Cybersecurity and Data Privacy in the Healthcare Sector

Today we’re writing about data privacy in the healthcare sector. We’ve got an interesting line-up to get you up to speed on cybersecurity in the healthcare sector.

Our articles for you today

01. Safeguarding Patient Privacy in the Healthcare Sector

This is becoming an increasingly important topic. In addition to the ethical and regulatory requirements to protect patient data, our analysis shows that, globally, the financial costs resulting from data breaches in the healthcare sector exceed those of the financial and energy sectors combined.

source: CyberVade analysis from 2023 Statista dataset

One might wonder why the healthcare sector is such a sensitive sector when it comes to cyber attacks. This is mainly because the sector holds vast amounts of sensitive patient data, and its adoption of a wide range of digital technologies (e.g. electronic patient records, telemedicine, Internet of Things (IoT) devices) expands the attack surface available to cybercriminals [2].

Understanding the Threat Landscape

For the period from January 2021 to March 2023, the European Union Agency for Cybersecurity (ENISA) performed an extensive analysis of the threat landscape for the EU healthcare sector. It identified the following top 5 cyber threats for the sector [1]:

  1. Ransomware: cybercriminals take control of your asset(s), typically by encrypting them, and demand a ransom in exchange for their release

  2. Data-related threats: cybercriminals obtain unauthorized access to data and disclose and/or manipulate it

  3. Intrusion: an attack on the system has been confirmed, but the details of the breach are unclear

  4. Distributed Denial-of-Service (DDoS): cybercriminals overload a service and its resources to prevent legitimate users from accessing data and/or services

  5. Supply-chain attacks: attacks that combine a compromise of a supplier with an attack on that supplier’s customers, so that both the supplier and the customer are targets

Practical steps for Protecting Patient Data

Protecting patient privacy from these cyber threats is therefore paramount. For organizations in the healthcare sector, the following practical steps give you the best chance of protecting yourself and the patient data entrusted to you:

  • Regularly train your employees to build awareness of phishing scams and of proper data-handling protocols

  • Keep your software systems updated, use robust encryption, and apply layered defenses (e.g. multi-factor authentication, MFA)

  • Conduct regular security assessments to identify vulnerabilities

  • Prevent lateral movement by restricting where user accounts can reach, use secure communication channels, and grant access to patient data only on a need-to-know basis

  • Have a plan to mitigate breaches, ensure compliance with the data protection regulations that apply to you, and be prepared to respond to incidents.

In today’s digital landscape, safeguarding patient privacy demands constant vigilance. By integrating these proactive measures into everyday practices, healthcare providers can both protect sensitive data and foster trust and confidence in their commitment to patient confidentiality and security.

Reach out to us for assistance in the practical steps to keep you cybersafe.

02. A cyber event every month in the healthcare sector [3]

Here are some recent headlines relating to cyber events in the healthcare industry:

Let's explore what happened in the Change Healthcare breach.

The importance of MFA

Multi-factor authentication (MFA) is not a popular security requirement. Employees dislike the extra step of entering a code when logging in to systems, and they have a point: from the user’s perspective it is a bit irritating. But how necessary is MFA? We will illustrate this with a recent example from the healthcare sector: the Change Healthcare breach that came to light on February 21, 2024.

The hackers had obtained stolen user credentials. (Credentials are stolen in many different ways, which we will elaborate on in a future newsletter.) Using the stolen credentials, the hackers logged in to the Citrix portal that was being used for remote access to desktops (a hugely popular application used by many organizations). Because the portal did not require MFA, the hackers could simply enter and then move laterally, meaning they could move from the desktop they had entered into other systems of the organization. In this way they reached the areas where private data was stored, stole health data, and installed ransomware, which was deployed on February 21, nine days after the initial intrusion.

Health data belonging to a significant portion of the US population was stolen this way, and yes, in this case it looks like this huge breach can largely be attributed to the simple lack of enforced MFA on remote desktop access.

This breach underscores the importance of enforcing MFA on all access to systems, and on remote-access portals in particular. A password alone, no matter how long and complex, is not enough to safeguard sensitive data.
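As an added illustration, not part of the original newsletter, the short Python script below shows what “enforcing MFA” looks like when you audit for it: it reads remote-access authentication events and flags (a) successful logins that the gateway accepted with a password only and (b) accounts that fanned out to many internal hosts shortly after logging in, which is the lateral-movement pattern described above. The JSON-lines log format, the user names, hosts and IP addresses are all constructed for this example; the script does not parse any real Citrix or vendor log format.

```python
# Added example (not from the original article): audit constructed remote-access
# authentication logs for the two things the Change Healthcare story hinges on:
# (1) successful remote logins completed with a password only, i.e. MFA was not
#     enforced for that login, and
# (2) accounts that, after logging in, reached many internal hosts within a short
#     window, which is what lateral movement looks like in access logs.
# The JSON-lines format, users, hosts and IP addresses below are invented for
# this example; they are not a real Citrix or vendor log format.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-02-12T09:01:10Z", "event": "remote_login", "user": "svc-remote", "src_ip": "203.0.113.8", "factors": ["password"], "result": "success"}
{"ts": "2024-02-12T09:03:41Z", "event": "remote_login", "user": "dr.smith", "src_ip": "198.51.100.23", "factors": ["password", "totp"], "result": "success"}
{"ts": "2024-02-12T09:05:00Z", "event": "remote_login", "user": "nurse.lee", "src_ip": "198.51.100.77", "factors": ["password"], "result": "failure"}
{"ts": "2024-02-12T09:06:12Z", "event": "host_access", "user": "svc-remote", "host": "vdi-014"}
{"ts": "2024-02-12T09:11:30Z", "event": "host_access", "user": "svc-remote", "host": "fileshare-02"}
{"ts": "2024-02-12T09:14:05Z", "event": "host_access", "user": "svc-remote", "host": "ehr-db-01"}
{"ts": "2024-02-12T09:18:47Z", "event": "host_access", "user": "svc-remote", "host": "backup-01"}
{"ts": "2024-02-12T09:20:00Z", "event": "host_access", "user": "dr.smith", "host": "vdi-031"}
"""

REQUIRED_FACTORS = 2  # password plus at least one independent second factor


def parse_events(text):
    """Parse JSON lines into dicts, converting 'ts' to a datetime; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def single_factor_logins(events):
    """Successful remote logins accepted with fewer than REQUIRED_FACTORS.

    Failed password-only attempts are not reported: the gap that matters is a
    login the gateway *accepted* without a second factor.
    """
    findings = []
    for ev in events:
        if ev.get("event") != "remote_login" or ev.get("result") != "success":
            continue
        if len(ev.get("factors", [])) < REQUIRED_FACTORS:
            findings.append((ev["user"], ev["src_ip"], ev["ts"].isoformat()))
    return findings


def fan_out_after_login(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts that reached at least `min_hosts` distinct hosts within `window`
    of a successful remote login. Returns {user: sorted list of hosts}."""
    logins = defaultdict(list)
    for ev in events:
        if ev.get("event") == "remote_login" and ev.get("result") == "success":
            logins[ev["user"]].append(ev["ts"])

    hosts = defaultdict(set)
    for ev in events:
        if ev.get("event") != "host_access":
            continue
        # Count the host only if the access falls inside the window after some login.
        for t0 in logins.get(ev["user"], []):
            if t0 <= ev["ts"] <= t0 + window:
                hosts[ev["user"]].add(ev["host"])
                break

    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


def audit(text):
    """Run both checks over a log text and return the findings as a dict."""
    events = parse_events(text)
    return {
        "single_factor_logins": single_factor_logins(events),
        "fan_out": fan_out_after_login(events),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, ip, ts in report["single_factor_logins"]:
        print(f"MFA gap: {user} from {ip} at {ts} logged in with a password only")
    for user, hosts in report["fan_out"].items():
        print(f"Fan-out: {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Run as-is, the script reports one MFA gap (the password-only login by svc-remote) and one fan-out (the same account reaching four hosts in under twenty minutes); dr.smith, who completed a second factor and touched one host, is not flagged. In practice you would feed parse_events with your gateway’s exported authentication events, and treat any non-empty result as something to fix rather than merely alert on: the remedy is to require the second factor on the portal, not just to detect its absence after the fact.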

About CyberVade
CyberVade is a professional service provider focusing on cybersecurity, data privacy, AI, and compliance. CyberVade’s mission is to fortify your business by offering knowledge and managed cybersecurity tools that assist companies in their defensive strategies against the ever-growing attacks from cybercriminals. We also help clients become compliant with any framework that applies to them, such as PCI DSS, ISO 27001, and SOC 2.