In one survey, the healthcare industry experienced more email security breaches than average. The recovery costs following such attacks are particularly problematic for the healthcare system.
Ransomware attacks on healthcare organizations have more than doubled since 2022, according to the latest Barracuda Ransomware Annual Report. However, when you look at healthcare in comparison to other industries, a more complex picture emerges, says Dr. Klaus Gheri, Vice President & General Manager Network Security at Barracuda Networks. In many cases, this sector experiences fewer major cyber incidents than other industries - but the attacks make headlines due to the risk to patients and the sensitivity of personal data. And in some cases, the impact, while limited, is serious.
Healthcare is a constant target of cyber attacks
In March, a ransomware attack on one of Barcelona's main hospitals crippled the center's computer system and forced the cancellation of non-urgent surgeries and patient exams. The attackers spent the next few months posting the allegedly stolen data online after the hospital refused to pay the ransom.
A few months later, in August, a cyberattack on Prospect Medical Holdings in the US crippled the computer systems of hospitals across the country, forcing emergency rooms in several states to close and ambulances to be diverted.
It is critical to understand and address the cyber risks facing healthcare organizations. A good place to start is email-based risk. Email remains a primary attack vector with a high success rate for cybercriminals and a common entry point for many other attacks. In addition, the pandemic has accelerated digitalization in healthcare, which further increases the attack surface.
77 percent affected by an email security breach
A recent international study of mid-sized companies commissioned by Barracuda found that 77 percent of healthcare respondents experienced an email security breach in 2022. In comparison, the number in all sectors was 75 percent.
Despite this, healthcare respondents were confident in their ability to weather a cybersecurity incident. 45 percent said they felt “a lot” safer than last year, compared to 34 percent across all other industries. This may have more to do with practices, policies and awareness than investment in cybersecurity, as only 10 percent said they planned to invest more, the second lowest overall.
Still, the healthcare industry has more confidence in its ability to combat email-based threats than many other industries. Barracuda has identified 13 types of email threats, ranging from simple phishing and malicious links or attachments to sophisticated social engineering techniques such as business email compromise (BEC), conversation hijacking and account takeover. Healthcare companies are less likely than many other industries to say they feel underprepared for these types of email threats.
Healthcare struggles the most with recovery costs
Just under half (44 percent) of healthcare organizations surveyed cited recovery costs when asked about the impact of a successful email security attack - compared to 31 percent overall - with the average cost of the most expensive attack being $975.000 supplied.
Healthcare budgets are often stretched, and the combination of limited resources, complex and often critical technology systems, and the pressure to get everything back up and running as quickly as possible are likely contributing to recovery costs being the most commonly cited impact .
However, loss of sensitive, confidential or business-critical data was below average: 29 percent compared to 43 percent overall. This could be because, after so many years of being the target of cyberattacks, healthcare organizations now have particularly strict policies for sharing, storing and securing medical data and other protected health information.
Ransomware: Healthcare least affected industry
The survey found that 60 percent of healthcare organizations surveyed had been affected by a ransomware attack - the second lowest share after consumer services (50 percent) and below the industry average of 73 percent. This number is also reflected in other studies, although public perception would suggest a significantly higher result.
29 percent of healthcare organizations reported two or more successful ransomware incidents, compared to a total of 38 percent. This suggests that attacks are not always completely neutralized or that vulnerabilities are not always identified and remedied after the initial incident.
The good news is that more than half (59 percent) were able to recover the encrypted data using backups (52 percent total) and only 22 percent paid the ransom to restore their data (34 percent total).
Spear phishing attacks have a significant impact
Only 8 percent of healthcare companies surveyed felt inadequately prepared for a spear phishing attack. To some extent, this confidence is justified, as only 32 percent of healthcare companies surveyed were affected by such an attack in 2022, compared to 50 percent overall. However, for those affected, the attack often had serious consequences.
60 percent of those affected said computers or other devices were infected with malware or viruses, compared to 55 percent overall, while 60 percent said confidential or sensitive data was stolen, compared to 49 percent overall. 70 percent reported stolen credentials or account takeovers, compared to 48 percent overall, and 40 percent reported direct financial losses.
Approximately 3,5 days to detect and resolve an email security incident
The research found that healthcare companies take less time than many other industries to detect an email security incident - an average of 29 hours compared to 43 hours overall - but they are in the middle when it comes to responding an incident and its resolution (on average 51 hours compared to 56 hours overall). 40 percent of respondents cited a lack of automation (compared to 38 percent overall) and 34 percent cited a lack of budget (compared to 28 percent overall) as the biggest obstacle to rapid response and mitigation.
Protection measures against email-based attacks
Email-based cyberattacks remain widespread and constantly evolving. Healthcare companies therefore need to have robust email security in place. This should include strong authentication controls – at least multi-factor authentication, but ideally moving towards zero trust measures – as well as limited access rights, automated incident response and AI-based threat detection and monitoring. All of this should be accompanied by ongoing training and awareness raising for employees so that they know how to recognize and report suspicious messages.
Ideally, these email protections should be part of an integrated security platform that gives the IT team a complete view of the entire IT environment and the ability to detect incidents or abnormal behavior patterns that could indicate unwanted intruders investigate and respond to it.
The survey was conducted on behalf of Barracuda by independent market research firm Vanson Bourne. IT professionals from the first to the highest management levels in companies with 100 to 2.500 employees from various industries in the USA as well as in EMEA and APAC countries were surveyed. The sample included 62 healthcare organizations.
More at Barracuda.com
Via Barracuda Networks Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt as the customer journey progresses. More than 150.000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit www.barracuda.com.