How can hospitals boost their cyber defences?

Losing access to patient data and equipment is not just about privacy; it can also be deadly.

Healthcare providers should bolster their cyber defences to ward off hacker attacks on an industry whose data breach costs have been the highest for the past 13 years.

The average breach cost for healthcare fell 10.6%, to $9.77 million in the 12 months through February 2024, according to IBM’s Cost of Data Breach Report. “But that factor wasn’t enough to remove it from the top costliest industry for breaches — a spot it’s held since 2011,” the report read in part.

Cyberattacks in healthcare can have ramifications beyond financial loss and privacy breach, according to the World Economic Forum. With ransomware attacks, the loss of access to patient data and medical tools can be deadly. It can also take months for hospitals to recover.

Hospitals and clinics remain an easy and lucrative target for ransomware attackers because they often use outdated technologies that are highly vulnerable to disruption, putting patient data and safety at risk.

Ransomware attacks have been rising through the years with the explosion of data in the cloud, and a fifth of sensitive data from global healthcare organisations are lost in each assault, Rubrik Zero Labs said in a report in May.

It said 99% of information technology (IT) and security leaders in Singapore reported that their organisations experienced a significant cyberattack last year. Organisations there faced an average of 43 attacks, and 96% of those that endured a ransomware attack ended up paying the ransom demand.

Synapxe, Singapore’s national healthtech agency, intercepts and blocks 3,000 malicious emails daily, whilst facing 1.7 million attempts to breach its internet-facing firewalls each month, according to the country’s Ministry of Health.

“Singapore has the unique added challenge of an ageing population, which will inevitably lead to a growth in healthcare data,” said Abhilash Purushothaman, vice president and general manager of Asia at Rubrik.

Rubrik said 51% of ransomware payments in Singapore were motivated primarily by threats to leak stolen data, including patients’ medical records.

Meanwhile, in Australia, 22% of all data breaches from July to December 2023 targeted the health sector, KnowBe4, which provides security awareness training and a simulated phishing platform to help companies manage threats, said in its June 2024 report.

This is more than double the 10% share of its financial service sector in the breaches.

Human risk

“Hospitals have become increasingly attractive targets for ransomware attacks due to their comprehensive patient databases, sensitive information, and their interconnectedness between systems and equipment,” KnowBe4 said.

Back in November 2023, Alfred Health in Melbourne apologised to more than 7,000 patients after a health worker viewed their medical records while not directly involved in their care.

Whilst there was no evidence that patient information had been downloaded or used, the data breach showed the need for health services alike to improve the detection of unusual behaviour in their electronic systems.Health organisations should develop coordinated strategies to bolster cybersecurity because the stakes are high.

“Fortifying technical defences, regularly patching software, and conducting security audits will help to ensure malicious emails do not get through to the institution’s IT infrastructure,” KnowBe4 said.

Martin Kraemer, a security awareness advocate at KnowBe4, noted that while the adoption of artificial intelligence (AI) by cybercriminals has been slower than predicted, its use is undoubtedly ramping up.

He said recent tech outages, while not necessarily malicious, showed organisations must improve their security operations. Many will invest in streamlining these processes to minimise system downtime.

Kraemer expects healthcare, manufacturing, construction and engineering, technology, and legal and professional services to remain the prime targets of cyberattacks. Across all these trends, human risk remains a critical factor, he said.

“Organisations must invest holistically in technology, processes, and people to defend against cyberattacks,” he wrote in a blog posted on the KnowBe4 website this week. “Human risk management should be a core element of every cybersecurity strategy.”

Questions to ponder:

1. How do healthcare organisations cross-check data access privileges and controls among its employees?
2. How can they prepare for more advanced cyberattacks that use AI, including information-stealing chatbots and deepfake social engineering tactics?