Layer Your Defenses as Healthcare Cyber Security Attacks Increase

Since the enactment of the HITECH Act, the healthcare industry has undergone revolutionary technological changes, strengthening some aspects of the delivery of healthcare services while presenting new challenges in other areas. With more and more medical data stored electronically, healthcare organizations and their business associates need to be ever more vigilant to protect that information from cyber criminals. Taking a multi-layer approach to IT security can help to minimize risk.

In 2015, 57 data breaches related to hacking/IT incidents were reported on the U.S. Department of Health and Human Services (HHS) Office of Civil Rights Breach Portal, which tracks breaches at healthcare organizations and their business associates. That is a 68% increase over 2014, when 34 such breaches were reported. This year is on pace to have the highest number yet, with 18 hacking/IT incidents already reported so far in 2016.

Why are healthcare cyber security attacks on the rise? The increase in incidents shown on the HHS website could simply be because healthcare organizations have been reporting more breaches in compliance with breach notification rules. However, there may be other factors.

A recent report suggests that one key factor may be a lack of spending on IT security. The healthcare industry invests less than 6% of its technology budget in security, according to the 2016 Analytics Healthcare IT Security and Risk Management Study by the Healthcare Information and Management Systems Society (HIMSS). For comparison, financial services organizations project to spend 10-12% of their IT budget on security in 2016, according to a survey by the SANS Institute.

Regardless of the reason behind the higher number of breaches, one thing is clear: hackers appear to be taking the healthcare industry hostage with ransomware.

The Institute for Critical Infrastructure Technology (ICIT) has warned that 2016 will be a year plagued by ransomware. As reported in the ICIT Ransomware Report, the healthcare industry was not a traditional target for ransomware attacks; however, this has recently changed. Earlier this year, the Hollywood Presbyterian Hospital Medical Center was infected with ransomware called “Locky,” and a week after that attack, five computers belonging to the Los Angeles County Health Department were infected with a ransomware variant.

Ransomware is typically not a sophisticated attack; it can be performed by pretty much anyone with an internet connection through available-for-hire models, called “Ransomware as a Service” (RaaS).

As with other forms of social engineering attacks, phishing, spear phishing or spam emails are the preferred delivery method of malicious software into a network for a ransomware attack because employees open emails and click on attachments and links as part of their day-to-day activities. Hackers only need a single employee to click on the malicious link or attachment in order to compromise the network. The larger the organization, the greater the risk because more information is available on the internet about the organization and its employees that can be used in a ransomware campaign; there are also more employees who could potentially fall victim.

The threat of ransomware should not be taken lightly. These attacks can have devastating consequences, including:

  • Financial and operational impact on employee productivity
  • Significant costs associated with ransomware containment and data breach assessment
  • Financial loss due to “ransom” payment to attackers
  • Cost of potential legal action and reparations to victims
  • Fines, liabilities and regulatory actions

Of course, it’s better to prevent a malware or ransomware infection than to potentially incur millions of dollars in remediation costs. A layered defense system is critical to help you ward off cyber threats. Information technology and information security professionals, vendors and consultants with healthcare industry experience can help you build a fortified defense, which may include:

  • Providing employees with specialized information security awareness training, including phishing and spear phishing attack simulations
  • Having reliable backups for data and systems
  • Patching all devices as often as possible, including performing vulnerability scans that can help to detect potential weaknesses
  • Deploying technical controls, which include firewalls, content filtering for web and email, antivirus on email servers, antivirus and anti-malware on employee inboxes, and desktop antivirus software
  • Segmenting and subnetting the network, restricting access in the event that there is a successful attack
  • Assigning user account access based on a least-privilege model

Cyber threats may be on the rise, but your organization does not have to fall victim. Healthcare organizations can boost their cyber security defenses, whether by improving their technical controls or by having a strategic combination of manual and technical controls. In addition to technical controls, healthcare institutions should strongly consider enhancing their security awareness training – an area that is often overlooked – with phishing and spear-phishing simulations run by an outside expert who has experience in healthcare IT security. Implementing a multi-layer cyber security defense system can greatly minimize your organization’s exposure and risk of an attack.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.