The healthcare industry has been one of the most targeted industries over the past few years and hackers have jump-started their attacks since COVID. Attacks on healthcare industries have increased for the last 5 years, with a 42% jump from 2019 to 2020.
These attacks aren’t likely to stop, especially if healthcare companies don’t take any actions or react to a hostile environment. With 2022 just beginning, it’s a good opportunity for healthcare companies to assess what cybersecurity looks like in the near future in order to be better prepared.
We spoke to Alex “Jay” Balan, Security Research Director at Bitdefender to get an expert’s perspective on what cybersecurity will look like in 2022 for the healthcare industry.
Prediction 1: Ransomware will continue to wreak havoc on healthcare
Ransomware attacks are the driving force between the increase in compromises within the healthcare industry. In 2020, 1 in 3 healthcare organizations reported being hit with ransomware and there was a 45% increase in attacks in the short period from November 2020 to January 2021.
Ransomware is likely to get worse for three reasons:
- Automated attacks will continue to impact unprepared healthcare organizations, which, as we mentioned, are a large percentage of healthcare companies (unless things change)
- Ransomware as a Service (RaaS) will increase in popularity as smaller hacker groups and players get into the RaaS game, leading to more targeted attacks on healthcare facilities. “They’ll use social engineering to appear more believable, look at heads of departments, and likely target HR and finance,” says Balan.
- Criminal hackers know that healthcare is a good target. The organizations have minimal security, high budgets, and critical environments, which make them excellent targets for ransomware. Many of these facilities can’t afford having their systems shut down given that patients are depending on these systems so they’re likely to pay a premium, fast.
Prediction 2: Healthcare companies will still be among most affected by data breaches
The data doesn’t lie and there’s no reason why healthcare organizations wouldn’t be among the industries most affected by malicious hackers and data breaches.
Healthcare organizations don’t do enough to protect and secure their data and they leave themselves susceptible to automated attacks like spray and pray spam and phishing, device botnet infections, and exposures due to misconfigured databases.
“Many hospitals don’t have security as their main area of expertise,” says Bilan “Obviously security is important but they haven’t prioritized it.”
Healthcare organizations should have prioritized cybersecurity fundamentals years ago and it’s largely the reason why these hacks occur. The companies who still fail to invest in their cybersecurity will only continue to see compromises rise.
Prediction 3: IoT and other connected medical devices will be compromised
The healthcare industry has seen an explosion of IoT and medical connected devices through innovations in healthcare facilities and patient care.
But these devices often bring their own risks, particularly because they’re connected to a facility’s network, making them a potential attack vector. And healthcare companies are doing themselves no favors by not conducting the proper due diligence with these new devices to ensure that the devices themselves aren’t risky and their implementation is done properly.
These risks include:
- Hardcoded passwords: Malicious actors know how to find hardcoded passwords of most devices and can use that as a way into a company’s network.
- Lack of security controls: If there’s no way to stop unauthorized users from reaching your device, you’re better off looking for a more secure alternative.
- Network implementation: Healthcare organizations need to carefully integrate connected devices into their network in order to mitigate potential risk. If this is done carelessly, hackers can exploit these devices.
- Lack of security credentials: As part of due diligence, organizations should look at device credentials such as PCI DSS and SOC 2 Type 2 which shows that the manufacturer took steps in order to make devices more secure.
“Medical and other connected devices can be extremely risky if healthcare organizations don’t take the proper steps to ensure the devices are secure” says Balan. “A few years, we [the Bitdefender research team] found various vulnerabilities in a Smart Plug that could have led to some problems for a lot of companies.
Prediction 4: Zero-day vulnerabilities will continue to rise
The discovery of log4j showed how zero-day vulnerabilities can still shock the cybersecurity world and pose a major threat to hundreds and thousands of organizations. Among the healthcare industry, not only are they likely more susceptible to zero-day vulnerabilities, but their lack of attention may lead to an increase in zero-day discoveries.
Without vulnerability assessments, due diligence, and vulnerability management, critical exploits may not be discovered by organizations, increasing the risk that hackers find them first.
“It’s a misconception that a company finding vulnerabilities is a bad thing,” says Balan. “Companies should be looking for vulnerabilities so they know what to fix. Otherwise, they’ll never know they’re susceptible until it’s too late.”
Prediction 5: Leaders in healthcare will make targeted investments in cybersecurity
“I go to a lot of cybersecurity conferences like Black Hat, Def Con, and I meet executives from all over. Except healthcare. I’ve never met a healthcare exec at these conferences. They’re the only industry I don’t see.” – Alex “Jay” Balan
Leaders in healthcare will make cybersecurity a priority and devote resources, time, and effort to having basic cybersecurity fundamentals and partnering with key solutions and vendors to drastically improve their cybersecurity posture. In order to address major cybersecurity gaps healthcare organizations have, they should:
- Invest in ongoing vulnerability management and assessment to discover vulnerabilities, potential exploits, and fix them before they lead to a compromise.
- Prioritize security due diligence and review of all devices (new and old) as well as third-party vendors who can be used by hackers to reach your organization.
- Segregate networks and use identity management services to reduce the risk of compromise via employees — this is especially valuable given the sheer size of many healthcare organizations and the number of employees they have.
- Leverage pentesting, attack simulations, testing readiness and response capabilities of your organization. This will help you spot susceptible departments/employees while identifying areas of improvement when it comes to incident response.
- Work with key partners who can provide cybersecurity tools and solutions like EDR, XDR, threat intelligence, and managed services. For many organizations who can’t devote a huge number of resources to building out entire security departments, it’s the only way to account for the amount of risk healthcare organizations are exposed to.
The healthcare industry needs to make a significant investment in cybersecurity because the status quo isn’t sustainable. With insurance prices increasing, ransomware attacks becoming more frequent, and the attack surface widening across these companies, having a robust cybersecurity strategy has to become an organizational priority.
Learn how Bitdefender can help your healthcare organization manage risk, secure your assets, and improve your cybersecurity posture. Check out the healthcare solutions page here.