Cyberattacks continue to increase in the health care sector, especially those caused by third parties. A recent report suggests that implementing best practices could be highly effective in detecting, preventing, and responding to these threats, but adopting these practices is not occurring on a widespread scale.
A new report, The State of Cybersecurity and Third-Party Remote Access Risk, which surveyed 636 individuals about their cybersecurity practices, documented the increase in cyberattacks. This is the second annual research study sponsored by SecureLink Inc. to investigate how organizations are investing in their cybersecurity infrastructure to minimize threats and which industries are paying attention to third-party remote access risks.
Data show that every industry has both vulnerabilities and strengths. The financial and health care sectors are the two industries most often targeted by cyberattacks. The report indicated that 58% of financial organizations and 55% of health care organizations experienced a third-party data breach in the previous 12 months.
The results were not surprising because both industries rely heavily on third parties and gather valuable data, such as protected health information (PHI), that attackers seek. The findings revealed that the health care sector is not making IT systems and third-party security a top priority. More than half of health care entities reported that managing third-party security is overwhelming and a drain on internal resources.
The report found that implementing an automated infrastructure could be a powerful defense against cyberattacks, but lack of resources is a barrier. According to the report, cybersecurity is often deprioritized at the organizational level: 39% of organizations allocate 15% or less of their annual IT budget to cybersecurity. Further, 52% said securing third-party remote access is not a priority for their IT or security team.
Hackers look for the path of least resistance into mission-critical applications and assets, whether a vulnerable access point or a poorly secured credential. The health care industry has transitioned to a more virtual environment since the start of the COVID-19 pandemic through increasing virtual and telemedicine consultations, said Steven Walczak, PhD, Professor of Health Information Systems at the University of South Florida in Tampa. The increased reliance on Internet-based communications and virtual work has opened new targets for cybercriminals. Often, clinicians’ home computing devices lack adequate security measures.
Dr Walczak pointed out that there are no barriers to entry into becoming a cybercriminal. “The only tool a cybercriminal needs to perform attacks against medical facilities, personnel, and patients is an Internet connection,” he said. “Cybercriminals also communicate and promulgate attack methodologies via the Web, meaning that cybercriminals no longer need advanced computer knowledge to steal identities or upload malware.”
Some experts contend that laws against cybercrime are not widely enforced. Many attacks happen across national borders, and laws and enforcement policies vary around the world. “While HIPAA serves to remind health care workers about their information protection responsibilities, I do not personally believe that increasing penalties will greatly affect compliance,” Dr Walczak said. “Additionally, even with perfect compliance, hacks and medical identity theft will still continue to happen.”
As a best practice, health care practices and facilities must hire full-time cybersecurity professionals or contract with cybersecurity providers to help oversee their networks and make sure their defenses are the best possible, Dr Walczak said.
Genevieve P. Kanter, PhD, Assistant Professor of Medicine, Medical Ethics, and Health Policy at the University of Pennsylvania in Philadelphia, said both the number of breaches and the reporting of breaches are on the rise. “There are many reasons why the number of breaches in health care has been increasing, from the demands of COVID on hospitals, both in terms of stresses on resources, as well as the switch to telehealth,” Dr Kanter said.
Contributing to the problem is an increasing number of business associates and contractors, many of whom have greater vulnerabilities. Reporting and talking about these breaches have increased, and many health care providers are looking for direction. “I think the law, through HIPAA, has focused a lot on privacy, but laws and regulations need to be extended to create carrots and sticks for security concerns, distinct from privacy concerns,” she said.
Dr Kanter pointed out that some consequences of cyberattacks, such as interrupted health care services, are beyond the scope of HIPAA, which in her view only requires health care entities to report instances when PHI is extracted or removed from a system, not every incident involving PHI. Existing law has not created a regulatory scheme that deals adequately with health care cybersecurity specifically, she observed.