Three reasons why healthcare is often the target of cyberattacks

If your client works in the healthcare industry in Canada, they likely know they are an attractive target for cybercriminals.

But new research from global cybersecurity company Kaspersky sheds light on some of the reasons why. The study of more than 1,700 employees of healthcare organizations in the United States and Canada (including more than 750 in Canada) found that many are lacking cybersecurity education in three main areas: regulation, policy and training.

“Of these key areas, the most alarming statistic found that nearly a third of respondents in North America (32%) said that they have never received cybersecurity training from their workplace, but think they should have,” Kaspersky said in a press release Tuesday. In Canada, this number increased to 41%.

According to specialist insurer Beazley‘s 2019 Breach Briefing released earlier this year, the healthcare industry continued to be the most targeted sector by cybercriminals in 2018, accounting for 41% of attacks.

How does the healthcare industry fare in terms of cybersecurity policy? In the Kaspersky survey, about one in five (21%) of respondents admitted that they were not aware of the cybersecurity policy at their workplace, while 19% said there needed to be more cybersecurity training by their organization.

Another area of concern revolved around regulation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA). In Canada, nearly half of respondents (49%) said they didn’t know if sensitive patient healthcare information (PHI) needed to stay in Canada. Only 1% of respondents correctly identified that all Canadian PHI can reside in the U.S., with the exception of British Columbia and Nova Scotia.

“These results bringing to light the alarming amount of healthcare industry employees that do not understand the PHI laws their government puts in place to protect patient confidentiality,” the report said. “With a clear lack of knowledge about the regulations meant to keep PHI safe, healthcare workers are widening the gap for cyber attackers to breach their IT systems and exploit sensitive patient information.”

Kaspersky launched its first report, Cyber Pulse: The State of Cybersecurity in Healthcare, in December 2018, focusing on ransomware attacks in healthcare, how patient information is being protected, why it’s important to consider cybersecurity in the workplace and workplace cybersecurity confidence. Released Tuesday, Cyber Pulse: The State of Cybersecurity in Healthcare – Part Two, examines healthcare industry perceptions on cybersecurity regulations, policy awareness and training.

From an IT perspective, 32% of healthcare IT respondents said that they are aware of their organization’s cybersecurity policy and have read it only once. Fifteen per cent of respondents admitted they had never read the policy.

Since the majority of healthcare organizations store patient information electronically, it’s of paramount importance that healthcare practitioners know how their IT devices (such as laptops, tablets and mobile phones) are being protected, Kaspersky said. However, according to the study, two in five (40%) healthcare workers in North America were not aware of cyber measures in place at their organizations to protect IT devices.

“It is clear there is a lack of cybersecurity awareness present in the healthcare profession,” the report said, using the example of an employee who cannot tell the difference between a phishing email and a real one from a bank, so they click on a questionable hyperlink. “Employees are just one click away from unknowingly infecting their entire organization’s IT systems with malware and other viruses.”