Why Healthcare Could Face Unprecedented Cyber Threats In 2021
Continued attacks against healthcare and medical infrastructure will likely accelerate this year and could potentially lead to serious consequences. There are several reasons for this trend.
Medical records are proverbial gold for cyber thieves. The personalized content in these records is ripe for social engineering exploits. Cybercriminals can use specific personal medical details on your record to socially engineer their way into your wallet and the wallets of those in your inner circle.
Ransomware is expected to remain a big part of the cybercriminal's portfolio in 2021. The ability for an attack to shut down operations at a medical facility has life-or-death consequences in certain situations, which can motivate victims to pay the ransom. Cybercriminals know this, which explains the spike in healthcare-oriented ransomware incidents in 2020. A recent joint advisory by the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the FBI says there is "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers."
We can also expect to see a steady increase in compound attacks, in which an attacker exfiltrates data before it is encrypted and then threatens to release it if the victim doesn't agree to pay the ransom. Either way, the attacker wins. When patient records are at stake, criminals have the added option of blackmailing patients directly with the threat of exposing their medical history.
Finally, expect ransomware to expand beyond encrypting endpoint devices like laptops and desktops. Backup applications, which are often used to avoid paying a ransom, will likely be increasingly targeted in 2021. Databases will also be in the crosshairs of cybercriminals since they can fetch higher ransom payouts, especially in compound attacks.
The sad reality is that people could suffer as the direct result of a healthcare cyberattack. The only positive outcomes here are that a tragedy would force the healthcare industry to shore up its defenses and make law enforcement more aggressive in pursuing cybercriminals.
How Defenses Will Improve
Fortunately, we can also expect continued improvements in healthcare cybersecurity defenses. Here are three areas in which advancements should help address the threats listed above, which center around authentication and access technologies.
• Password management. Password management has been an ongoing issue for years, with healthcare organizations trying to balance the need to enforce strong password policies with ease of use and the ability of users to remember them. We can expect to see an increase in the number of healthcare companies offering or requiring users to adopt password management tools. There is likely to be more uptake in this area as long as these tools remain easy to use.
• Multifactor authentication. We can expect to see improvement in the greater use of multifactor authentication (MFA)—particularly token-based authentication, which can significantly reduce the risk of compromised accounts. We should also see a reduction in the use of phone-based SMS and voice MFA, as there are known weaknesses in both of these methods.
• Risk-based access controls. These techniques should rise in popularity. Enforcing access policies based on risk could not only improve an organization's overall security posture but also reduce user resistance to strong authentication technologies, such as password management and MFA. Risk-based authentication can often make it easier for users to access data from their normal locations by eliminating the need for any form of authentication. Only when risk factors increase are step-up measures invoked like MFA, which can enforce greater control in higher-risk situations and reduce user friction in low-risk scenarios.
While we can expect an increase in the number and types of threats targeting healthcare next year, we also have access to security measures that can reduce our exposure to being compromised. Own your cybersecurity readiness. Whether or not better defensive techniques are implemented will determine how effective the industry will be in fighting off the onslaught.