Best practices for mitigating evolving health care cyberattacks

Health care enterprises today are plagued with evolving and increasingly sophisticated cyberattacks. The rise of remote care, complex IT environments, and connected health care devices are opening up new attack vectors for cybercriminals to exploit.

Bad actors are eager to exploit vulnerabilities in any and all of these areas to access lucrative patient data such as Social Security numbers, driver’s license numbers, financial information, health data, and insurance information.

To combat evolving and increasingly damaging cyberthreats, health care organizations must proactively operationalize key risk mitigation strategies aimed at effectively shoring up their cyber defenses.

Unyielding attacks

Threat actors are targeting the health care sector with a barrage of different attacks. Some of the most common types of attacks include hacking, ransomware, phishing, and supply chain attacks.

The HIPAA Journal reported that 2023 saw a record 725 large health care security breaches reported to the Department of Health and Human Services Office for Civil Rights, beating the record of 720 health care security breaches set the previous year. As a result of these breaches, an average of 373,788 health care records were breached every day in 2023.

Research by the Ponemon Institute last year found that 88% of health care organizations surveyed had at least one cyberattack over the past 12 months and Check Point data revealed that the global health care sector experienced an average of 1,613 cyberattacks per week, reflecting a significant year-over-year increase of 11%.

Critical consequences

The cyberattacks targeted at health care are persistent and damaging.

One of the most recent attacks in this sector impacted Change Healthcare (part of Optum, a UnitedHealth Group company). In late February, the company reported that it was experiencing a cybersecurity issue that made some systems unavailable. The attack impacted the company’s pharmacy, medical claims, and payment systems. According to published news reports, the outage left some doctors unable to check patients’ eligibility for treatment or prevented them from filling prescriptions electronically. Fallout from the attack also extended to financial disruption for providers that were unable to receive reimbursements from insurers.

It is an unfortunate reality that no health care organization is immune from cyberattacks. These attacks can lead to lengthy care disruptions, patient diversions to other facilities and delayed medical procedures all of which can jeopardize patient safety and put lives at risk.

Cyberattacks in this sector also negatively impact public trust and can inflict lasting damage on the reputation of health care organizations.

The operational disruption of cyberattacks can also lead to significant financial losses. The costs of health care data breaches continue to soar. IBM’s 2023 Cost of a Data Breach report found that the average cost of a health care data breach reached nearly $11 million in 2023, increasing 53% since 2020.

Fines for violating HIPAA are another financial risk associated with cyberattacks on health care organizations. The civil monetary penalty for knowingly violating HIPAA falls within the range of $13,785 and $68,928 per violation.

Best practice risk mitigation strategies

To combat pervasive cyber threats, it is essential for health care organizations to proactively adopt robust risk mitigation strategies. The following strategies can help health care enterprises prevent cyber threats and strengthen their overall cybersecurity posture.

Implement multi-factor authentication

Implementing multi-factor authentication ensures only authorized users gain access to protected health information (PHI). Multifactor authentication requires a user to present a combination of two or more credentials to verify identity for login. With this layered approach to securing data and applications, if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be granted access.

Use encryption

Encryption is an essential data protection measure for health care organizations. Encrypting PHI in transit and at rest guards against unauthorized access to sensitive data. This technology changes plain text into cypher text that can’t be read or used without the proper encryption key, ensuring that even if this data is intercepted, unauthorized individuals will not be able to read it.

Encryption is also a vital security practice for helping health care enterprises adhere to data protection and privacy regulatory requirements such as HIPAA.

Provide cybersecurity training

A majority of data breaches - 74% - involve human error. That’s not surprising considering cyber criminals are targeting employees with a barrage of malware, phishing, and password attacks. Research by Fortinet found that 81% of these attacks were targeted at employees.

Providing ongoing cybersecurity training is critical for making employees the strongest link in the chain of cybersecurity instead of the weakest link. This training should reinforce that everyone plays a critical role in keeping the organization cyber secure and safeguarding patient data.

Regular training sessions should equip employees with the tools and knowledge they need to spot and combat cyber threats including understanding how to identify suspicious links and attachments, the importance of creating strong passwords and the importance of promptly reporting security incidents and adhering to security policies.

Employees should also be educated on HIPAA policies and procedures as well as other applicable government privacy regulations.

Vet solution providers

As health care organizations increasingly become digital workplaces powered by technology from third-party solution providers, it is critical to vet the security and data practices of these providers. Before selecting digital technology, health care enterprises should vet this technology to ensure these security and privacy practices meet or exceed the standards of their organization.

Adopt secure, compliant mobile messaging technology

Mobile messaging and collaboration platforms are an essential technology for keeping health care teams connected, productive and engaged. To build the most secure digital workplace, health care organizations need to adopt secure and private by design mobile messaging platforms. That means a cloud-powered mobile messaging solution that features end-to-end encryption, full IT control, guaranteed compliance, and no data collection ever.

Cyberattacks in the health care industry continue to evolve, increasing in frequency and severity. To protect patients and prevent operational disruptions, health care organizations should proactively adopt the best practice risk mitigation strategies outlined above.

Anurag Lal is the CEO and president of NetSfere, and former Obama administration Director of U.S. National Broadband Task Force