Increasing Numbers of Healthcare Providers are Strengthening Cybersecurity Measures

Healthcare organizations are custodians of vast amounts of personal and financial data, which makes them attractive targets for cybercriminals. As cyberattacks on the sector continue to rise, a notable shift is underway, as evidenced by a recent survey conducted by the Healthcare Information and Management Systems Society (HIMSS). According to the findings, 55% of healthcare organizations intend to increase their cybersecurity budgets in response to increasing threats.

“Healthcare must invest more in cybersecurity, perhaps second only to education, much like the recent PowerSchool breach,” stated Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research. The sector is notorious for its cybersecurity weaknesses and the potential exposure of sensitive employee and patient Personally Identifiable Information (PII), highlighting a critical need for investment in cybersecurity measures.

Goldberg further emphasized the severity of the situation, noting that breaches and ransomware attacks, which both exfiltrate sensitive PII and then demand ransom while threatening public exposure of that data on the dark web, have become alarmingly common in recent years.

The Change Healthcare Data Breach

The scale of recent ransomware attacks has prompted many healthcare leaders to reassess their cybersecurity frameworks and the relationships they maintain with third-party vendors. This is particularly evident following last year’s ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, which has been labeled the largest healthcare data breach to date. The incident compromised the PII of over 190 million individuals and was linked to a significant cybersecurity oversight—a simple password was used for a user account that lacked critical multi-factor authentication controls.

Increasing Cybersecurity Budgets

The ramifications of this breach, coupled with an increase in ransomware incidents targeting the healthcare sector, have prompted a significant change in budget allocations within the industry. Historically, healthcare organizations allocated 6% or less of their IT budgets toward cybersecurity. However, HIMSS reports that nearly one-third of surveyed organizations now plan to dedicate more than 7% of their IT budgets to bolster cybersecurity efforts this year.

This intensified focus on cybersecurity is particularly crucial, as the consequences of data breaches extend beyond the healthcare industry itself. “The lack of cyber focus and investment in the healthcare sector creates a domino effect on other industries, such as financial services,” Goldberg articulated. “These sectors ultimately face the repercussions of stolen consumer PII, leading to identity theft and resulting fraud.”

Mapped to the MITRE ATT&CK framework, several tactics are likely at play in these attacks, including initial access through compromised credentials and subsequent persistence techniques that let attackers maintain control over affected systems. Adversaries using the methods catalogued in the framework can get past security measures and exploit vulnerabilities in critical systems, which underscores the need for healthcare organizations to strengthen their cybersecurity posture. As the digital landscape evolves, so too must the strategies to defend against these persistent threats.
