Global cybercrime will reach $10.5 trillion by 2025, making it more profitable than the international drug trade and larger than all economies except the U.S. and China. In particular, cybercrime is making a major impact on the U.S. healthcare system.
Cybercriminals from every corner of the globe are sending out 3.4 billion phishing emails daily, according to Earthweb, and U.S. healthcare organizations are a prime target. In 2021, 61% of respondents to a Sophos healthcare study reported that they paid ransoms, which is a rate higher than any other sector. And, ransomware attacks on healthcare organizations increased an alarming 94% in just one year.
The pandemic made the situation worse. Hackers are taking advantage of stressed healthcare employees and unprotected networks to infiltrate their systems. According to Paubox data, the number of attacks against healthcare providers has been steadily rising and malicious emails have increased 600% since the pandemic began.
Why is healthcare particularly vulnerable to cyberattacks
Healthcare organizations have experienced a spike in attacks due to their high propensity to pay a ransom, the value of patient records, and often inadequate security. The sector also has a zero-sum choice between paying a ransom and risking patients' lives, which bad actors exploit. Because healthcare providers can't fully serve patients without access to records and monitoring digital medical tools connected to health networks, they often yield to demands to put patients first. It is important to note, however, that not all organizations that pay a ransom get their data back.
Phishing attacks are exceptionally dangerous for healthcare organizations because patient data is one of the most valuable assets for criminals today. Protected health information (PHI) is worth a fortune to cybercriminals and is one of the hottest commodities on the dark web. Experian tags stolen patient records as going for $1,000 each, while credit card numbers are selling for around $5 each, a hacked Instagram account is $7, and Social Security numbers are worth a paltry $1.
In addition, criminals experienced in drug trafficking and money laundering eagerly buy medical records to obtain prescription medications, file bogus medical claims, or steal the information to open credit cards and take out fraudulent loans. Medical records are a rich resource of valuable and permanent data points, while accounts and credit cards are quickly canceled.
Cyberattacks on healthcare also yield exorbitant ransoms. For example, the ransomware known as Ryuk has purportedly been used to extort millions from U.S. healthcare facilities since 2018. In addition, the average price tag of a healthcare data breach just climbed to $10 million, according to IBM Security's annual Cost of a Data Breach Report.
How healthcare organizations can protect themselves against cybersecurity threats
Every healthcare company needs to prioritize security. In particular, since email is one of the most frequent entry points for data breaches, a zero trust approach is recommended for organizations to adopt.
Healthcare providers also have a legal obligation to protect patients and their PHI, especially when sending or receiving emails. So, email security strategies and solutions need to address both cybersecurity and HIPAA compliance.
Cybersecurity leaders should follow these steps to prevent a data breach:
- Educate and train staff to reduce the risk of social engineering attacks via email and network access.
- Assess enterprise risk against all potential vulnerabilities and prioritize implementing the security plan with the necessary budget, staff and tools.
- Develop a cybersecurity roadmap that everyone in the healthcare organization understands.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) encourages organizations to familiarize themselves with the growing threat of ransomware and provides links to online government resources to help healthcare facilities protect themselves.
The risk of not implementing an email security program is too high
Health system leaders are asking for help to fight off hackers. However, insurers sometimes won't cover damages, and there are complaints that there is not enough government or law enforcement support.
Consider this: To date, 60% of healthcare organizations have raised prices to cover the expense of a breach. And the regulatory compliance and legal expenses can extend for years. Those costs are spilling over to the U.S. population, already burdened with inflation.
The best way forward for healthcare organizations is to acknowledge the severe threat of the cyberwar being waged, assess their situation, and plan and implement a security strategy tailored for the sector, providing staff with the tools and resources necessary to prevent a cyberattack.