21 Cybersecurity Experts & Business Leaders Share the Biggest Healthcare Security Threats in 2021 and Beyond
There are no two ways about it: healthcare cybersecurity is a critical concern for healthcare providers. A 2020 study by IBM found that the average cost of a cybersecurity breach in the healthcare industry amounted to a massive $7.13 million. Not only does this represent a 10% increase over the 2019 study, but it also makes healthcare the industry with the highest average data breach cost.
As if that weren’t troubling enough, the study also identified that the lifecycle of a breach in the healthcare sector averaged 329 days—96 days more than that of the finance industry. To top it off, hackers are increasingly targeting healthcare providers.
With the increasing incidence and costs associated with cybersecurity attacks in the healthcare industry, it has never been so important to understand and address the security threats that healthcare providers face now and in the future.
To learn more about the biggest healthcare security threats facing healthcare providers, we reached out to a panel of cybersecurity experts and healthcare executives and asked them to answer this question:
"What is the biggest healthcare security threat for 2021 and beyond?"
Meet Our Panel of Cybersecurity Experts & Healthcare Executives:
Keep reading to discover what our experts had to say about the greatest threats to healthcare security now and in the future.
Veronica Miller
Veronica Miller is a Cybersecurity Expert at VPNOverview.
"Ransomware is the biggest healthcare security threat for 2021 and beyond…"
The majority of healthcare organizations believe they are well-prepared to cope with a ransomware attack. To stop ransomware attacks, healthcare organizations have upgraded their infrastructure and educated end-users. End-users are responsible for the majority of ransomware attacks since they click on links and download malware.
Ransomware is more likely to strike healthcare organizations because their systems store patient data, and healthcare providers cannot risk putting patients' lives in danger by losing access to that data. They feel obligated to act quickly and pay the ransom, despite the fact that they will have to go through a lengthy rehabilitation period. Any company that has an impact on people's lives cannot afford to cause damage. Instead of fighting, they talk about money.
Eric McGee
Eric McGee is a Senior Network Engineer at TRGDatacenters.
"The biggest security threat in healthcare is mobile health (mHealth) mobile applications…"
Hospitals and clinical practices must be aware of the threat of security breaches and health data theft as more health and wellness programs and procedures become available on mobile devices. Patients and visitors, as well as doctors, nurses, and hospital personnel, use tablets and mobile devices. This increases the risk of security breaches on both sides of the patient care equation.
In order to keep health data as safe as possible, network access control (NAC) solutions can be a smart step. NAC will identify each user and system type before scanning for threats or out-of-date spyware protection. Where many devices are interconnected, NAC solutions can also keep other devices and equipment safe.
William Cannon
Will Cannon is the CEO of Signaturely.
"To understand healthcare security threats, you need to think of endpoints as start points..."
The most crucial issue for security experts, at a time when work from home is the model, is endpoint protection and response. Mobile devices, laptops, and residential workstations may be generally regarded as “endpoints.” But in terms of security risk, they are “start points” where threat actors will constantly strike first.
Security experts must thoughtfully consider the “pandemic effect” on IT. Therapists, physicians, nurse practitioners, and others are accessing telemedicine from their residences. Businesses rely on these elongated endpoints outside the enterprise firewall, most of which are supported by cloud-based applications and data repositories.
Phishing scams are a popular means of obtaining access to these endpoints, but the attacks don’t cease there. Internet connections are an added point of vulnerability for healthcare organizations. A staffer’s work environment may seem adequately secured, but in security terms, it can be easy for threat actors to infiltrate.
Offenders have ways to enter a huge range of residential IoT devices. Connected home devices, voice assistants, and even fridges have internet connections these days, making them comfortable points of entry to enter private networks and reach endpoints.
Jeff Cooper
Jeff Cooper is the Manager of Messagely.
"Free EDR services are a huge threat to healthcare security…"
Behavior change is essential, but so is the foundation. Companies should spend money on a powerful endpoint detection and response (EDR) platform to secure their end devices. Free EDR services may be a charming alternative, but they are often reverse engineered by offenders and can be questionable.
An obtained solution can present stronger security. Monitoring and administration are other significant elements of security. Rich EDR data should be stuffed into a Security Information and Event (SIEM) platform where it can be regularly watched for potential endpoint intervention. A tool like SIEM enables data from disparate security solutions to be consolidated into a single interface to prioritize and triage recognized threats, enabling IT staff or managed providers to immediately address and block lasting damage.
Mobile device management (MDM) platforms have built-in protection functionality that overlays and enhances endpoint security platforms. MDM solutions enable security teams to lock down USB ports on remote laptops, so data can’t be transferred to an external drive and surpass the security bubble.
They also support geofencing. That is, if a laptop or other mobile gadget is taken outside a pre-defined geographic territory, the company is alerted and the data on that equipment can be wiped remotely.
Casey Crane
Casey Crane is a Cybersecurity Expert and Journalist at SectigoStore.com. She’s written articles for a number of industry publications, including Hackernoon, Hashed Out, Cybercrime Magazine, and Infosec Insights.
"Hands down, the biggest healthcare security threat is insecure data…"
If you don't take the appropriate steps to secure and safeguard your data, someone will get their hands on it. It's not a matter of if, but how soon they will do so. Sure, securing your data means protecting it both while it's in transit and at rest (with this including everything from transmitting data between devices to storing it on your organization's servers).
But effectively protecting healthcare data and personally identifiable information is more than that. It's also about defining and limiting who has access to what data. A big part of this boils down to having the mechanisms and policies in place that support your data protection efforts. After all, not everyone within your organization needs access to sensitive data.
Data security is crucial for all organizations and businesses because personal information like PII, healthcare records, and health insurance-related data are especially valuable to cybercriminals.
2019 data from Trustwave shows that a single healthcare record can sell for $250 on the black market. This is way more valuable than credit card information. And imagine how much that value has risen over the past two years! It's significantly harder to change your social security number than it is to change a credit card.
Healthcare data security requirements can vary depending on the country in which your business operates. Here in the U.S., you need to be compliant with HIPAA. But being compliant with HIPAA's technical and administrative safeguards can be a bit tricky. HIPAA itself is intentionally vague about how to protect data. It lays out what you need to do, but doesn't tell you exactly how to do it. That's because HIPAA was created more than 20 years ago, and its creators recognized that technology would change over time.
Noncompliance with data security requirements can result in fines, penalties, criminal charges, and lawsuits. But to make matters worse, it harms your reputation and can result in irreversible damage. And once you lose your customers' trust, it can be hard to earn back.
Nelson Cicchitto
Nelson Cicchitto is Chairman, Chief Executive Officer, and President of Avatier Corporation. Nelson oversees its overall corporate and product strategies. He is a career information technology leader and joined Avatier Corporation in 1995. With over 20 years of experience defining and implementing information technology visions for Fortune 100 companies, he commercialized the world’s first delegated administration solution for the Microsoft Windows NT platform.
"Identity theft is a huge healthcare security threat…"
Organizations need to invest in technical safeguards for identity management that protect electronic healthcare records (EHRs) from internal compromise and external factors like computer hacking or network errors.
Some of these suggestions are more easily implemented than others. To establish technical safeguards, companies can rely on third-party experts to provide products and services that will secure patient information.
Avatier, an identity management company, offers simple solutions for protecting patient data. Services like single sign-on (SSO) force users to sign in through a single portal, which allows companies to easily monitor access and usage. Features like user provisioning ensure that everyone who needs access to patient records can obtain information, while access is restricted for those who do not require it.
SSO embeds the additional benefit of improved password management. First, SSO users can more easily establish and use a strong, unique password for their accounts. Additionally, healthcare providers can change passwords at the server level to avoid exposing personal data in the event of a data breach.
HIPAA places a heavy information and security burden on healthcare providers and companies with access to healthcare information. Services like SSO allow these companies to safely share patient information in a manageable and secure way.
It’s difficult to pair the two topics of healthcare and privacy. Companies that operate in this space must provide excellent service while meeting HIPAA’s demands for an accurate balance of access and privacy. Companies must approach this with dynamic safeguards in their procedures, personnel, and technology.
Fortunately, they don’t have to go it alone. Experts that specialize in identity management solutions and features like SSO, password management, and user provisioning establish a firm foundation for patient access and data security. Such combinations of access and privacy are becoming the defining elements of successful healthcare companies now and in the future.
Peter Clay
Peter Clay is a Managing Partner at Cyberopz.
"The biggest healthcare security threat is the abolition of the corporate computing castle..."
Previously, computing lived under the control and protection of an organization, with end-users, devices, and equipment all interacting under the one roof. However, there are now many apps, devices, and the like that exist outside the physical four walls of an organization in their own autonomous environments. This poses a big threat to healthcare security.
Ari Jacoby
Ari is the CEO and Co-founder of Deduce, the leading provider of cybersecurity solutions powered by real-time customer identity data. A successful four-time founder, Ari co-founded and led Circulate (acquired by LiveRamp, an Acxiom company), Solve Media (acquired by Adiant), Voicestar (acquired by Marchex), and Newsletters.com (acquired by MarketResearch).
"The biggest healthcare security threat is account takeover (ATO) attacks…"
ATO attacks jumped nearly 300 percent from Q2 2019 to Q2 2020. Given the importance and sensitivity of user information contained in those accounts, they pose a particularly concerning threat for healthcare.
What makes the ATO threat difficult to effectively address is that in many cases, user behaviors like reusing passwords make it easy for criminals to exploit strategies like credential stuffing to penetrate accounts.
There are numerous products that aim to mitigate ATO by using predictive algorithms together with behavioral data. However, the ugly truth is that while many cybersecurity companies have vast lakes of managed data, they are in most cases contractually prohibited from using it across clients to improve fraud-spotting algorithms.
Until that “data poverty” is addressed in a meaningful way, ATO attacks will continue to pose a pernicious threat to healthcare security.
Ian Brady
Ian Brady works with Steadfast Solutions.
"The biggest healthcare security threat is ramping up online platforms, especially during COVID-19..."
The major risks of this are loss or access to confidential patient information.
There are massive penalties from the FDA for serious breaches. There are a number of laws not only in the U.S., but also globally.
Penetration testing and audits must be done regularly by an approved third party. Implement encryption at rest for all data. Mandatory reporting of all adverse events with any medication could also be done through an online forum. Healthcare providers must have processes in place to ensure these aren’t missed.
Alexander Freund
Alexander Freund is a serial entrepreneur and 36-year veteran of the technology industry. A degreed computer scientist, Alex started his career as an industrial software engineer for the Dow Chemical Corporation. After numerous technical and engineering positions working for large corporations, he started his own software development company in 1989. After building a multi-million dollar VAR (value added reseller) in the 1990s, Alex co-founded 4it in 2003 with the stated goal to bring enterprise class infrastructure, IT management, and IT support to small and medium businesses.
"I believe the biggest healthcare cybersecurity threat is—and will continue to be—breaches that allow for access to corporate email…"
This can be the result of compromised credentials, employees that lose an unencrypted portable device, a breach of the corporate network, and so on.
Email breaches are very serious for healthcare companies in three specific ways:
- No matter what data loss prevention rules are put into place, by virtue of being a healthcare company and the convenient nature of email, personal health information will end up in employees’ mailboxes. The breach of an email account puts any PHI information in that mailbox in jeopardy, and hackers are all too willing to email out PHI information and attempt to extort money in exchange for agreeing not to disclose more.
- Hackers will use the mailbox to pull a complete list of internal employees and their positions within the organization. They will also begin sending out emails to contacts and previous email recipients in an attempt to leverage the trust between them and the mailbox owner. This can become a significant reputational risk, and can assist in providing the necessary information to attempt a breach of a vendor or customer.
- People are notoriously bad about reusing email addresses and password combinations, even when the organization has strict policies about not doing so. Once a set of credentials has been compromised, hackers will try them on hundreds if not thousands of other websites in an attempt to gain access to additional leverageable data assets. For example, those credentials will definitely be tried on ADP, Paychex, and the other larger payroll sites to see if they work. They will also be tried on Google, Facebook, and Twitter, and most of the large banking institutions in the U.S. Much of this has become automated, so it’s not like there is a person doing it. Hacking is a huge business driven by efficiency and speed.
Chris Riley
Chris Riley is the Co-Founder and CEO of USA Rx.
"In 2021, there is no bigger or more pressing healthcare security threat than ransomware…"
This has been the biggest issue in the industry since 2019, and it shows no signs of slowing down. In fact, it is going to get worse as more and more files begin to be kept online.
The threat at its most basic level is hackers gaining access to healthcare sites and encrypting the data. The hackers then hold the data for ransom threatening to keep it encrypted, or worse, deleting it, unless they are financially compensated.
What makes this so devastating is the files they are holding for ransom could be important medical records needed to save someone's life. This obviously makes the target more likely to pay the ransom, which in turn makes healthcare a prime target for this kind of security threat.
Carl Fransen
Carl is the CEO of CTECH Group.
"With all systems, the biggest threat to any business is the people using the systems…"
As the main focus in healthcare is the health of their patients and most of the time, attention to proper system security is left aside. Doctors, nurses, admin staff, and other personnel need to understand the required security processes and procedures to not create security issues.
As patient data moves from paper to the computer, staff need to understand that all systems are connected to the internet. This allows potential breaches to occur.
The security of patient data is paramount. There are also industry standards that must be adhered to, such as HIPAA, PIPA, GDPR, and PCI. Today’s technology allows for the specific enforcement of a particular medical governance. Instead of the head of administration reviewing a checklist of procedures once a year, the system will continually ensure that proper handling of patient data is maintained within governance parameters.
Charly Rohart
Charly Rohart is the owner of the leading cybersecurity company, RCDevs Security Solutions.
"I believe there are three main healthcare security threats for 2021 and beyond…"
- Increased access to sensitive data: With the increased need to access data from anywhere, the simple equation of more doctors accessing sensitive data from outside the hospital exposes cybersecurity vulnerabilities.
- Lack of secure login: Secure login and device security are also among the major threats to healthcare security. Many doctors say that they have no confidence that employee-owned mobile devices used at work are secure.
- Multiple sign-ins: Healthcare organizations need a large number of applications to fulfill their tasks. This makes the number of times a clinical staff needs to sign in a cybersecurity challenge.
Demetrius Cassidy
Demetrius is the Founder and President at In The Cloud Technologies.
"One of the biggest threats that will continue to compromise the U.S. healthcare system in 2021 and beyond will be ransomware…"
Ransomware attacks have become exponentially more sophisticated in the last two years, and that trend will only continue.
One of the most considerable challenges in combating ransomware is the method of execution and delivery. An attacker can embed ransomware in an email, a file attachment, or even a text message. And even the market leaders in detection and prevention are still playing catch up. So much so that the strategy around ransomware has shifted from prevention to recovery.
The healthcare system is especially vulnerable. Due to COVID-19, there is an increased demand for all resources within the medical system. Emergency room staff, doctors, and nurses have even less capacity for critical decision-making when a malicious email comes their way. Attackers use strategies to strike at the precise time when someone is at their least attentive.
It is a fine line to walk between patient care and patient privacy. Given a choice, doctors and nurses will always choose patient care first. This offset is where data protection and deep learning systems can come into play.
Utilizing a combination of machine learning, AI, and deep learning systems can help prevent healthcare data from falling into the wrong hands. These systems can flag and retain a potential compromise of data before it becomes a breach.
It is much like a credit card company can lock a credit card from being used in what is known as a superman attack or impossible travel. This attack describes when a credit card is used in two physical locations without the ability to travel between them in that amount of time.
However, these systems come at a premium cost to healthcare providers and may not be realistic in terms of resources. So while there is hope on the horizon, we still need to be diligent in strengthening the cybersecurity chain's weakest link: the user.
Max Harland
Max is the CEO of Dentaly, one of the largest dental health resources in the world.
"Phishing and malware attempts will be at an all-time high in the future..."
Healthcare companies are at the center of focus ever since COVID-19 entered the scene. One major reason is that there's increased investment in the sector due to rising health awareness.
As a result, there is a sharp rise in the number of people booking doctors' appointments, leading to an increased flow of cash to the healthcare sector. So this presents hackers with an enticing opportunity to mint money, which in turn drives them to attempt phishing.
Plus, with most information moving to the cloud, there is a lot at stake. This includes patient and employee credentials, financial details, and other vital information. So hackers are always planning to steal by planting malicious scripts. It’s for these reasons that I think this will be a dominating concern not only in 2021, but also in the future.
Richard Bailey
Richard Bailey is the Lead IT Consultant at Atlantic.Net, a growing and profitable cloud hosting company based out of Orlando, Florida.
"Without a doubt, the biggest threat will continue to be ransomware..."
This is nothing new, especially in healthcare where patient data is a valuable prize. COVID-19 has increased the number of attacks on healthcare organizations. Some estimates suggest a 45% increase in successful attacks, with the Trickbot malware causing chaos.
Some may argue that healthcare has been slow to adapt to cybersecurity challenges and slow to adopt cloud services and managed security. Ransoms should never be paid; instead, invest in preventative measures such as training all employees to be security conscious, patch servers and infrastructure monthly, conduct risk assessments, and get outside assistance with targeted pen tests and vulnerability scanning.
Heinrich Long
Heinrich is a Privacy Expert at Restore Privacy. He was born in a small town in the Midwest (USA) before setting sail for offshore destinations. Although he long chafed at the global loss of digital privacy, after Edward Snowden’s revelations in 2013, Heinrich realized it was long past time to join the fight. He enjoys traveling the world, while also keeping his location secret and digital tracks covered.
"Supply chains are under threat in hospitals across the country and are usually overlooked by tech professionals…"
Whether hospital employees are accidentally or unintentionally stealing patient information, supply chains need to be checked consistently by a cybersecurity expert in order to make sure this doesn’t happen.
As more hospitals take advantage of cloud computing and network connected devices, there is more room now than ever before for a breach to happen. Legislation has been passed to help secure hospital supply chains for the future, but experts like myself are the first line of defense against potential threats. Hospitals can also offer in-house training and courses dedicated to supply chain security support.
Cecilia Hunt
Cecilia Hunt is the CEO of JourneyPure.
"The biggest healthcare security threat for 2021 and beyond will be phishing and ransomware…"
COVID-19 has opened people up to more phishing attacks. Hackers are attempting to scare people into allowing them access to their data, which provides an entry point for hackers to get into organizational networks and steal data at a larger scale.
This has also led to data extortion attempts as hackers hassle organizations into either paying up or having their private and confidential health data leaked.
Nathan Little
Nathan is the Senior Vice President of Digital Forensics & Incident Response at Tetra Defense.
"The fact that there's no such thing as an isolated event in cybersecurity is the biggest healthcare security threat for 2021 and beyond…"
Every incident we respond to, every breach that hits the headlines, and every run-of-the-mill update that occurs is always connected to something else. The recent attacks on the large supply chain infrastructures SolarWinds and Microsoft Exchange are perfect examples of this idea. Not only were these attacks connected to years' worth of threat actor evolution, but they also inform the threats to come in 2021 and beyond.
These supply chain attacks that target service providers on a large scale are detrimental to healthcare. Ransomware operators work in a large network, and they plan to continue attacking industries that are well-connected as well.
As healthcare expands to include messaging apps, managing appointments, handling payments, and storing personal information, the weaknesses within a supply chain of a health system put every data point at risk. We recommend implementing an endpoint detection and response (EDR) tool to actively defend against threat actors that come from unexpected places.
Inga Shugalo
Inga Shugalo is a Healthcare IT Analyst at Itransition, a Denver-based software development company.
"One of the biggest cybersecurity threats in 2021 and beyond is the lack of awareness of potential risks among healthcare providers’ employees…"
Consequently, the lack of information leads to over-reliance on providers’ IT departments and insufficient prevention measures that employees may take independently. To have such measures established, providers only need to hold a couple of training sessions. In these sessions, they can deliver handy educational materials featuring top cybersecurity threats along with guides to reduce the risks.
It’s best to prepare such guides in cooperation with the IT department or some external infosec experts. These measures don’t require any special IT skills. To take them, employees just need to be alert. For example, to stop email attacks, which is the most common type of attacks on businesses, employees should take the following steps:
- Stop link clicking, as doing so may activate the malware.
- Check the email address, the sender’s name, and the domain for typos, mistakes, and other inconsistencies.
- Report to the IT specialists if any discrepancies are found.
What’s more, employee education may help prevent another type of attack—social engineering. When employees have a basic idea about the way it works, they may promptly report any attempts to the IT team.
J Kenneth (Ken) Magee
Ken Magee is President and owner of Data Security Consultation and Training, LLC. He holds a bachelor’s degree from Robert Morris College in PA and a master’s degree from Fairleigh Dickinson University in NJ. He has taught cybersecurity at many different venues, including the JAG school at the University of Virginia, KPMG Advisory University, Microsoft, and several major federal financial institutions and government agencies.
"The most relevant cybersecurity threats facing healthcare today and in the near-future involve the compromising of patient information…"
In order to protect patient information, encrypt the ePHI (electronically stored personal health information) and control who has access to review the data. It is also important to protect patients’ insurance information, especially to prevent or deter fraudulent use of the insurance information through such scams as false claims and/or inflated charges.
