Hospitals Can Take More Than Your Organs

August 30, 2017 — by Louis Scialabba

You went to the hospital to get your appendix out and one week later your identity was taken from you as well.  How did this happen? In all likelihood, you can thank a hospital worker.

In its 2019 Data Breach Investigations Report, Verizon found that the majority of data breaches in healthcare are associated with internal bad actors, and result from ransomware and phishing attacks. For the second straight year, Verizon reported that ransomware incidents accounted for over 70 percent of all malware outbreaks in the healthcare vertical.

A Growing Epidemic

Per a HealthCareDive brief, almost 32 million patient records were breached in the first half of 2019 — more than double the records breached in all of 2018. And according to Health IT Security, the top ten healthcare breaches in 2019 (so far) have seen more than 200,000 records breached at a time. These are massive numbers.

In July 2019 alone, 42 separate hacking incidents led to the exposure of 22 million people’s healthcare data. There was only one higher month ever measured – February 2015 – when the Anthem breach exposed the data of nearly 80 million members.

Small hospitals, doctors’ offices, and clinics do a great job at making us well, which is their primary focus; cyber attacks on electronic health records have historically not been top of mind. That needs to change, and the sooner the better.

Although healthcare entities have taken small steps in protecting sensitive data, attacks continue to get more and more complex and can originate from both outside and inside an organization.

Per the above-referenced Verizon report, the “healthcare industry is not immune to the same illnesses we see in other verticals such as the very common scenario of phishing emails sent to dupe users into clicking and entering their email credentials on a phony site. The freshly stolen login information is then used to access the user’s cloud-based mail account, and any patient data that is chilling in the Inbox, or Sent Items, or other folder for that matter is considered compromised – and it’s disclosure time.”

Deadly Impacts

Just as small enterprises everywhere are searching for ways to shore up their protection and avoid business disruptions, healthcare organizations have an obligation to protect their business and their patients’ sensitive information — it could very well be a matter of life and death.

A Vanderbilt University researcher posited that mortality rates rise in the aftermath of a cyber attack, thanks in part to corresponding disruptions to medical services and delays in providing treatment. The researcher estimated that healthcare data breaches may cause as many as 2,100 deaths per year in the U.S.

Just think: What would happen if someone hacked into your pacemaker or insulin pump? The threat is so real that former Vice President Dick Cheney revealed on CBS’s “60 Minutes” in 2013 that he had the wireless capability on his pacemaker disabled.

A Prime Opportunity for Service Providers

Good help can be hard to find, especially when it comes to experts in the complex field of cybersecurity.  Carriers who are experienced (either by themselves or with partners) in protecting their infrastructure and offering services to small- and medium-sized businesses can benefit from new revenue streams by offering security solutions to the healthcare sector.

There are three major ways a Service Provider can get into the business of selling an MSSP service:

  1. White label an existing service. This is the least risky of the options, and requires no upfront capital. It’s also the fastest way to bring a service to the market. The carrier gets to focus on sales, marketing, and back-office support, but delegates the security expertise and the technology to a partner. This can be sold as a part of connectivity or compute/storage services as part of a high-value bundle.
  2. Build your own service. This takes the most time, capital, and resources, but also offers the highest margins and overall NPV. If you have an in-house IT team that can operate and manage a network security solution, you can maximize your return on investment.
  3. Get the best of both worlds. A third option is to start with a white-labeled service before transitioning to managing it in-house. You forgo large capital expenditures up front so you can focus on marketing and selling the service while building back-office operations and expertise. You’ll be able to quickly serve customers and gauge enthusiasm while planning to migrate operations in-house over time to recognize the large profit streams in the later years.

This post was updated on September 13, 2019.

Louis Scialabba

Louis Scialabba is Director of Carrier Solutions Marketing for Radware and is responsible for leading network security and application delivery marketing initiatives for global service providers. Mr. Scialabba has over 23 years of experience in the communications and networking industry in a variety of Sales, Marketing, and Engineering roles. Prior to joining Radware, Mr. Scialabba spent much of his early career at Tellabs, where he was Director of Mobile Backhaul Product Planning and Product Management. He later became the Head of North America Marketing for Aviat Networks. Mr. Scialabba earned a Bachelor of Science degree in Computer Engineering from the University of Illinois and a Master of Business Administration degree from St. Xavier University in Chicago.
