HEAL Security Healthcare Cybersecurity Roundup: 22 March 2023
HEAL Security | Actionable intelligence on cyber threats, risks, and remedies for Healthcare
Unify the practice of cybersecurity with industry-specific knowledge, expertise, insights, and decision-making.
Watch this week’s healthcare cybersecurity roundup from HEAL Security Dispatch.
For the latest healthcare cybersecurity threat, risk and alert intelligence, subscribe to our information and insights service at https://healsecurity.com.
Heal Security YouTube Channel: https://lnkd.in/gqaqKZae
In this edition:
In-depth analysis on 385M US patient records exposed from 2010–2022
A recent article in Healthcare Dive Magazine analyzed the 385 million U.S. patient records exposed between 2010 and 2022, revealing that the number of healthcare data breaches of more than 500 patient records tripled over the period, with over 700 such attacks in 2022 alone.
The article provides information, supported by interactive graphs, to illustrate why the healthcare sector remains the prime target for cybercriminals, including analysis of the growth in electronic health records, remote working and connected medical devices, and the tactics and techniques used by ransomware and other bad actors.
It concludes that, despite all its efforts to date, the healthcare industry’s increasing reliance on digital technologies to gather and store confidential patient and medical data has inevitably broadened the range of potential attack vectors for cybercriminals.
To counter this ever-evolving threat, the entire healthcare sector needs to comprehensively change its approach to cybersecurity, including establishing a forum for cross-industry knowledge-sharing on past, present and future cyber threat, risk and attack activity.
Access to a trusted resource for all sector-related cybersecurity intelligence is an important first step in enabling healthcare providers to better protect the patient data, medical devices and IT systems that keep our healthcare systems running.
Legacy technologies provide low-hanging fruit for cyber criminals
Although the healthcare industry is known for being one of the most technologically advanced infrastructure sectors, it continues to utilize legacy technologies — outdated systems, hardware and software — that were never designed for internet connectivity. And those legacy technologies lack modern cybersecurity safeguards, making them especially vulnerable to criminal cyber attacks.
A 2021 HIMSS survey of healthcare IT leadership revealed that 73% used legacy technologies, despite considering them a high cybersecurity risk, with the cost and complexity of upgrading to more secure systems the primary factors behind their continued usage.
A Healthcare IT News interview with Tony Jaros of Legacy Data Access explored how healthcare entities must balance the risks of their continued usage of outdated technologies when upgrading to newer systems, while operating in an ever-evolving healthcare cybersecurity landscape.
Upgrading just one aspect of an organization’s interconnected IT infrastructure can create a ripple effect across its entire digital ecosystem, so healthcare decision-makers must carefully assess and integrate cyber risk into their business continuity and risk management strategies.
Making the move from a reactive to proactive cybersecurity stance
As cybercriminals and other bad actors continue to attack healthcare providers and their third-party supply chain partners, it’s imperative that those organizations adopt a proactive approach to identifying, understanding and acting upon potential cyber threats.
Although compliance with government and industry regulations is an important first step, it’s not enough. To stay ahead of the criminals lurking in the shadows, healthcare cybersecurity decision-makers must remain informed of the latest specific cybercrime activity that could impact their IT infrastructure.
That’s near impossible, given the overwhelming mass of raw data — emails, alerts, forums, government warnings and vendor updates — that they need to wade through on a daily basis, much of it post-event logs and analysis of limited use.
An extensive article in Security Today magazine explores how healthcare organizations can move from a compliance-centric approach to an agile and responsive risk-based management program that anticipates the likelihood and impact of potential cyber attacks and connects back to their overall business strategy.
As a first step to achieving that, the healthcare industry must establish a method of delivering targeted, trusted and relevant real-time insights and analysis directly to the people responsible for maintaining healthcare organizations’ essential IT and connected digital infrastructure.
Read more at https://healsecurity.com/taking-a-proactive-approach-to-risk-in-the-healthcare-industry-security-today/
EHR adoption amplifies need for end-to-end cybersecurity strategy
Over the past decade, the U.S. healthcare system has witnessed widespread adoption of electronic health records, or EHRs, with usage currently reported to be growing at 70% year-on-year.
EHRs, effectively digital versions of an individual’s medical information, are designed to enable healthcare providers to speedily and easily access patient health data and medication history, irrespective of where they may be located.
One of the main drivers behind their adoption was the Health Information Technology for Economic and Clinical Health (or HITECH) Act of 2009, which provided funding incentives for healthcare providers to implement EHR technology. As a result, adoption rates skyrocketed, from just 9% in 2008 to over 90% in 2019.
While EHR usage has assisted in creating a more efficient and coordinated healthcare system, it has also raised considerable privacy and security concerns, with 49.2 million U.S. patient records compromised in the past year — over 4.1 million of them in a single ransomware attack.
To protect themselves from data breaches and cyber attacks, healthcare systems looking to adopt EHR solutions should learn from the experience of their American counterparts by implementing an end-to-end cybersecurity strategy that encompasses regular personnel safety training; software, hardware and systems security inspection; continual monitoring for suspicious activity; and clear protocols on staff access and usage.
And they must ensure that those same cybersecurity procedures are implemented across their third-party supply chain, especially cloud-based app, service and storage providers.
Standardization is key. Device manufacturers, software and systems vendors need to establish common usability and interoperability standards, immediately share information on vulnerabilities and mitigation strategies, and go beyond regulatory guidelines to properly protect the safety and confidentiality of EHR data.
Find out more at https://healsecurity.com
Emerging technologies can be used to strengthen cyber defenses
This week’s release of GPT-4, the successor to the widely-acclaimed ChatGPT text generation tool, has again brought the spotlight back onto artificial intelligence technologies and their potential impact on every area of society, including the healthcare industry.
However, as reported in Security Boulevard, they also pose new cybersecurity challenges — in particular their potential to identify and exploit system vulnerabilities, generate hyper-personalized phishing emails, and even mimic executives’ voices to authorize fraudulent transactions.
Evidence is emerging daily of cybercriminals employing increasingly sophisticated AI and machine learning tools.
In light of that, healthcare entities must reevaluate their risk calculus around these new technologies, update their defensive and offensive security strategies, and leverage them to strengthen their own cybersecurity defenses.
In doing so, they can bridge the innovation gap caused by the global shortage of skilled cybersecurity professionals by automating data collection and analysis, reducing the time and effort expended on repetitive and recurring tasks, and improving in-house development capabilities.
Additionally, healthcare providers can safeguard their email systems by employing advanced security tools to comprehensively block different attack vectors, including phishing and social engineering tactics, and adopt a zero-trust architecture with secure access strengthened by multifactor authentication.
However, as the healthcare sector incorporates AI and machine learning into its clinical and administrative workflows, it must ensure that users adhere to strict usage policies and comply with the latest technical controls and data loss prevention procedures.
To receive daily updates on global healthcare cybersecurity, subscribe to our information and insights service at www.healsecurity.com
Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan
1 year ago: Thanks for posting.