
How Healthcare Providers Should Think About Balancing Innovation Efforts with Cybersecurity Goals

Written by

Steve Winterfeld

June 14, 2024

Steve Winterfeld is Akamai's Advisory CISO. Before joining Akamai, he served as Director of Cybersecurity for Nordstrom and CISO for Nordstrom bank, and served as Director of Incident Response and Threat Intelligence at Charles Schwab. Steve focuses on ensuring that our partners are successful in defending their customers and on determining where we should be focusing our capabilities. Steve has published a book on cyber warfare and holds CISSP, ITIL, and PMP certifications.

The healthcare industry is at significant risk as the security implications of APIs are not yet fully understood.

In 2023, for the 13th year in a row, the healthcare industry experienced the highest data breach costs of all industries, with the average cost hitting US$10.93 million — a jump of more than 53% since 2020. This challenge is compounded by the repercussions from COVID-19 that providers are still experiencing. 

Many healthcare providers are stretched to their limits because of staffing and financial resource limitations and a high turnover rate. Investments, when available, are primarily funneled toward clinical innovations like telehealth and a burgeoning Internet of Medical Things (IoMT), with less organizational spend on more traditional functions like evolving cybersecurity approaches that are pivotal to organizational resilience. 

This blog post reviews how to balance innovation with the cybersecurity needed to prevent the high costs of a data breach.

In a U.S. Department of Health and Human Services (HHS) analysis of data breaches published in December 2023, the chief security officer for the Health Information Sharing and Analysis Center said that, on average, 3,604 patient records were breached and reported to HHS every hour*.

The number of cyberattacks on providers and hospitals continues to spike. Connectivity and interoperability fueled by web applications and the mandated use of APIs expose providers and patients to risk. Unpatched vulnerabilities and technical debt from legacy technology are a costly challenge that ransomware groups use to their advantage.

And the ongoing threat of distributed denial-of-service (DDoS) attacks on hospitals, attributed by the Health Sector Cybersecurity Coordination Center (HC3) to hacktivist groups and the geopolitical climate, is disrupting patient care. All this is leading to data breaches of protected health information (PHI); negative impacts on customer care; and, in some cases, patient safety issues.

A steady drumbeat of attacks pounds provider organizations

Akamai research found that during the 12-month reporting period from March 2023 through February 2024, web application and API attacks against provider organizations continued at a steady pace (Figure 1). This trend will likely continue to grow, with fluctuations, as cybercriminals take advantage of both new and tried-and-true vulnerabilities inherent in evolving care models, delivery methods, and innovation to attack and abuse web apps and APIs.

[Figure: Monthly Web Application Attacks: Provider]

Fig. 1: Monthly web application and API attacks against provider organizations globally averaged 21 million

Care coordination enabled by data sharing and interoperability through the use of web apps and APIs allows for better clinical and financial outcomes. However, the healthcare industry is at significant risk as the security implications of APIs are not yet fully understood. Fortunately, the 2016 21st Century Cures Act and its new Information Blocking Rule are driving transparency requirements for healthcare providers (and the rest of the ecosystem) to use APIs.

Balancing optimal care coordination with the risk from vulnerabilities

Because of the vast number of patient records and system connectivity points, healthcare providers need to optimize care coordination while also implementing controls to provide visibility to proactively mitigate the risk from vulnerabilities. This balance is often challenging when deploying new technologies and infrastructure like APIs. 

Akamai researchers also looked at application-layer (Layer 7) DDoS attacks against provider organizations during the same 12-month period, and found a steady cadence of disruption (Figure 2). We can attribute this, in part, to a global DDoS campaign by pro-Russian hacktivist group Killnet against healthcare, with a focus on provider organizations in the United States. Throughout those 12 months, cybercriminals continued to leverage DDoS attacks that introduced risk to patient care.

[Figure: Monthly L7 DDoS Attacks: Provider]

Fig. 2: Monthly DDoS Layer 7 attacks against provider organizations globally averaged 406 million

DDoS attacks are setting new records for scale and speed

Unlike traditional infrastructure Layer 3/4 DDoS attacks, which aim to overwhelm network and transport layer infrastructure, application-layer DDoS attacks target specific application functionalities or the application server itself. They can cause significant damage even with a relatively small amount of malicious traffic.

With more healthcare interactions happening via apps, it is increasingly critical to the patient experience to get timely information and care. DDoS attacks across Layer 7, Layer 3/4 and DNS are all setting new records for scale and speed, so it is critical to make sure you have protections and processes in place.

Attacks on multiple fronts keep providers on alert

Ransomware attacks that limit access to healthcare records and force ambulances to divert highlight the fact that if you don’t have access to medical history, you can’t coordinate among healthcare providers. Reverting to paper records disrupts the tracking of patient care operations, the communication between key departments, and all ordering services.

When sensitive data is affected, provider organizations also have to deal with the impact of a data breach. Exploitation of vulnerabilities in popular software tools allows unauthorized threat actors to gain access to a treasure trove of data, from PHI to health insurance and medical information.

And a rise in DDoS activity, attributed to geopolitical developments and hacktivist groups, has caused outages that can threaten patient outcomes. The entire healthcare ecosystem has been affected — provider organizations were the most frequently targeted in Killnet’s large-scale DDoS strike in 2023. The Health Sector Cybersecurity Coordination Center (HC3) has warned that service outages of even just a few hours can affect the spectrum of day-to-day operations — from routine to critical — with potentially significant consequences.

Patient protection must include data protection

Part of patient care is the ability to protect and control access to patient data. Traditionally, healthcare cybersecurity budgets and teams have been slim, which has contributed to data protection challenges. But as cyberattacks against healthcare provider groups continue to make headlines, the provider groups continue to enhance outsourced protection partnerships and increase cyber insurance coverage.

Momentum will continue to build as healthcare providers benefit from U.S. government policy updates that are designed to enhance resilience across sectors (such as healthcare) that are deemed critical infrastructure.

Layering defenses as a preventative measure

Threat actors have demonstrated that they are highly motivated and sophisticated — and will leave no stone unturned to execute attacks against hospitals and other healthcare infrastructure. By prioritizing cybersecurity and layering defenses, healthcare providers can proactively protect patients and their PHI from cyberattacks and mitigate risks to the organization on multiple fronts.

Are you on the right track? This checklist can help you focus your investments accordingly and prevent the high cost and damages from major cyber incidents. 

  • Deploy security controls for your web applications and APIs to ensure visibility and rapid mitigation of cyberattacks

  • Protect your staff with Zero Trust Network Access (including multi-factor authentication (MFA) to avoid account takeovers, microsegmentation to minimize impact, and a secure web gateway to prevent data exfiltration)

  • Protect access to your infrastructure with a DDoS mitigation tool to protect both websites and IT infrastructure, including your DNS 

  • Partner with vendors that provide both training and expertise to correctly set up and manage cybersecurity solutions

Learn more

Learn more about how Akamai partners with provider organizations to understand and solve for emerging and evolving threats. 

*Mark Hagland. Health-ISAC’s Errol Weiss on This Perilous Cyber Moment in Healthcare. Healthcare Innovation. January 23, 2024.


