Healthcare Cyber Attacks Increase in 2023

Healthcare Cyber Attacks Compared to Prior Year

The same timeframe for 2022 showed approximately 190 reportable breaches amounting to approximately 22.5 million medical records having been breached for the same type incidents.  Based on this data, we can clearly see that more records are being reported as breaches this year over last year.  The question is, “Why”?

Five Factors Influencing Healthcare Cyber Attacks

In our time working with healthcare organizations, we have discovered that there are several factors influencing these increases:

1. Poor risk assessments

   The risk assessments we see do not allow quality decisions to be made.  When we review the Enforcement Highlight site, we can reasonably conclude that the risk assessments should have provided information that could have been used to mitigate the possibility of the activities occurring.

2. Training

   A look at All Case Examples | HHS.gov clearly shows that mistakes have led to many of the issues.  These mistakes should have been mitigated through proper training.  Social Engineering attacks have doubled this year and are very successful.  I am roughly 80% effective in gaining system access using Social Engineering attacks when hired to test employees.  Review the Verizon Annual Breach Report and note the following table.  You must build a strategy around Social Engineering attacks.

3. Ransomware
   

   My company gets at least one call per week from organizations who have had ransomware attacks.  If they have not properly prepared for the attack in advance, they are likely to lose data.  Even when they pay the ransom, they will not get all of the data back.

4. Poor account management and privilege controls

   Any hacker, cybersecurity professional and anyone with any knowledge of cybersecurity practices will tell you that the gold criminals are after is poorly provisioned accounts because they lead to more money, more notoriety, more data.  We see tons of accounts with too much access, accounts that should have been terminated (but were not), users with administrative access and anything in between.  If I, as a professional hacker, can compromise an account, many times I can evade discovery for long periods of time.  In healthcare, not only do you have the normal HIT accounts, but also medical device accounts.  Most healthcare organizations forget to deal with medical device security.

5. Medical devices

   The convergence of HIT into the medical device arena has left us with a mess for cybersecurity efforts.  Medical devices MUST be secured!  I could write a thesis paper on this topic and barely scratch the surface.  Medical devices must be risk assessed and managed; split tunneling and multiple unmanaged access to these systems MUST be controlled.  Default credentials must be changed, and credentials SHALL NOT be shared.

These are not all of the issues found in healthcare cybersecurity attacks, but are some of the primary concerns.  I challenge you to take a look at your risk assessment and see if it clearly and accurately identifies these and other issues.  Review your risk assessment and build a five-year plan.  If your answer is that your risk assessment does not help you to build a five-year plan, your risk assessment is broken and needs to be rewritten.