The average cost of a data breach in healthcare is the highest out of any industry, due to the extremely sensitive nature of the data healthcare organisations collect, such as confidential patient records in the case of hospitals.
The Varonis 2021 Healthcare Data Risk Report found that healthcare organisations have an average of 31,000 sensitive files (such as those containing patient data) open to every employee on the network. Furthermore, 77% of healthcare organisations have over 500 accounts with passwords that never expire.
Together, these factors can create a recipe for disaster – all it takes is one account to be compromised for a hacker to gain access to thousands of valuable files. Once in the network, hackers rely on the ability to remain undetected – and having non-expiring passwords could mean a hacker is lurking for months or even years before they are discovered.
Overall, the healthcare sector is woefully underprepared for attacks, with an average breach lifecycle of 329 days (the time it takes to discover and remedy a breach) — the highest of any industry. The potential damage a cyberattack can cause in healthcare is unparalleled by any other industry, due to the life-threatening impacts on patient safety. In fact, 2020 marked the first year that a patient’s death has been directly linked to a cyberattack.
COVID-19 has enabled attackers to take advantage of under-resourced healthcare organisations on the front lines. With hospitals triaging patients around the clock, a cyber-attack can have devastating impacts on an already severely stressed system. The recent string of attacks against Australia’s hospital system demonstrates maliciousness on an unprecedented scale, and while hackers’ methods vary, the end goal remains the same: to steal sensitive data.
In order to prevent increasingly malicious and sophisticated cyberattacks, healthcare organisations need to be proactive rather than reactive. One of the most important ways to achieve this is implementing a policy of least privilege, meaning that staff only have access to the files that are necessary to do their jobs. By locking down their most sensitive information, healthcare organisations can restrict the amount of damage that occurs and prevent hackers from moving laterally throughout the network, saving them potentially millions of dollars. This policy is an absolute bare minimum precautionary measure that all healthcare organisations need to take.
Adam Gordon’s comments are in response to the ransomware attack on Queensland hospitals and aged-care facilities, which has led to the widespread disruption of IT systems.