The number and severity of successful cyberattacks on healthcare organizations are on the rise, with no signs of slowing down. Cyberattacks have a high financial and reputational cost for any organization. For healthcare organizations, where stakes can be much higher, these costs are typically magnified. Mergers and acquisitions (M&As) can increase the likelihood of these attacks by providing even more opportunities for adversaries to strike.
Vulnerabilities in Healthcare Systems
Most healthcare organizations rely on a complex ecosystem of connected legacy and modern systems. This creates a large attack surface with many potential vulnerabilities that can be exploited.
To complicate matters further, many of these legacy systems rely on outdated security protocols and do not receive regular updates or patches, often because vendor support has ended or because a medical device cannot be modified without recertification. Many also lack thorough documentation, which makes it difficult for administrators to inventory and secure them effectively.
The CIA Triad
Organizations should follow three key principles when protecting systems: confidentiality, integrity, and availability. Together, these principles form what is known as the ‘CIA Triad.’
The applications of each of these principles in the healthcare industry are as follows:
- Confidentiality: Protecting patient privacy.
- Integrity: Ensuring data accuracy and trustworthiness.
- Availability: Guaranteeing system uptime for patient care.
Organizations can use these principles as a guide to protect themselves against threats.
Impact of Mergers and Acquisitions (M&A)
M&As in healthcare are set to rise in 2024. This brings potential benefits for organizations, including larger security budgets, opportunities for expansion and integration, and the ability to pool threat intelligence across the combined organization.
On the other hand, it also introduces new challenges. Incompatible systems and inconsistent policies complicate integration, leaving security gaps and unaddressed vulnerabilities. Connecting the networks of two organizations also increases system complexity, which expands the attack surface and gives adversaries more opportunities; in particular, an acquired network that is joined before its security posture has been assessed can carry an existing compromise into the acquirer's environment.
Balancing Availability vs. Security
Many organizations can prioritize confidentiality and integrity at the expense of availability when required, for example by taking a system offline to contain an incident. For most healthcare organizations, this is not an option.
Healthcare organizations must prioritize availability to ensure that clinicians have access to the information they need to make timely and accurate decisions about patient care.
Downtime can delay appointments, surgeries, and medical procedures and can disrupt services such as billing and scheduling. This can endanger patient safety, cause compliance issues, and result in an irreparable loss of trust from patients and business partners.
Ransomware Attacks and Their Impact
The cost of data breaches is rising. In 2023, the average cost of a data breach globally was USD 4.45 million, a 15% increase over three years.
The threat to healthcare organizations, in particular, appears to be rising. In February 2024, Change Healthcare, the organization operating the largest clearinghouse for medical claims in the U.S., was the victim of one of the most significant attacks on the U.S. healthcare system in history.
Attackers compromised over 4 TB of data, including financial records and personal information. The attack also disrupted operations for medical offices, hospitals, and pharmacies across the country.
The attack resulted from compromised login credentials used against a remote access portal that did not enforce two-factor authentication, so a single stolen password was enough to gain entry. Attackers also used a double extortion tactic, encrypting systems while also exfiltrating data so that paying for decryption did not remove the threat of a leak: once the organization had paid the attackers to decrypt its machines, the stolen data was released on the dark web and a further payment was demanded. This had heavy financial repercussions for the organization and also led to significant reputational damage.
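As an added example (not from the original article, and not code from any organization it mentions), the following Python script shows the kind of check that would surface the weakness described above: it reads remote-access login events and reports successful logins that completed without a second factor, together with per-application MFA coverage and the accounts that reached an internet-facing portal on a password alone. The event schema, field names, application names and sample events are all constructed for illustration; a real audit would read the portal's or identity provider's own logs.

```python
"""Audit remote-access logins for missing multi-factor authentication.

Added example, not code from the original article. The event schema below
(fields ts, user, app, result, mfa, src) and the sample events are constructed
for illustration; adapt parse_events() to the real portal or IdP log format.
"""
import json
from collections import defaultdict

# Constructed sample log: one JSON record per line (hypothetical schema).
SAMPLE_LOG = """\
{"ts": "2024-02-11T22:14:03Z", "user": "jsmith", "app": "remote-portal", "result": "success", "mfa": false, "src": "203.0.113.7"}
{"ts": "2024-02-11T22:15:41Z", "user": "jsmith", "app": "remote-portal", "result": "success", "mfa": false, "src": "203.0.113.7"}
{"ts": "2024-02-12T08:02:10Z", "user": "apatel", "app": "remote-portal", "result": "success", "mfa": true, "src": "198.51.100.20"}
{"ts": "2024-02-12T08:03:55Z", "user": "mlee", "app": "ehr-web", "result": "success", "mfa": true, "src": "10.0.4.15"}
{"ts": "2024-02-12T09:30:00Z", "user": "svc-backup", "app": "remote-portal", "result": "failure", "mfa": false, "src": "203.0.113.9"}
{"ts": "2024-02-12T09:31:12Z", "user": "svc-backup", "app": "remote-portal", "result": "success", "mfa": false, "src": "203.0.113.9"}
"""

# Applications reachable from the internet, where MFA must always be enforced (hypothetical name).
REMOTE_ACCESS_APPS = frozenset({"remote-portal"})


def parse_events(text):
    """Parse newline-delimited JSON login events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_mfa(events, remote_apps=REMOTE_ACCESS_APPS):
    """Return (findings, coverage, exposed_accounts).

    findings:         successful logins to a remote-access app without MFA
    coverage:         per-app fraction of successful logins that used MFA
    exposed_accounts: accounts that reached a remote-access app on a password alone
    """
    findings = []
    counts = defaultdict(lambda: {"total": 0, "mfa": 0})
    for ev in events:
        # Failed attempts are noise for a coverage audit (they matter for brute-force detection instead).
        if ev["result"] != "success":
            continue
        app_counts = counts[ev["app"]]
        app_counts["total"] += 1
        if ev["mfa"]:
            app_counts["mfa"] += 1
        elif ev["app"] in remote_apps:
            # Password-only access from outside: exactly the gap a stolen credential exploits.
            findings.append({"ts": ev["ts"], "user": ev["user"], "app": ev["app"], "src": ev["src"]})
    coverage = {app: c["mfa"] / c["total"] for app, c in counts.items()}
    exposed_accounts = sorted({f["user"] for f in findings})
    return findings, coverage, exposed_accounts


def report(text=SAMPLE_LOG):
    """Print a human-readable summary and return the exposed accounts."""
    findings, coverage, exposed = audit_mfa(parse_events(text))
    for app, frac in sorted(coverage.items()):
        print(f"{app}: {frac:.0%} of successful logins used MFA")
    for f in findings:
        print(f"NO-MFA remote login: {f['ts']} user={f['user']} src={f['src']}")
    if exposed:
        print("Accounts needing MFA enrollment or credential reset:", ", ".join(exposed))
    return exposed


if __name__ == "__main__":
    report()
```

On the constructed sample this reports 25% MFA coverage on the remote portal and flags two accounts; the useful follow-up is to make the portal reject password-only logins outright rather than only reporting them, since a stolen credential is indistinguishable from a legitimate one in these records.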
Achieving Balance in Security
Protecting patient privacy while guaranteeing access to critical medical data creates a complex balancing act for healthcare organizations. M&As further complicate these challenges by increasing the attack surface. However, finding this balance is crucial.
A focus on availability minimizes system downtime, ensures continuity, and helps to maintain user trust. Even if a system is secure, users will lose faith in it if it doesn’t work when they need it.
Meanwhile, a focus on security instills trust in users, helps organizations meet regulatory and legal requirements, and ensures they can withstand and recover from attacks.
Organizations can strengthen their cyber defenses by implementing security measures aligned with the principles of the CIA Triad. The triad also serves as a framework for strengthening incident response programs and for checking that confidentiality, integrity, and availability are each addressed effectively.