The healthcare industry has been one of the most targeted industries over the past few years and hackers have jump-started their attacks since COVID. Attacks on healthcare industries have increased for the last 5 years, with a 42% jump from 2019 to 2020.
These attacks aren’t likely to stop, especially if healthcare companies don’t take any actions or react to a hostile environment. With 2022 just beginning, it’s a good opportunity for healthcare companies to assess what cybersecurity looks like in the near future in order to be better prepared.
We spoke to Alex “Jay” Balan, Security Research Director at Bitdefender to get an expert’s perspective on what cybersecurity will look like in 2022 for the healthcare industry.
Ransomware attacks are the driving force behind the increase in compromises within the healthcare industry. In 2020, 1 in 3 healthcare organizations reported being hit with ransomware, and there was a 45% increase in attacks in the short period from November 2020 to January 2021.
Ransomware is likely to get worse for three reasons:
The data doesn’t lie and there’s no reason why healthcare organizations wouldn’t be among the industries most affected by malicious hackers and data breaches.
Healthcare organizations don’t do enough to protect and secure their data, and they leave themselves susceptible to automated attacks like spray-and-pray spam and phishing, device botnet infections, and exposures due to misconfigured databases.
“Many hospitals don’t have security as their main area of expertise,” says Balan. “Obviously security is important but they haven’t prioritized it.”
Healthcare organizations should have prioritized cybersecurity fundamentals years ago, and that failure is largely the reason why these hacks occur. The companies that still fail to invest in their cybersecurity will only continue to see compromises rise.
The healthcare industry has seen an explosion of IoT and medical connected devices through innovations in healthcare facilities and patient care.
But these devices often bring their own risks, particularly because they’re connected to a facility’s network, making them a potential attack vector. And healthcare companies are doing themselves no favors by not conducting the proper due diligence with these new devices to ensure that the devices themselves aren’t risky and their implementation is done properly.
These risks include:
“Medical and other connected devices can be extremely risky if healthcare organizations don’t take the proper steps to ensure the devices are secure,” says Balan. “A few years ago, we [the Bitdefender research team] found various vulnerabilities in a Smart Plug that could have led to some problems for a lot of companies.”
The discovery of the log4j vulnerability showed how zero-day vulnerabilities can still shock the cybersecurity world and pose a major threat to hundreds and thousands of organizations. Healthcare organizations are not only likely more susceptible to zero-day vulnerabilities; their lack of attention may also lead to an increase in zero-day discoveries.
Without vulnerability assessments, due diligence, and vulnerability management, critical exploits may not be discovered by organizations, increasing the risk that hackers find them first.
“It’s a misconception that a company finding vulnerabilities is a bad thing,” says Balan. “Companies should be looking for vulnerabilities so they know what to fix. Otherwise, they’ll never know they’re susceptible until it’s too late.”
“I go to a lot of cybersecurity conferences like Black Hat, Def Con, and I meet executives from all over. Except healthcare. I’ve never met a healthcare exec at these conferences. They’re the only industry I don’t see.” - Alex “Jay” Balan
Leaders in healthcare will make cybersecurity a priority and devote resources, time, and effort to having basic cybersecurity fundamentals and partnering with key solutions and vendors to drastically improve their cybersecurity posture. In order to address major cybersecurity gaps healthcare organizations have, they should:
The healthcare industry needs to make a significant investment in cybersecurity because the status quo isn’t sustainable. With insurance prices increasing, ransomware attacks becoming more frequent, and the attack surface widening across these companies, having a robust cybersecurity strategy has to become an organizational priority.