How to improve the cybersecurity posture of healthcare and pharmaceutical companies

Kiran Vangaveti
January 31, 2023

Threat landscape of the health industry

The healthcare industry is one of the biggest victims of cyber attacks and data breaches. However, even when industry professionals are aware of the vulnerabilities that plague the sector, little is done to ensure that systems are secured. Healthcare and pharmaceutical companies are massive repositories of health and personal information of patients, and such information is highly valuable on the black market.

Healthcare records for targeted patients fetch an average of $250 per record, making them the most valuable stolen data. For comparison, credit card information could be purchased for as little as $5.4, almost 50 times less than healthcare information.

The health sector is becoming more vulnerable every day, with little innovation or action in the industry to mitigate threats. In this article, we discuss how cyber threats plague the healthcare and pharmaceutical industry and the best practices to better protect systems.

Assessing exposure

Healthcare and medicine are becoming more reliant on machines with the advent of advanced digital systems capable of managing and monitoring patient health accurately. However, as more devices connect to the network, patients are exposed to the risks that the internet brings. The health sector, although very welcoming towards technology, has paid negligible attention to installing measures that protect enterprise data. This has allowed threat actors to exploit vulnerabilities and extract critical confidential information.

The value of patient data

Unlike credit card and payment-related information, which can easily be blocked, altered, and even replaced, patient data is permanent. Patient records contain data that can never be altered or replaced. Once in the hands of cyber attackers, patient data gives them access to personal information that can be used for acquiring bogus prescriptions, filing false claims with insurance companies and more. The permanent nature of patient data makes it much more valuable than any other type of stolen information.

The crown jewels of the drug makers

Pharmaceutical companies, like other healthcare institutions, store information on patients in their databases; however, this is only a small part of the data that is at risk of breach. Pharma companies store information on drug patents, ongoing and future clinical trials, projects under development and information on storage facilities. All of this information, if accessed by cyber criminals, can be used to harm patients and advances in medicine. For attackers targeting pharmaceutical companies, one of the most common goals is intellectual property theft, which can render the cost of research and development meaningless.

An overview of failure

Medical information theft is increasingly becoming one of the most common incidents in cyberattack news. In 2020 alone, 599 healthcare breaches were reported in the US, with the highest average cost per breach of any industry at $7.13 million and an average cost per record of $499. Within a single year, from 2019 to 2020, the number of reported healthcare breaches increased 55 percent, costing healthcare companies $13.2 billion.

Even though some of the most critical patient information is stored with healthcare and pharmaceutical companies, the systems responsible for protecting such data are so weak that 34% of all data breaches are reported by healthcare organizations alone. This has also resulted in an industry-leading 4.08% turnover rate, causing companies to lose customers as soon as the breach occurs.

Where does health cybersecurity fall short?

Imperfect cyber inventory

The health sector stores large amounts of data on patients, relatives and a wide variety of connected devices. Such vast amounts of information have had to transition from an analog world to a digital workspace, creating gaps in the cyber inventory. As a result, most institutions remain unaware of the kind and magnitude of information that is stored with them. When institutions do not know what information they hold, that information becomes harder to protect.

Third-party risk

Healthcare institutions work closely with several third parties responsible for providing equipment, data, software and more. In many cases, patient data is traded between parties in order to make processes smoother and improve patient care. However, this exposes patient data to the risk of breaches caused by vulnerabilities in the third parties' systems.

Insider management

Notably, the majority of breaches reported in the healthcare industry originated from within the organizations. A staggering 59% of all breaches occurred due to the direct involvement of internal threat actors. While most organizations look at outside actors and competitors when breach incidents are discovered, the healthcare industry is a victim of grave insider mismanagement. 

(No) lessons from the past

Healthcare institutions have fallen victim to some of the most devastating cyber attacks in recorded history, but seldom has the industry witnessed stringent measures to ensure data security.

For example, when three of the largest Blue Cross Blue Shield Association members fell victim to massive data breaches in 2015, exposing over 100 million patient records, it was expected that data security would become a priority for all affected and related organizations. However, in 2018, the personal information of over 16,000 patients was exposed online due to an employee error. The worst part? The error was discovered more than three months later.

In another incident, drug maker Pfizer, which had already witnessed a breach of employee data in 2007, was again targeted by threat actors in 2020, along with other drug makers, to extract intellectual property on the COVID-19 vaccine and its supply chain network.

An ideal approach

Because the sector has among the highest numbers of data breaches, costs and customer turnover, it is critical that healthcare and pharmaceutical companies identify flaws in their systems and patch them before threat actors can take undue advantage of them. The vulnerabilities that exist in the healthcare ecosystem are no harder to cover than those in any other industry. Taking its cue from other sectors, the healthcare sector must therefore improve its practices and prevent data breaches for public and private good.

Here we discuss some aspects of data security that healthcare companies need to work on:

Improve network security

Healthcare organizations, especially clinics and hospitals, use a large number of connected devices to monitor different types of information about the patient. These connected devices share information across multiple systems and can easily be breached should threat actors gain access to the network. Therefore, to preserve patient information and protect devices from threats, healthcare institutions need to improve standards and protocols surrounding network security.

Training employees

Employees in the healthcare sector are often untrained or have outdated information regarding data security. It is important that the workforce is trained and its knowledge updated regularly to ensure maximum data security. Training sessions centred around dealing with suspicious links, preventing phishing attacks and reporting suspicious activity are essential for cyber security.

Internal monitoring

Since more than half of all data breaches in the healthcare industry are caused by internal actors, it is important that organizations constantly monitor employees. Personnel with direct access to critical information or clearances that allow them to gain information on patients must be observed closely to ensure that they are not able to carry or send confidential information outside of the organization. Further, a zero-trust security environment must be built to ensure that employee access is not misused by threat actors. 

Third-party management

The health sector includes several companies working in tandem to improve patient care, causing patient data to be exposed to more risks. Therefore, organizations in the health sector must ensure that they work only with trusted third parties and always keep track of the information being shared with such partners.

Proactive threat hunting

One of the least common practices in healthcare cybersecurity is threat hunting. As healthcare institutions invest very little in cybersecurity, it is only natural that threat hunting is not on the agenda. However, actively looking for threats allows institutions to prevent incidents by identifying potential breaches before threat actors gain access to critical information. Healthcare and pharmaceutical companies, therefore, need to invest in security teams and solutions that are able to identify and neutralize cyber threats before they materialize.