Healthcare providers continue to be a prime target for cyber attacks. Even ransomware criminals, some of whom held their fire on hospitals during the height of the pandemic, are taking aim again. In its 2022 report on healthcare and ransomware, IT security provider Sophos reported that 66% of the 381 healthcare organizations in the study had been ransomware victims last year — an increase of about 50% from 2021.
Attacks also continue on connected healthcare devices. Just last month, the personal information of more than 1 million patients and employees of the maker of a wearable cardiac defibrillator was compromised in a hacking incident. Such breaches of the so-called Internet of Medical Things (IoMT) also offer a pathway to penetrate an organization’s wider IT environment.
In response to incidents like these, the Food and Drug Administration (FDA) has just released guidance that requires IoMT makers to submit plans to monitor, identify, and address cybersecurity issues with their offerings and to ensure the availability of patches and updates. The guidance won’t be enforced until October to give the industry time to prepare for the changes.
The healthcare supply chain also creates attack surfaces. Connections to the networks of third-party providers and suppliers add to the risk of a healthcare organization being compromised. Just in the past year, the breach of a third-party imaging provider led to the exposure of two million patient records among the 56 healthcare facilities it services.
Healthcare executives recognize the threat and are asking for help. Last month, industry representatives appeared before Congress to ask for minimum cybersecurity standards for their industry, given the failure of voluntary measures to protect hospitals and clinics. While HIPAA is mandated for the industry, its 42 controls pale in comparison to more comprehensive standards such as the NIST Cybersecurity Framework. And a 2020 study by healthcare security firm CynergisTek showed that nearly a quarter of healthcare providers don’t even comply with HIPAA.
It’s no wonder that healthcare organizations – with their treasure trove of personal health information and e-health records and their interconnected supply chains – remain ripe targets for attack. The situation calls for new approaches that keep threat actors from even seeing their crown-jewel assets in the first place.
Network obfuscation is a proven strategy for cordoning off critical records and networks in an ultra-secure digital environment in order to isolate them from attack. To learn more about risks and costs of cyber threats in the healthcare field and how network obfuscation can help, download the ebook: Diagnosis: Cyber Risks and Threats in Healthcare Organizations.