The rush to administer top-notch healthcare services and oversee an effective vaccine rollout in the COVID-19 era has put cybersecurity on the back burner for healthcare providers. Providers are too busy plugging holes in the COVID-19 dam to prepare security systems for the stress of hundreds of millions of appointments. This is undoubtedly a lucrative enterprise for hackers. A PhishLabs study reported that healthcare data assets were worth 10 times more on the dark web than stolen credit card numbers.
The 2021 Horizon Report lays out the trends of cybercrime throughout 2020, with COVID-19 opening the door for hackers, especially in the back half of the year. The Horizon Report found that over 500 healthcare organizations reported breaches of hundreds of patient records. Healthcare providers are a frequently targeted sector for hacking, accounting for around 80% of breaches. The threats of malware and ransomware loom large, and phishing tactics remain stubbornly pervasive. Although there are many angles of attack for cybercriminals, email consistently produces the most attempts at stealing patient data.
Take, for instance, the recent incident at Beaumont Health in Michigan on January 30th. One user exploited a scheduling pathway weakness in the Epic electronic healthcare system through email invitations, which let over 2,500 people sign up for vaccination appointments without prior authorization. Epic was silent when confronted with the possibility of similar errors occurring in its system for other vaccine scheduling.
In the case of Beaumont Health, the difference between the “ticket” and “open” forms of scheduling was of note, with the latter having fewer safeguards and seeming to be the culprit. With the ostensible solution being to set further limits on public access, a world of inconvenience could befall patients—at the behest of providers with earnest security concerns. Both groups must bend to the will of clever cybercriminals.
Healthcare providers risk falling behind in vaccine distribution if entire security systems need to be revamped while dissatisfied customers, potentially worse for wear, are left waiting. According to Dan L. Dodson, CEO of Fortified Health Security, what’s important is “getting back to security fundamentals as organizations face the undoubtedly turbulent year ahead – including evaluating security infrastructures, response plans, staffing models and potential gaps – to minimize cybersecurity risk and protect patients in the most cost-effective way.”