individual employees and patients are left in the dark – leading them to panic and potentially exacerbating the issue. 
  • Downtime is extended: Security teams must formulate a response in real time rather than relying on a pre-defined process – which inevitably leads to a slower, less efficient resolution. This can negatively impact patients and increase the total cost of an incident. 

This is why healthcare organizations need to undertake regular cybersecurity preparedness tests, helping them understand how their systems would respond in the event of an attack – and ensuring their contingency plans are robust. 


4. Outdated Assessment Questionnaires 

Security assessments are essential to identify vulnerabilities, prioritize risks, and ultimately remediate them to improve your cybersecurity posture. However, 50% of healthcare security teams are dissatisfied with their ability to keep up with the growing volume of assessments. 

There are two commonly cited reasons for this: 

  • Manual processes: Most security teams have not yet adopted software to automate and streamline assessments, meaning their teams are forced to manually complete hundreds of assessments – creating the infamous “assessment fatigue.” 
  • Slow vendor responses: Third-party vendor assessments rely on vendors’ cooperation and completion of assessment questionnaires. Yet surveys show that 43% of teams are unhappy with the turnaround of assessments, and nearly a quarter struggle to get vendors to even respond to assessment requests. 

However, there is a third, far less commonly acknowledged problem: outdated assessment questionnaires. Many security teams save time and effort by using pre-existing questionnaire templates for vendor assessments, which presents several problems: 

  • The questions may be irrelevant to specific vendors. 
  • The vendor may struggle to understand questions that are not directly relevant to their business. 
  • The vendor may feel sending templated questionnaires is disrespectful. 

All of this leads to confusion, frayed vendor relations, and, ultimately, slower assessments. 

5. Fragmented Risk Data 

While the volume of cybersecurity assessments is a problem, it is made far worse by the fragmentation of risk data. Information about individual suppliers or aspects of the security posture may be stored in separate systems, using a combination of paper and manual spreadsheets – which makes finding the security data you need difficult and time-consuming. 

The net result of this fragmentation is a lack of organization-wide visibility, which means: 

  • Risks are often overlooked: It is easy for security blind spots to emerge when security leaders must spend hours manually sourcing data from across the entire risk spectrum. 
  • Prioritization is flawed: Security teams struggle to compare different forms of risk – and, therefore, cannot make accurate assessments about the relative urgency of remediation.  
  • Decisions are slower: Security executives must make fast, high-pressure decisions based on data. However, without a clear view of their security posture, these decisions are often too slow to properly protect their organization. 

Address Vulnerabilities Before It’s Too Late with Intraprise Health 

Hidden vulnerabilities could be your organization’s downfall – but there is still time to identify and remediate them. Intraprise Health offers a suite of innovative software and expert-guided services to: 

  • Train employees: Offer comprehensive, on-demand online training to help employees understand cybersecurity risks and ensure compliance. 
  • Streamline assessments: Automate assessment processes, access high-quality pre-written questionnaires, and use a single centralized platform to view, analyze, and prioritize risk.  
  • Combat risks: With consulting services based on expertise in both healthcare and cybersecurity, we help you identify hidden risks, develop a remediation plan, and execute the plan to keep your organization safe. 

Want to protect your patients, reputation, and bottom line? 


About the Author

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.