Healthcare organizations: attractive targets for cybercrime
Organizations in the healthcare and pharmaceutical industry can use the knowledge of their threat landscape — and the most relevant vulnerabilities — to take specific steps to improve their defenses against the particular types of threats that are most likely to affect them. Organizations in any industry must strike a balance between security on one hand and usability on the other. The varying business and operational needs of organizations in different industries are major factors in where and how they strike that balance. Healthcare providers that face life-or-death situations with their patients may have lower tolerance for interruptions, downtime, or inconveniences that could slow their ability to respond to urgent or time-sensitive clinical needs.
The cost of such an emphasis on expediency is that it can leave organizations with more vulnerable attack surfaces. Combined with the high value of certain types of healthcare data, these vulnerabilities make these organizations more attractive targets to threat actors. Criminals are aware of these breach-related costs, and many believe that healthcare organizations are more likely to comply with data disclosure extortion demands out of a desire to avoid these costs. Threats to disclose compromised data, rather than simply encrypting it for ransom, are now a standard component of ransomware attacks.
The healthcare and pharmaceutical industry is heavily regulated in ways that have significant security implications. Compliance with the security standards of healthcare laws and regulations is a necessary but insufficient condition for a robust security posture. While it is both important and beneficial to check those security compliance boxes, a box-checking mentality can become counterproductive if it leads organizations to become complacent in a false sense of security, or to refrain from considering and defending against threat scenarios that security compliance standards did not envision. Healthcare organizations should treat the industry’s security standards as a bare minimum and seek to go above and beyond what they require.
Attackers will probably not abandon an attack simply because their target is security compliant; rather, they will simply find other ways to achieve their goals that the legal or regulatory security requirements do not cover. Research found that the rise of the remote workforce during the COVID-19 pandemic has transformed the attack surfaces and threat landscapes of all industries, and that the increased use of remote communication platforms, such as Zoom and Slack, has also given attackers more opportunities to send malicious links and attachments to remote workers and gain access to their private communications.