Cybersecurity in the healthcare sector: features, threats and recommendations
According to the ENISA Threat Landscape 2023 study (ENISA: TL2023), covering data from June 2022 to July 2023, the health sector is among the most affected, accounting for 8% of recorded cybersecurity incidents: behind public administration (19%), but ahead of the remaining sectors such as banking (6%), transportation (6%) or energy (4%).
Sector characteristics
It has been observed that, after the difficult months of the pandemic, cybercriminals have turned their attention to this sector, mainly because it offers them a significant economic return. This is due to four specific characteristics of the sector:
- High criticality of services, above all patient care. Any disruption of service, even a temporary or momentary one, can seriously harm patient care, potentially with life-threatening consequences, and causes strong social alarm and reputational damage. For this reason, healthcare managers may be willing to give in to extortion and pay in order to restore "normality".
- High value of the data they manage. Health data has a high value on the black market. The price of a medical record can range from $30 to $1,000 in specific cases, whereas a credit card is worth between $1 and $6 on average (source: Kaspersky).
- Heterogeneity and hyperconnectivity of systems and devices. The digital transformation of the health sector, favored by increased investment driven by the pandemic and by the appearance of European funding for the sector, has allowed the incorporation of a large amount of technology that assists in the diagnosis, treatment and monitoring of patients and makes life easier for health professionals. New devices have been incorporated into healthcare infrastructures, and there are also devices that patients take home which allow the professional to track their progress. These new systems coexist with older, even legacy, systems, which increases the complexity of their operation and maintenance.
- Increased volume of data and of data flows between systems. Not only have the volume and heterogeneity of the data generated, transmitted and processed increased, but these data are also interconnected with each other, both inside and outside the organization itself. All this complexity demands far more effort to keep the entire technological infrastructure and its information constantly updated and secure, and it expands the attack surface available to cybercriminals.
Main threats in the sector
Based on published reference studies (ENISA: TLHS2023), the most frequent attack vectors, or entry points, in the health sector are:
- Poor security configuration (68%).
- Insiders / human error during operation (16%).
- Social engineering / phishing (4%), as an entry vector for intrusion and data theft.
- Supply-chain attacks are also relevant, driven by unpatched software or hardware vulnerabilities, as well as by the download and installation of malware or malicious programs within the technological infrastructure.
Regarding the most frequent types of attack in the healthcare sector, these are:
- Ransomware, reaching 54% of recorded incidents and also being the type of attack with the greatest impact; in 43% of cases it involves data theft in addition to the disruption of services.
- The most used ransomware families are LockBit, Vice Society, LV group and BlackCat/ALPHV.
- Data theft, present in 46% of incidents.
- Intrusion attacks, in 13% of recorded incidents.
Regarding the motivation of cybercriminals:
- Organized cybercrime is behind 60% of recorded incidents, and 83% of them are financially motivated.
Regarding the type of victim of the attacks:
- Healthcare centers (53%), and specifically hospitals (42%).
- Public health authorities (14%).
- Pharmaceutical industry (9%).
- Primary care (4.5%).
Finally, in relation to the target, or the types of assets affected by the attacks:
- Patient medical data stands out, including electronic medical records, laboratory results, and demographic and administrative data, in 30% of incidents; this allows cybercriminals to carry out impersonation, fraud or extortion against the center or the patient.
- ICT infrastructure data, in 28%.
- Corporate data, in 15% of recorded incidents.
Cybersecurity recommendations
For entities that already have a master plan or cybersecurity strategy in place based on a risk analysis approach, the first recommendation is to accommodate the growing adoption of medical technology and health data flows within that strategy and the risk appetite set by the organization. This means that medical teams work together with IT and security teams when planning the deployment of new equipment, devices, platforms and applications, so that their installation and connection are carried out securely, taking into account organizational controls and countermeasures as well as technical controls that preserve the security of the infrastructure and the information.
Undertaking this mission requires the necessary investment in means and resources, striking a balance between in-house and contracted resources (through the cybersecurity industry) in terms of investment, decision making, configuration, management, operation and capabilities, and taking an approach proportional to the assets to be protected.
Fortunately, the cybersecurity industry in Spain has companies (as shown by INCIBE's 'Catalog of cybersecurity companies and solutions') that cover the entire value chain, from initial consulting to cutting-edge services and products that provide the specific countermeasures needed for each information asset, with deployment approaches ranging from on-site personnel and equipment to fully remote and cloud services.
Regulatory compliance teams also need to stay aware of possible changes in the regulatory framework (such as the entry into force in Spain of the European NIS2 Directive) to guarantee that the organization's level of cybersecurity keeps pace with regulatory requirements.
Another crucial aspect is raising cybersecurity awareness across the entire organization, both at the decision-making and management levels and, especially, among the healthcare professionals who operate the services and handle the sensitive data.
It is recommended to carry out periodic cybersecurity audits of information assets to verify that the cybersecurity measures work in practice, and to detect possible failures so that they can be corrected or improvements identified.
As a final recommendation, it is advisable to assume that an incident can and will occur sooner or later. It is therefore crucial to implement a 'Business Continuity Plan' which ensures that, if a significant incident occurs, the entire organization is coordinated and orchestrated to act in unison for proper crisis management, including communication and media management, coordination with the authorities, incident analysis, containment measures, response, and recovery of data and services, and, most importantly, the return to normality in the shortest possible time so that healthcare services affecting patients are restored.