Morphisec Cybersecurity Blog

The Top Three Weaknesses in Healthcare Cybersecurity

Written by Matthew Delman | May 20, 2021 at 5:28 PM

With remote care, connected devices, and more efficient use of data digitizing healthcare delivery, cybersecurity has never been more vital for providers. Despite the benefits to patient care, however, there are some major weak spots that still remain for providers.

With healthcare under continuous attack from threat actors, not only will new vulnerabilities emerge, but existing cybersecurity weaknesses are also set to become more critical as providers leverage digital technology more frequently. 

Regrettably, as providers deploy new systems, cybersecurity is still frequently under prioritized at the board level. However, while non-technical healthcare executives may underestimate the importance of cybersecurity, the same cannot be said for consumers. 

Our recent Consumer Healthcare Cybersecurity Threat Index found that consumers are keenly aware of healthcare cybersecurity and that providers' email phishing defenses are their biggest worry. Over 26 percent of consumers now say that they believe phishing is their provider's weakest link when it comes to their cybersecurity defenses, a concern rating just ahead of patient portal defenses (25 percent) and browser attacks (20 percent). 

Understanding these top three patient cybersecurity concerns is crucial for providers, both for protecting their patients and securing their business. 

Phishing Is a Rising Threat to Healthcare

The significant rise in the incidence of phishing scams across every sector has been one of the defining cybersecurity trends of the COVID-19 pandemic. However, due to their constantly changing operational environment and often overstretched IT staff, healthcare institutions are particularly vulnerable to these attacks. 

Thanks to cybercriminals' amorality and ability to continually weaponize COVID-19 related disruption in healthcare, the rise of phishing scams targeting care providers has been profound. While in 2012, only four percent of healthcare breaches involved email scams, in 2020, over 40 percent did. Moreover, since the COVID-19 pandemic began, Google has reported over 18 million fraudulent phishing messages per day related to the coronavirus. 

Although the targeted individuals are typically frontline workers with little time for cybersecurity, the reality is that healthcare professionals at all levels are vulnerable to this growing threat vector. In November 2020, top executives at hospitals in Massachusetts were targeted with phishing emails from threat actors pretending to be the U.S. Department of Health and Human Services. These kinds of phishing attacks are on the overall increase and create a significant issue for hospitals with minimal resources devoted to cybersecurity. Ultimately, healthcare providers need to be aware of these issues and account for them to preserve the security of their patients’ personal health information. This leads to the second major weakness: health portals.

Patient Portal Defenses Pose Major Cybersecurity Issues

After phishing, our Healthcare Cybersecurity Threat Index found that patient portals were the second biggest worry patients have about their providers' cybersecurity. Unfortunately, this is a valid concern. Patient portals contain electronically protected health information (ePHI), which means that—under the HIPAA Security Rule—organizations using or associating with this data are required by law to develop systems to protect it. Unfortunately, these protections can and do fail, exposing vast numbers of patients to data breaches.  

In one recent example, over half a million patients were reported to have been impacted after hackers gained access to files hosted on Michigan-based provider Trinity Health's web portal. Far from an isolated incident, this data breach is only one part of a larger attack that exploited vulnerabilities in an Accellion file transfer system that several other healthcare providers also use. As a result, similar portal-related breaches may have exposed millions of more people nationwide. With patients' health records exponentially more valuable than financial or other kinds of personal data, health portals are a lucrative target for cybercriminals. 

Healthcare Browser Use Is Still a Serious Concern

Web browsers are an industry-wide weak threat vector within healthcare, and the third most significant concern healthcare consumers have about provider cybersecurity. This weakness likely persists primarily because organizations within the healthcare sector continue using Internet Explorer as the default browser on connected devices. In fact, even Microsoft has recommended companies stop using Internet Explorer as their primary browser.

Due to the generally lean nature of healthcare IT, teams commonly default to Internet Explorer as an "easy" option for ensuring compatibility across devices. However, while it may be compatible with a vast array of devices and machines, Internet Explorer is inherently vulnerable to zero-day attacks and exploits due to enormous technical debt. Despite its ease of use in this context, continuing to use IE as a browser opens hospitals and other healthcare providers up to the substantial risk of a browser-based attack. 

Final Thoughts

As overstretched staff and IT teams juggle evolving priorities, basic tenets of cybersecurity can easily lapse, endangering both patient records and, increasingly, patient health. With consumers becoming increasingly aware of vulnerabilities such as phishing attacks, problems with portal use, and outdated browser usage, healthcare providers who fall victim to network breaches are likely to lose customer trust rapidly.

For healthcare CISOs, mitigating the existential threat cybercrime poses to their organizations is a difficult task. IT teams need to both overcome deeply entrenched cybersecurity weaknesses and proactively anticipate new vulnerabilities, all while operating in a highly dynamic operational environment. 

However, with the most virulent cybersecurity threats in healthcare stemming from vulnerable endpoints, building defenses at every network endpoint is vital to overcoming this challenge. Against the growing threat landscape healthcare is faced with, vulnerable endpoints need to be protected with lightweight deterministic solutions like the one Morphisec provides