Elton Mwangi • September 10, 2023
The healthcare industry has a history of facing some of the most severe cyber security attacks.
Look at the example of Anthem Inc, now called Elevance Health. When hackers used a phishing attack to break into the company, they obtained patient information on 78.8 million people.
Anthem paid $2.5 million in consultation costs, $31 million to notify those affected and the public, $112 million in credit protection for those affected, and $115 million to improve their security.
Still, despite this undeniable evidence and the massive cost of cyberattacks, the healthcare industry remains a target because of its wealth of data on individuals. And healthcare institutions are not fully prepared.
What's better? Targeting an individual, or an organization with significant financial value and large amounts of sensitive data on people? This is primarily why many hackers target the healthcare industry.
And the truth is that hackers gain access to sensitive information simply by compromising a hospital's or healthcare facility's electronic medical record (EMR) systems. The sadder truth is that breaking into medical facilities is often easy for them, too.
Consider that the average cost of a phishing attack for healthcare facilities is $14.8 million annually. This amount has risen drastically from 2015's $3.8 million, which suggests that employees are still not being diligently trained to spot and mitigate phishing attacks.
Additionally, healthcare focuses more on patient care than on data security, which makes these institutions vulnerable. If software is not updated regularly, and employees are not consistently trained to identify and avoid threats like phishing emails, the facility presents an easy target for cybercriminals.
Keep in mind that cybercriminals are continuously upping their game by inventing new attack methods and software. So, by refusing to disrupt the daily care practices of a hospital in the name of cybersecurity training and development, hospitals continue to be at high risk.
Targeting vendors is attractive to cybercriminals because it is like getting multiple wins from one hack. Think about it: in our current healthcare system, many healthcare facilities use the same vendor's EMR system, because using vendors is a cost-effective alternative to handling certain functions in-house.
And since it is more challenging for healthcare facilities to invest in cybersecurity, they rely on the proficiency of their vendors. But vendors are not always forthcoming about their cybersecurity safeguards. Some are not particularly proactive about it, either, and no matter their claims, every firewall is susceptible to attack.
And if hacking one vendor means gaining access to more than enough sensitive data about patients' medical records, why focus the energy on just one facility? As Lauren Berryman explains, targeting vulnerable vendors helps cyberattacks get around the safeguards of healthcare providers, facilities, and insurers.
This is why hacking incidents involving EMR systems increased by 20 incidents between late 2021 and early 2022, accounting for 8% of total hacking breaches.
And because vendor services are consolidated across the healthcare industry, the number of individuals affected by a vendor breach is higher than in a breach that directly targets a healthcare facility. To be precise, breaches at healthcare providers expose about 59,000 records on average, while breaches at vendors expose 97,000 records on average.
Vendor micro-segment services (those offered to hospitals or health facilities with fewer resources) experience an even greater breach rate, with vendor systems taking a close second. A good example is the mega breach that occurred in December 2021 at Eye Care Leaders. The company specializes in providing EMR systems to more than 9,000 physicians nationwide. That single breach exposed more than 2 million records.
Make cybersecurity a primary concern for your healthcare facility. Besides, if you handle protected health information (PHI), HIPAA legally requires you to protect patient information and privacy from any attack or exposure.
This means investing in the market's most effective and up-to-date security technologies to secure patient data. Beyond implementing the right technology, business leaders must ensure that their entire organization is aware of and prepared for such attacks.
Therefore, every healthcare facility and vendor needs a risk manager who can develop and run a tabletop exercise with comprehensive discussions of the signs of a cyberattack and the strategies for mitigating it.
The insurance industry is especially susceptible to liability costs and losses caused by a cyberattack. Therefore, it is prudent for every insurance company to determine what its most significant risk is in case an attack occurs.
Once the risk scenario is determined and outlined, an appropriate mitigation strategy can be formed in its wake. Write a prioritized list of the essential actions in a breach and create policies or step-by-step guidelines for handling every situation.
For example, do you have the financial capacity to pay a ransom? How can you distribute your cash flow to pay the ransom when needed? What guidelines should you follow? How will you compensate or cover your clients?
Remember, any member of your organization can easily be a target or the gateway for a cyberattack. It is imperative to make all your employees aware of your risk scenarios, train them on the proper mitigation strategies to implement, and then practice with drills to make sure the risk is reduced significantly.
For instance, consider the risk caused by vendors being targeted, outline secure vendors employees can use if an attack occurs, and provide guidelines for using said vendors.
One of the most significant mistakes when creating your cyberattack management guideline is forgetting to work as a team. An attack on an individual is an attack on the entire organization.
Therefore, you must consolidate every department, leader, and worker in your organization to make your cyberattack mitigation strategies successful. But most of all, do not forget to include the expertise of your risk team.
Having your risk management, IT, and CSO work together will provide the best mitigation results. And, like it or not, with today's cyber environment and internet use, you need working cybersecurity strategies in place.
Do you have cyber liability insurance cover? Getting it will give you the cover you need for a data breach and the subsequent claims when it happens. Ask your insurer directly whether their general liability coverage includes cyber liability.
If not, get a policy that covers unauthorized exposure of confidential data, hacking events, intellectual property infringement, vendor liability breaches, social engineering breaches, and improper equipment disposal. Protect your assets, your company, and your employees.
PS: this is the time to get an employee benefits package that secures your employees in your organization. Let Zupnick & Associates help.