In the intricate web of the healthcare industry, new internal cyber threats are now emerging. As hospitals, pharmacies, and healthcare facilities increase digitalization, they become prime targets for cybercriminals. Healthcare professionals themselves can intentionally or unintentionally become cyber threat actors in their own sphere. In recent years, there has been a considerable rise in internal cyber threats caused by employees working in the healthcare industry. Luke Smith-Adams, a manager at Baker Tilly, produced a detailed industry analysis covering this issue upon completing the Certified Cyber Insurance Specialist (CCIS) training.
Healthcare Professionals as Cyber Threat Actors
Although it may not appear as such, cyber risk in healthcare is widespread. The urgency of medical emergencies, the mobility of healthcare professionals, and the need for rapid access to critical data can lead to unintentional yet significant security lapses. Data protection in this industry is governed by strict laws, such as the GDPR (General Data Protection Regulation) in Europe and HIPAA (Health Insurance Portability and Accountability Act) in the United States. Breaches of these regulations carry heavy penalties: the maximum fine for a GDPR infringement is the higher of €20 million or 4% of global turnover, although GDPR does provide exemptions for processing data in the case of medical emergencies. In this digital era, where we are more connected than ever before, data is both vital and vulnerable, and internal cyber threats are silently but steadily rising, increasing cyber risk in healthcare.
Intentional Threats: The Dark Side of Access
Access can be a double-edged sword. Healthcare professionals may end up compromising the very systems they rely on. These professionals, particularly those senior enough to have privileged access to sensitive data, can become part of the cyber threat matrix, whether intentionally or unintentionally. Some might deliberately misuse their access for personal gain. This includes gathering confidential patient data to sell to interested parties, an action that could devastate personal lives and breach patient trust. Given the highly sensitive nature of medical information, there is also potential for patient extortion. The world of medical research is not immune to these deliberate internal threats. In the fiercely competitive landscape of clinical trials and studies, the pressure to show promising results can be immense. Unfortunately, this may push some professionals to manipulate or hide results, painting a more appealing picture to secure funding. Data manipulation in a healthcare setting can have grave consequences.
Unintentional Threats: Accidents with Far-Reaching Implications
Despite the gravity of deliberate internal cyber threats in healthcare, unintentional actions often present an equally significant risk. Simple actions such as clicking on a suspicious link or leaving computers unattended can compromise the very systems designed to safeguard patient data. In busy clinical settings like hospitals, or in the homes of patients where in-home healthcare workers provide services, an unattended computer or a connection to an unsecured Wi-Fi network can become an easy target. Another common inadvertent practice with far-reaching consequences is password sharing. This might occur in emergency situations, where expediency overrides standard protocol, or within transient workforces in hospitals where staff frequently move between departments. This leaves systems vulnerable, creating gateways for unauthorized access.
Third-Party Cyber Risks in Healthcare
The healthcare industry is vulnerable to a wide range of third-party cybersecurity risks. Due to the high-value, confidential and potentially life-saving data held in healthcare, the industry is a key target for organized hackers. Disgruntled patients or relatives may even resort to cyber retaliation, seeking “revenge” for perceived poor treatment or unsatisfactory outcomes. Patients themselves may attempt to view, amend, or delete records for reasons like hiding medical conditions or achieving financial gain, using methods like phishing or tampering with supply chains. Corporate sabotage or espionage may also occur, especially in pharmaceutical companies, where competitors may seek unauthorized access to confidential data or manipulate results for their advantage.
In 2022, sensitive or personal data may have been inadvertently collected using basic website cookies through Meta Pixel, a piece of code embedded in the HTML of a website that was estimated to be in use on 33 of the top 100 hospital websites in the United States. According to King & Spalding, it is alleged that Meta Pixel led to the gathering of sensitive health information by Meta when individuals communicated with their healthcare providers via online portals. This type of access to information is a dangerous infringement of privacy laws in the healthcare industry and could open the door to massive class action suits.
How Technology Has Increased Cyber Risk in the Healthcare Industry
The healthcare industry’s vast data volumes and numerous devices create a large physical and digital attack surface. This includes digital databases with valuable patient and pharmaceutical data, interconnected networks for real-time data access, and hardware in medical machines. The industry’s extensive supply chains, integrated into clinical systems, further increase the attack surface, making it vulnerable to ransomware or DDoS attacks. Emerging technologies like AI, automation and remote patient monitoring systems further expand this digital footprint. Additionally, healthcare professionals, especially those with privileged data access, can be targeted for spear-phishing and social engineering attacks, or may pose an insider threat themselves.
In conclusion, whilst the natural focus is on protecting against external threats, the healthcare industry is facing continued growth in internal cyber threats, which can have devastating consequences for patient data and the overall integrity of healthcare systems. This may be because internal threats are often overlooked. Healthcare organizations must prioritize cybersecurity measures, including training healthcare professionals, implementing strict access controls, and regularly updating security protocols. By taking proactive steps to address internal cyber threats, balanced with measures to mitigate external threats, the healthcare industry can safeguard patient information and maintain the trust and reliability of healthcare services.