Why smaller hospitals are targets for cyberattacks

This week, Chief Healthcare Executive is taking a closer look at cybersecurity in healthcare. Today, we look at the risks for smaller hospitals, which have fewer resources to combat attacks.

Crane Hassold wants to dispel a myth.

Hassold, the director of threat intelligence at Abnormal Security, a cybersecurity firm, said it’s time to drop the idea that cyberattacks are only aimed at large companies. That’s simply not true, he told Chief Healthcare Executive.

Since 2020, the median revenue of ransomware victims is $27 million, according to an Abnormal Security report.

“There's a perception out there that large organizations are the primary targets of ransomware attacks,” Hassold said. “Small businesses are actually the primary target of ransomware attacks today.”

In the world of healthcare, small hospitals and healthcare organizations are inviting targets, Hassold and other cybersecurity experts say.

Smaller hospitals and health systems have fewer resources, in terms of both staffing and money, to defend against cyberattacks. While they may not offer the prospect of a whopping payday for bad actors, attackers have a better chance of breaching their systems. It may be less money, but in some cases it’s easier money.

So even with their limited resources, smaller healthcare systems have to be aware of the dangers of cyberattacks and take steps to protect their networks, and their patients, experts say.

‘Low-hanging fruit’

Lee Kim, director of privacy and security at the Health Information Management and Systems Society, said some attackers may want to try to hack into smaller healthcare systems before going after bigger targets.

“Whether it’s a new exploit actors try to test out, they could start small and go with the low-hanging fruit,” Kim said.

“Smaller organizations are viewed as less of a bust,” she said. “The reason is: time is money.”

Kim said cyberattacks are “threatening just about everyone, regardless of size.”

Linda A. Stevenson is the chief information officer with the Fisher-Titus health system, a rural healthcare provider in Ohio. She said she dealt with a breach at the hospital just months after she took the job in 2019.

It wasn’t a ransomware event and it didn’t bring down the system. But it was enough to help the health system’s leaders see that cybersecurity is a threat, even to a rural system anchored by a hospital with 99 acute-care beds.

“Thank God we had already started having that conversation about our security program,” Stevenson said.

John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk and a former senior executive in the FBI’s cyber division, said smaller healthcare systems need to understand they are vulnerable to attack.

Leaders of smaller healthcare systems can start to improve their cybersecurity with a little self-reflection, he said in an interview with Chief Healthcare Executive.

Riggi said leaders should look in the mirror and ask, “Have they made cybersecurity a priority? Have they set the tone from the top?”

“That in itself will make the organization more secure,” Riggi said.

As vital as ‘medical hygiene’

Even smaller organizations with limited resources can take important steps to fortify their defenses, even by simply changing the culture when it comes to cybersecurity. Workers need to think about it beyond the occasional or annual refresher course for training.

Cybersecurity needs to be thought of as a critical step to protect patients, Riggi and other experts say. If an employee clicks on a link from a malicious email, it could lead to a cyberattack that prevents hospitals from accessing medical records, delaying procedures and diverting ambulances.

In other words, being careless about cybersecurity raises the risk of bad outcomes for patients.

“Cyber hygiene is as important as medical hygiene to protect the patient,” Riggi said.

Hospital systems need to be using multi-factor authentication. They also need to check their network security continuously, and they need to have multiple, highly secure backups of data, including one copy that is unchangeable, Riggi said.

Cybersecurity policies need to be spelled out and they need to be accessible to all employees, Kim said.

As Kim said, all healthcare employees are responsible and play a role.

“Every user at the small healthcare system can do their part,” Kim said.

Everyone should look carefully at emails coming from outside the system. Experts suggest making sure emails coming from outside the company are marked as external emails.

Beyond that, employee policies need to make clear that people shouldn’t simply click on links from senders they don’t know.

“The number one way folks are getting into systems is by phishing,” Kim said. “If you see an email that doesn’t look right, don’t be curious. Pick up the phone. Speak to IT. Don’t respond to the suspicious email.”

Employees need to make sure web browsers are up to date. For those who use laptops or smartphones for work at home, Kim said, “make sure your kids aren’t using it to play Angry Birds.”

Healthcare systems, particularly smaller organizations, should look to a trusted vendor to help strengthen their cybersecurity. Hospital systems should also consult with the federal Cybersecurity & Infrastructure Security Agency, a division of the U.S. Department of Homeland Security. CISA will offer risk assessments and penetration testing, Riggi says.

CISA also offers a host of free resources that can help healthcare systems improve their cybersecurity, and those free resources are very helpful, Kim and other experts say.

"Just because it's free does not mean it's inferior," Kim said.

Coming tomorrow: How cyberattacks could harm patients