The healthcare industry presents a unique array of cybersecurity concerns. If you’re interested in working in healthcare, an awareness of those cybersecurity issues is absolutely vital.
For example, there is a significant amount of sensitive data that hospitals, clinics and doctor’s offices collect (perhaps as much as 50 petabytes annually) that is also stored for long periods of time. This data, much of it personal health information, is a tempting target for cybercriminals and worth 10 to 40 times more than credit card information on the dark web.
This concentration of valuable, long-lived data has made healthcare increasingly vulnerable to an array of cyber threats. A study published by security firm Proofpoint and the Ponemon Institute earlier this month found the industry is prone to four types of threats: cloud compromises, ransomware, supply chain attacks and business email compromise (BEC) schemes. These incidents cost healthcare organizations up to $5 million in damages, a 13 percent year-over-year increase.
The Proofpoint and Ponemon study backs up other recent data. The Journal of the American Medical Association (JAMA) Health Forum, for example, published an article in December 2022 that found ransomware attacks targeting healthcare organizations doubled between 2016 and 2022, affecting more than 42 million patients.
“The [healthcare] industry also has many third-party workers and a significant number of remote workers—both of whom often use employee-owned devices—which complicates the attack vector,” Ryan Witt, vice president of industry solutions at Proofpoint, recently told Dice about the company’s latest study. “Lastly, most healthcare IT expenditure over the last 10 years has been focused on digitizing patient records. As a result, investment in cybersecurity capability has lagged other industries. Threat actors know this and target healthcare accordingly.”
The federal government has stepped in to help the healthcare sector. In April 2023, for instance, the U.S. Department of Health and Human Services Cybersecurity Task Force released new resources to help with education, preparedness and awareness. Despite this, incidents happen. One recent example: an attack targeting a Tennessee cardiac care clinic, reportedly impacting more than 400,000 patients.
Over the years, the healthcare sector has struggled to attract enough skilled tech professionals as threats continue to grow. While competitive pay is one factor, experts and insiders also noted that the industry requires some specialized skills due to the number of regulations and laws that govern healthcare.
“While healthcare organizations generally pay a competitive rate for their area, working in cybersecurity is so commonly remote that it’s easier for people to find jobs paying considerably more for organizations based elsewhere,” said Shawn Surber, senior director of technical account management at security firm Tanium. “This is especially hard on rural providers. Second, healthcare has taken a beating on the subject of cybersecurity readiness for years. The lack of funding, shifting priorities, and vulnerable infrastructure make securing a healthcare organization a daunting task.”
Still, the wider healthcare industry continues to grow and tech pros looking for security careers have significant opportunities.
Developing a Secure Healthcare Mindset
Working in healthcare requires many of the same technical skills as other industries. Tech professionals interested in this sector, however, must develop a specific mindset, noted Surber, who worked in the healthcare space for several years himself.
“You’re regularly working with systems that could directly impact not just the quality or speed of care that patients are getting but could actually have life-or-death consequences,” Surber told Dice. “That means you have an additional concern with every downtime or performance issue. It means you can’t just block access to resources that make perfect sense in every other setting, because you never know when a provider will need to research something that’s not normally acceptable in a workplace.”
While the healthcare industry does require a specific outlook and mindset for tech pros, it’s also a field where younger workers can gain valuable experience. “Healthcare is a great place for cybersecurity practitioners to work especially when they’re just starting,” Surber added. “You’ll see some of the toughest security problems to overcome and you’ll be protecting some of the most valuable systems and data on the planet.”
Heath Renfrow, co-founder of security firm Fenix24, echoed those sentiments.
“For cybersecurity professionals looking for careers: whether healthcare is a good choice depends on why they are entering the field,” Renfrow told Dice. “Some are financially motivated; others want to work with many other great cyber professionals; others are deeply motivated by making a real difference in the world. The latter group would be good for healthcare because this is one of the industries where cyberattacks do real and tangible harm to innocent people. Protecting a healthcare organization can save lives.”
Over the next several years, the demand for cybersecurity professionals in the healthcare industry is expected to rise alongside its outsized share of attacks and cyber-costs relative to most other industries, said Mika Aalto, co-founder and CEO at Hoxhunt. These cybersecurity challenges, however, create career opportunities for tech professionals as other sectors cut back.
“This is a good industry for aspiring cyber security professionals to target, as they will be able to secure a foothold in a long and productive career that could provide extra meaning as they, along with healthcare providers, ensure the health and safety of patients,” Aalto told Dice. “With the many disruptions reported in the media from ransomware and BEC breaches over the last few years in particular, it's no exaggeration to say that good cybersecurity is a matter of life and death in this critical space.”
Understanding Regulations in Healthcare
A significant barrier to hiring enough tech professionals within healthcare is the large number of regulations within the industry. U.S. laws such as the Health Insurance Portability and Accountability Act (HIPAA) impose strict data security and privacy requirements to protect patient information, and IT and security staff are expected to understand those requirements in detail.
“This complex regulatory environment sometimes requires cybersecurity professionals in healthcare to have specialized knowledge, which can be a barrier to entry for some candidates,” Proofpoint’s Witt points out.
For those aspiring to make a career in healthcare, Renfrow noted that tech and security professionals would benefit from mastering industry-specific frameworks such as HITRUST that address threats specific to the sector.
“Cybersecurity professionals in healthcare will have to align to the mandatory legal requirements of HIPAA, and running afoul of its mandates could involve very hefty fines. Many healthcare organizations use the optional HITRUST security framework to get into compliance with HIPAA and establish security programs,” Renfrow said. “However, it’s very important to note that using HITRUST and being compliant with HIPAA in no way means these organizations are safe from breaches—if they were, we would see few healthcare breaches. Organizations must go beyond these and ensure they are secure against actual adversary tactics, not just compliance lists.”
Help with Training in Healthcare
When looking at the Proofpoint survey numbers, two of the top four most common types of attacks, ransomware and BEC, typically have negligent insiders as their root cause: employees who accidentally cause security breaches due to carelessness or lack of awareness, noted Ian Walters, principal at consulting firm Coalfire.
Both are particular concerns within the healthcare industry and a frequent starting point for breaches.
“The exploitation of insider threats, specifically negligent insiders—employees who accidentally cause security breaches due to carelessness or lack of awareness—and compromised insiders—individuals whose credentials or access have been compromised by external attackers—are some of the most frequent vulnerabilities that we identify while conducting a healthcare risk analysis,” Walters told Dice. “Both are avoidable and take very little effort or skill for the malicious actor to exploit.”
Mitigating insider threats requires cybersecurity training. This opens other doors in the field for tech and security professionals who can teach cyber awareness to employees. Positions such as cybersecurity instructor are becoming more popular with many organizations.
“The skills needed to provide effective awareness and training, and to implement controls to mitigate the likelihood of exploitation, are not readily available in healthcare organizations,” Walters added. “It is often the case that these duties are given to people who already have full-time jobs, and the lack of availability of quality training is evident in the number of ransomware and BEC incidents that could or should have been prevented.”