IT Brief UK - Technology news for CIOs & IT decision-makers
Story image
A reality check on email security threats in healthcare
Mon, 27th Nov 2023

In August, Barracuda published its fifth annual review of reported ransomware incidents around the world, which showed how ransomware attacks hitting healthcare organizations had more than doubled since 2022. This finding was based on publicly reported incidents and is in line with other studies based on both reported and unreported incidents.

However, if you look at healthcare in the context of other industry sectors, a more complex picture emerges. In many cases, healthcare suffers fewer major cyberincidents than other industries — but the attacks make headlines because of the risk and sensitivity of clinical activity and patient data. And in some cases because the impact, while limited, is severe. 

Healthcare is an enduring target for cyberattack
In  March, a ransomware attack on one of Barcelona’s main hospitals crippled the centre’s computer system and forced the cancellation of non-urgent operations and patient checkups. The attackers spent the next few months posting allegedly stolen data online after the hospital refused to pay the ransom.

A few months later, in August, a cyberattack against Prospect Medical Holdings in the U.S. disrupted hospital computer systems across the nation, forcing emergency rooms in several states to close and ambulances to be diverted. 

Understanding and addressing the cyber risks facing healthcare organizations is critical. 

A good place to start is with email-based risk. Email remains a primary attack vector with a high success rate that is a common entry point for many other cyberattacks. In a post-pandemic world, where the move towards digital healthcare and connected data is accelerating, broadening the attack surface for threat actors to target, healthcare organizations are more exposed than ever.

45% of healthcare organizations said they felt a lot more secure in 2022 — although 77% suffered an email security breach 
Recent international research undertaken among mid-sized organizations found that, in 2022, 77% of respondents from the healthcare sector had experienced an email security breach. The all-industry figure was 75%. 

Despite this, respondents from healthcare organizations were bullish about their ability to withstand a cybersecurity incident — with 45% saying they felt “a lot” more secure than last year, compared to 34% across all industries. This may have more to do with practices, policies, and awareness than investment, as only 10% said they invested more in cybersecurity in 2022, the second lowest figure overall.

The healthcare industry has greater confidence than many other sectors in its ability to tackle email-based threats.
Barracuda has identified 13 email threat types, from basic phishing and malicious links or attachments to sophisticated social engineering techniques such as business email compromise (BEC), conversation hijacking, and account takover. Healthcare organizations are less likely than many other industries to feel underprepared to deal with these kinds of email-borne threats. 
A graph of security risk

Description automatically generated

Healthcare organizations struggle most with recovery costs after an email security incident
Just under half (44%) of the healthcare organizations surveyed cited recovery costs when asked about the impact of successful email security attacks — compared to 31% overall — with the average cost of the most expensive attack approaching one million dollars ($975,000 USD).

Healthcare budgets are often overstretched, and the combination of limited resources, complex and often critical technology systems, plus the pressure to get everything up and running again as soon as possible are likely to be contributory factors to recovery costs being the most listed impact.

The loss of sensitive, confidential, or business-critical data was, however, lower than average — 29% compared to 43% overall. This could be because, after so many years of being a cyberattack target, healthcare organizations now face exceptionally stringent policies for the sharing, storing, and backup of medical data and other Protected Health Information (PHI).
A graph of multiple colored bars

Description automatically generated with medium confidence

60% were hit by ransomware — making healthcare among the least affected industries
The survey found that 60% of healthcare organizations surveyed had experienced a ransomware attack — the second lowest proportion after consumer services (50%) and below the all industry average of 73%. This figure is reflected in other studies, although public perception might expect the result to be significantly higher.
A graph of a number of ransomware

Description automatically generated

29% of healthcare organizations reported two or more successful ransomware incidents, compared to an overall figure of 38%. This suggests that attacks are not always completely neutralized or that security gaps are not always identified and addressed after the initial incident.
The good news is that more than half (59%) were able to restore encrypted data using backups, compared to 52% overall, and just 22% paid the ransom to recover their data, compared to 34% overall.

Spear-phishing attacks have a significant impact
Just 8% of the healthcare organizations surveyed felt underprepared to face a spear-phishing attack. To some extent, this confidence is justified, as only 32% of healthcare respondents were hit with such an attack in 2022, compared to 50% overall. However, for those who were affected, the impact of the attack was often severe.

60% of those affected said that computers or other machines had been infected with malware or viruses, compared to 55% overall, while 60% said that confidential or sensitive data had been stolen, compared to 49% overall. 70% reported stolen login credentials or account takeover, compared to 48% overall, and 40% reported direct monetary loss.

It takes healthcare around 3.5 days to detect and remediate an email security incident 
The research found that it takes healthcare organizations less time than many other sectors to spot an email security incident — 29 hours, on average, compared to 43 overall — but it was near the middle of the field when it came to responding to and remediating the incident — taking 51 hours on average, compared to 56 overall. 
According to respondents, the biggest obstacles to fast response and mitigation were a lack of automation, cited by 40%, compared to an all-industry total of 38%, and a lack of budget, cited by 34%, compared to 28% overall.  

Securing healthcare
Email-based cyberattacks have been around for decades, yet they remain widespread, ever-evolving — and persistently successful. 
Healthcare organizations need to have robust email security in place, with strong authentication controls — multifactor authentication at the very least but ideally moving toward Zero Trust measures — as well as restricted access rights, automated incident response, and AI-based threat detection and monitoring. All of which should be accompanied by continuous employee education and awareness training so that people know how to spot and report a suspicious message.

Ideally, these email defenses should form part of an integrated security platform that provides the IT team with full visibility of the entire IT environment and the ability to detect, investigate, and respond to incidents or patterns of abnormal behavior that could indicate unwanted intruders.  

The survey was conducted for Barracuda by independent research firm Vanson Bourne and questioned IT professionals from frontline to the most senior roles in companies with 100 to 2,500 employees across a range of industries in the U.S. and EMEA and APAC countries. The sample included 62 healthcare organizations.