ORLANDO - Phishing attacks and ransomware are currently the most prevalent and significant forms of cyberattacks in healthcare, according to a Monday session at the 2022 meeting of the Healthcare Information and Management Systems Society (HIMSS).
"Healthcare providers, vendors, and others are really getting smacked by phishing attacks and ransomware," said Lee Kim, HIMSS senior principal for cybersecurity and privacy. "That's really, really rampant."
But those types of attacks might be only the most visible of cyberattacks; others might be missed because organizations may not be adequately monitoring activity on their network, according to Kim, who discussed the results of the recently released HIMSS 2021 Healthcare Cybersecurity Survey in a Q&A session.
A huge spike
That being said, there has been a huge spike in phishing attacks -- either via email or social media, she noted.
"This is the primary way in which hackers are getting into our systems, whether it's by way of direct email or whether it's social media," Kim explained. "The future really is to consider consistent, repeatable, automated processes."
These phishing attacks can be aggressive, pursuing their targets professionally or personally, according to Kim.
Attackers are largely motivated by money and typically target financial information, she said. For example, attackers have set up phishing sites mimicking payroll systems. Hospital employees can then log into the fake portal, giving up their credentials. Within minutes, attackers can get into the system and, for example, reroute paychecks of key employees.
"That's a nightmare for any organization," Kim said.
Many survey respondents reported no or negligible impact from cyberattacks. However, Kim pointed out that only a portion of respondents stated that they were deploying network monitoring tools.
"So without that, how can you really know what's happening, absent a ransomware or phishing attack that's very visible?" she asked.
Significant disruption
The primary impact of cyberattacks tends to be disruption of business systems and clinical information systems, she said.
"As a person who's been a caregiver for decades, I know how critical that seconds and minutes are to each individual that's entrusting and relying upon a healthcare system for care," Kim said. "So any kind of disruption in patient care and the inability to access information, especially for the most critically ill or patients in dire situations, that's really concerning."
Firewalls, encryption, and intrusion detection are readily available defenses for healthcare organizations, but adoption isn't at the level it should be, according to Kim.
"Why do we only have 78% of respondents fully implementing firewalls in 2022?" Kim said. "Firewalls have been around for 25 years and there should be very little excuse for organizations not to have firewalls and antivirus and other things in place."
Intrusion protection, detection
Kim believes that there should be a much higher adoption rate -- 80% or more -- for implementing encryption. Intrusion detection and protection systems were also being utilized by only 50% to 60% of respondents.
"Unless we can understand what's actually hitting our network and what velocity and to which extent we need to staff up and have resources, then we're essentially running blind in terms of our network security," Kim said.
In positive developments, HIMSS has noted an increase in cybersecurity budgets.
Unsupported legacy systems, which have an increasingly larger footprint across enterprises, also represent a key healthcare cybersecurity challenge. Some medical devices may still utilize Windows XP, for example, Kim said.
"And of course, we have research systems and other things that might run on DOS or XP or Server 2008 or something that's fairly antiquated that's unfortunately still in use," she said.
Automation, education
Although there's a lot more awareness about security in healthcare, the future for cybersecurity is automation, according to Kim.
"Where we need to go is a means by which we can consistently apply our policies and procedures through AI to help to see what's on the network and to help to triage what's going on," she noted.
Also, there needs to be greater education of the risks of cyberattacks.
"The future is increased learning for all of us, whether you're on the tech side or everyday people so that we're more aware [and] so that these low levels of attacks don't happen as much," she concluded. "The higher we raise the bar, the more we'll make our security defenses much more robust and the more we'll protect our patients."
