A recent study claims that ransomware attacks have increased 350 percent in the past year. This mirrors other reports, including one by BlackBerry Cylance, outlining a similar upsurge in such attacks against the healthcare sector across the U.S. and Europe. In December 2019, Cylance disclosed findings related to Zeppelin Ransomware-as-a-Service (RaaS), which targeted IT vendors and healthcare providers.
Healthcare providers are often low-hanging fruit for hackers, as the healthcare sector ranked eighth out of 10 sectors (1=best, 10=worst) in Cyberhedge’s cyber governance rankings by sector.
Unlike most other sectors, the healthcare industry’s use and protection of data has been regulated through HIPAA for years. However, the sector continues to be a significant laggard in protecting data and systems from attack. And, although breaches of medical records dominate news headlines, ransomware attacks are actually the most disruptive and financially costly attacks deployed against the sector, and they are what healthcare companies should be most concerned about.
Words used to describe technology in healthcare today often include “revolutionary,” “growth driver,” and “unparalleled operational efficiencies.” But prioritizing growth and cost efficiencies over security has led to healthcare companies’ cyber governance underperformance for some of the following reasons:
- Growth through acquisition. Policy trends have accelerated growth via M&A, leading to increasingly complex and more difficult-to-manage networks that exponentially increase the number of vulnerabilities. This has long been healthcare’s chosen strategic growth path.
- Accelerated third-party outsourcing. The corporate drive for greater efficiency and cost savings has created additional supply chain vulnerabilities most companies haven’t considered when making strategy decisions about outsourcing. Few industries can rival the complexity of a healthcare company’s supply chain.
- Increased reliance on IoT. Operational processes often combined with sensors and data transmission execute critical functions that were previously entirely analog-driven. This has significantly increased not only cost-efficiency and productivity, but also vulnerability. Healthcare’s full embrace of technology is well-documented, and now the sector is forced to more urgently reckon with the security consequences of this adoption.
This should be a concern not just for healthcare executives but also for investors and regulators. There are examples of healthcare companies striking the right balance between growth, cost, and security (i.e., Gilead Sciences, Inc., a Cyberhedge 5-star company for cyber governance). But, at a sector level, the underperformance in cyber governance paired with increasing business disruption attacks means that breaches and losses will continue to accelerate.