Why Healthcare Needs to Adopt a People-Centric Cybersecurity Strategy

February 12, 2019
Ryan Witt

Healthcare is one of the most vulnerable industries to security breaches. In the last five years, a surge of attacks has plagued the healthcare industry, impacting tens of millions of people.

According to a report by Marsh & McLennan Companies’ Global Risk Center, more than one-quarter of healthcare organizations reported they had been victims of a cyber attack, more than financial institutions (20 percent) and nearly twice the rate in the communications, media and technology sector (14 percent).

Defense spending does not reflect the nature of attacks

Despite increased spending on IT security, the attack trend within healthcare shows no signs of slowing down. Why is the industry struggling to defend itself?

The main problem Proofpoint researchers see is that healthcare organizations, like many companies across a variety of industries, prioritize and invest in solutions that defend the perimeter of ever-expanding healthcare networks rather than the people behind those networks: healthcare workers, patients, doctors, and administrators.

According to Gartner, just 8% of IT security spending is dedicated to email, an attack vector that accounts for 93% of all data breaches.


Attacks rely on human vulnerabilities

The most dangerous healthcare attacks leverage social engineering techniques rather than network vulnerabilities. For example, in Q3 2018, email-based corporate credential phishing attacks rose 4X compared with the previous quarter.

Even the vast majority of malware used in targeted attacks on healthcare organizations no longer exploits unpatched software vulnerabilities. It’s much easier for threat actors to trick a user into running the malicious code via an Office macro and similar techniques.

In addition, web-based social engineering attacks, which trick users into downloading malicious software or visiting compromised sites, jumped 233% from Q2 to Q3 2018.

Healthcare’s Very Attacked Persons (VAPs)

A key first step in successfully identifying and defending against attacks at your healthcare organization is identifying and defending the people who are most targeted.

With our people-centric window into attacks, Proofpoint is able to evaluate the risk of specific users at your organization. We call the most targeted users VAPs or Very Attacked Persons.

In healthcare, VAPs include:

  • Nursing leaders, because of their ability to access large portions of the patient record.
  • Pharmacy staff and leaders, who could enable criminals to divert drugs and controlled substances from lawful channels (patients) to unlawful ones (non-patients).
  • Clinical researchers, because of the grant funds they have received (information that is readily available in the public domain).
  • Supply chain staff who, because of their engagement with business associates, regularly download files, click links, or use third-party applications.
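One way a defender could put this idea into practice is to rank users by how often and how severely they are targeted, weighted by how much a compromise of their role could expose. The example below is added here for illustration and is not Proofpoint's code or its Attack Index; the log format, the role and threat weights, and the scoring formula are all assumptions, and the log lines are constructed.

```python
"""Rank the most-targeted users (VAPs) from constructed email-threat log lines.
Illustrative example only; weights, formula and log format are assumptions."""
from collections import defaultdict

# Constructed sample log (assumed format): recipient,role,threat_type,verdict
SAMPLE_LOG = """\
nurse.lead@example-hospital.test,nursing_leader,credential_phish,blocked
nurse.lead@example-hospital.test,nursing_leader,credential_phish,delivered
nurse.lead@example-hospital.test,nursing_leader,macro_malware,blocked
pharm.dir@example-hospital.test,pharmacy_leader,credential_phish,blocked
pharm.dir@example-hospital.test,pharmacy_leader,bec,delivered
pharm.dir@example-hospital.test,pharmacy_leader,macro_malware,blocked
researcher@example-hospital.test,clinical_researcher,credential_phish,blocked
supply@example-hospital.test,supply_chain,macro_malware,delivered
supply@example-hospital.test,supply_chain,macro_malware,blocked
supply@example-hospital.test,supply_chain,web_social_eng,blocked
it.helpdesk@example-hospital.test,staff,credential_phish,blocked
"""

# Assumed weights: how much a compromise of each role could expose
ROLE_WEIGHT = {"nursing_leader": 3, "pharmacy_leader": 3,
               "clinical_researcher": 2, "supply_chain": 2, "staff": 1}
# Assumed weights: relative severity of each threat type
THREAT_WEIGHT = {"credential_phish": 2, "macro_malware": 2,
                 "bec": 3, "web_social_eng": 1}

def parse_log(text):
    """Split CSV-style lines into (recipient, role, threat, verdict) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            recipient, role, threat, verdict = line.strip().split(",")
            events.append((recipient, role, threat, verdict))
    return events

def score_users(events):
    """Return {recipient: (score, role)}. Each event adds its threat weight,
    doubled if the message reached the inbox; the total is then multiplied
    by the role weight so privileged, heavily targeted users rise to the top."""
    totals, roles = defaultdict(int), {}
    for recipient, role, threat, verdict in events:
        base = THREAT_WEIGHT.get(threat, 1)
        totals[recipient] += base * 2 if verdict == "delivered" else base
        roles[recipient] = role
    return {r: (totals[r] * ROLE_WEIGHT.get(roles[r], 1), roles[r]) for r in totals}

def rank_vaps(text, top_n=3):
    """Return the top_n (recipient, (score, role)) pairs, highest score first."""
    scores = score_users(parse_log(text))
    return sorted(scores.items(), key=lambda kv: kv[1][0], reverse=True)[:top_n]

if __name__ == "__main__":
    for recipient, (score, role) in rank_vaps(SAMPLE_LOG):
        print(f"{score:3d} {role:20s} {recipient}")
```

The resulting list is the starting point for the question the post raises next: which additional controls (stricter attachment handling, step-up authentication, tighter data access) should follow the people at the top of it.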

If you can get insight into the most attacked people within your health institution, how would that impact your security posture? What controls would you put in place to make sure those who are most attacked are also most protected?

I’ll offer insight into these topics in my HIMSS 2019 presentation on Wednesday, February 13 at 11:45 am. I’ll share best practices and practical tips on how you can reduce VAP vulnerability, stop attacks, and manage data access and privilege within your health institution. Come check it out.