Preserving Patient Trust: Exploring the Menace of Human Factor and Phishing in Healthcare & Pharmaceuticals
Nowadays the healthcare and pharma industry finds itself at the forefront of a battle against cyber threats. Hospitals, healthcare centers, insurance companies, research institutions, and pharmaceutical companies worldwide have fallen victim to cyberattacks.
The situation remains quite serious: at the beginning of this year, the LockBit ransomware operation claimed responsibility for a November 2023 cyberattack on Capital Health, a healthcare service provider in New Jersey and parts of Pennsylvania, US. The hackers not only infiltrated the hospital network but also threatened to leak sensitive medical data and negotiation chats.
Although the nature of this very cyberattack remains undisclosed, statistics show that over 50% of ransomware and malware attacks start with phishing. Verizon's 2023 Data Breach Investigations Repor adds another layer to the narrative, saying that “74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering”. The case of Capital Health provides an opportunity to talk about the level of staff preparedness for such social engineering attacks as phishing in a highly vulnerable sector such as healthcare & pharmaceuticals.
The High Stakes of Phishing Attacks in Healthcare
Phishing attacks pose an exceptional threat to healthcare organizations due to the value of patient data they store.
In addition to financial gain, cybercriminals with experience in drug trafficking and money laundering eagerly purchase medical records from malicious websites. These records enable them to obtain prescription medications, file false medical claims, or engage in identity theft by opening credit cards and taking out fraudulent loans. Unlike accounts and credit cards that can be quickly canceled, medical records provide a rich resource of valuable and permanent data points.
Although many cybercriminal groups have recently been talking about ethics when it comes to targeting highly vulnerable organizations such as hospitals, they are not going to leave the sector alone, even if the consequences of their attacks could be disastrous for health systems and the well-being of patients, who rely on the healthcare system.
Alarming Phishing Statistics in the Sector: A Wake-Up Call
Despite the fact that healthcare providers and pharmaceutical organizations are that vulnerable to cyberattacks, the Phish-Prone Percentage (PPP) for the sector, as revealed in the Phishing by Industry Benchmarking Report for 2022 and 2023, is concerning. Let's take a detailed look and first glance at the data.
In 2022 across small organizations (1-249 employees) the healthcare & pharmaceuticals industry ranked 2nd at risk with a PPP of 32.5%. Among mid-sized organizations (250-999 employees), with a PPP of 36.6%, the healthcare & pharmaceuticals is in the 2nd position as well.
These figures highlight the healthcare and pharmaceutical industry's vulnerability, ranking highest at risk for both small- and medium-sized organizations.
Addressing the Human Factor: Cybersecurity Training is Key
The results of initial baseline phishing security tests held by KnowBe4 emphasize the likelihood of users falling victim to phishing scams without proper cybersecurity awareness. Every organization, regardless of size and vertical, is susceptible to both phishing attempts and social engineering without training and frequent reinforcement. The workforce, in every industry, represents a potential doorway to attackers, irrespective of investments in top-notch security technology.
Apart from utilizing high-quality hardware, regularly updating software, using multi-factor authentication whenever possible, and initiating backups cooperating with trusted vendors, healthcare and pharmaceutical organizations must prioritize staff education to prevent catastrophic damages resulting from a single employee clicking on a malicious link promising them free tickets to a Taylor Swift show. Assessing existing levels of awareness through surveys and planning training opportunities for staff at all levels is paramount. Frontline employees must receive additional information about potential security issues and prevention methods as the security landscape evolves.
Several pieces of research also indicate that messages regarding data breaches, risk management, and cybersecurity values are more thoroughly followed when they come from top management. Establishing direct communication between management and employees regarding security issues fosters a culture of cybersecurity within the organization.
Technical Means: Web Filtering as a Shield
While various technical means exist, finding a high-quality solution that minimizes the probability of human error is critical.
With SafeDNS web filtering, malicious links, even the most newly generated ones, will not harm the organization. This additional layer of network protection is able to shield healthcare providers and pharmaceutical organizations from the potentially disastrous consequences of human error.
The rising tide of cyber threats against healthcare organizations demands immediate and comprehensive action. Beyond the implementation of technical solutions, cybersecurity education and awareness must take center stage. Protecting patient data and ensuring the resilience of healthcare systems require a multi-faceted approach, including continuous training of healthcare staff, communication from top management, and even practices leveraging advanced up-to-date technologies like web filtering.
Today when the stakes are higher than ever, the healthcare sector must be well-equipped with all the available tools and strategies against cyber threats. As the saying goes, an ounce of prevention is worth a pound of cure. Let’s prioritize cybersecurity to both protect patients and safeguard the backbone of our communities – the healthcare system.