What is it about healthcare?

Longtime readers of this blog might be experiencing a sense of déjà vu as we report, yet again, on warnings of elevated cyberattacks targeting the healthcare industry.

Throughout the spring of 2020, as COVID-19 was beginning to strain healthcare resources, there were multiple reports of high threat levels, particularly regarding ransomware, which we wrote about here and here. Rates of data breaches and intrusions ballooned along with ransomware through that year and in 2021, as we discussed here and here.

Which brings us to a recent threat brief from the U.S. Department of Health and Human Services Cybersecurity Coordination Center (HC3) about a rise in web application attack campaigns that target healthcare organizations.

Multiple contributing factors

Cybercriminals may be ethically and morally challenged, but they’re not stupid — they have good reasons to disproportionately target the healthcare industry, and those really boil down to just two:

  1. High-value data — The data available to be stolen from healthcare organizations includes private financial data about both staff and patients, along with personal medical data about patients, both of which can generate high financial return for those able to carry off a large breach.
  2. More vulnerabilities and attack surfaces — The healthcare industry has been slower than others to adopt new technologies and implement cloud-based digital transformation. This is partly due to its reliance on large numbers of legacy medical devices running obsolete software, and, paradoxically, to its unusually high incentives to protect private data, especially medical data. While most organizations have now overcome their initial resistance to migrating workloads to the cloud (due to perceived security issues), much of this transformation has occurred in a hurry, thanks to — you guessed it — the pandemic. The sudden need to implement remote-work solutions, full-featured patient portals, and advanced telehealth solutions has in some cases meant that security took second place to a concern for maintaining operations.

Minimizing application-threat risks

Despite the increased frequency and sophistication of application-layer and website threats, there are steps that IT professionals in the healthcare industry are increasingly taking to combat those threats and dramatically reduce the risk of a costly and disruptive data breach.

At the top of the list is a shift, both conceptual and technical, away from using point solutions to address specific vulnerabilities or threat modalities, in favor of adopting a platform approach that integrates multiple features and capabilities to provide comprehensive protection.

For example, Barracuda Cloud Application Protection combines full web application firewall (WAF) functionality with a complete set of advanced security services and solutions that protect applications against multiple types of threats, whether they are deployed on-premises, in the cloud, or in a hybrid environment.

Whatever solution or platform you choose should have the following capabilities:

Barracuda WAF-as-a-Service serves as a foundation for a complete web application and API protection (WAAP) platform, delivering many of the capabilities listed above. In addition — and arguably more important — it stands out from other WAF solutions by being incredibly simple to configure, deploy, and use. This makes it ideal for organizations with limited IT security budgets, personnel, and skill-sets.

Understand your risk levels

The first step for any individual organization is to gain a full understanding of where its greatest vulnerabilities lie, in order to see the scale of the risks it faces and to prioritize efforts to mitigate them.

Barracuda Vulnerability Manager is a free online scanner that anyone can use to identify their specific vulnerabilities. It generates a comprehensive report that includes specific recommendations for remediation. It takes about 2 minutes to set up. Honestly, you should use it right now.

As more healthcare organizations adopt advanced, effective protections against the latest generation of targeted threats, we may even see a day in the near future when we’re no longer publishing blog posts about that industry being a prime target for cyberattacks.