Analyzing user behavior and content across all channels can help defend data
In 2024, healthcare organizations experienced multiple expensive cyberattacks, costing an average of nearly $10 million.[1] And with the expansion of ransomware and extortion exploits, healthcare will likely continue to be targeted by such attacks.
“[Threat actors] are trying to extort payment from organizations. That’s a trend we’re seeing,” said Ryan Witt, Proofpoint’s vice president of industry solutions and chair of the company’s healthcare customer advisory board.
Healthcare chief information security officers are also concerned about data loss attributable to malicious insiders, compromised accounts and careless users on insecure email, remote work apps, cloud computing and productivity platforms.[2]
Advanced security measures are needed to protect patient information from AI-enhanced ransomware, phishing and insider threats and to ensure the integrity of healthcare operations. Understanding healthcare’s current threat landscape represents the first step toward adopting a human-centric, proactive approach to data protection.
Safeguarding data starts with people
Today, attackers target people, not technology. And that’s where cybersecurity leaders should focus their attention and resources.
“The cybercrime economy is largely based on how exploited humans interact digitally,” said Brian Reed, Proofpoint’s senior director of cybersecurity strategy. “It’s a far lower barrier of entry to socially engineer a victim or craft a phishing lure than to spend time and energy building, testing and releasing zero-day exploits.”
Reed estimates that in healthcare, as in most other industries, about 80% of attacks focus on human elements rather than on technical vulnerabilities. “The vast majority of those cases of data loss are just good people making bad decisions,” he said. According to Reed, the most common such threats are:
- Ransomware attacks, which usually involve an inducement to install a browser extension, click a link or download an app;
- Business email compromise, consisting of disguised attempts to get users to take an action outside of the usual workflow; and
- Data loss due to malicious, compromised or careless insiders.
Preventing accidental and intentional data loss
Traditionally, cyber defense has meant patching vulnerabilities, stopping inbound phishing attempts and identifying social engineering efforts before they reach end users. However, an exponential increase in endpoints, widespread cloud adoption across the healthcare ecosystem, and a constantly fluctuating workforce that can include temporary employees and traveling clinicians have increased the demand for data loss protection (DLP) solutions.
Proofpoint’s 2024 Data Loss Landscape report stated that 70% of respondents named careless users as a leading cause of data loss and regulatory violations.[3] Verizon’s 2024 Data Breach Investigation Report found that 68% of breaches involved a “non-malicious human element, like a person falling victim to a social engineering attack or making an error.”[4] Illustrating this point, a 2023 report from Tessian (now a Proofpoint company) found that about one third of employees sent about two emails to the wrong recipient annually.[5]
DLP solutions recognize that preventing data loss from the inside is just as important as stopping external exploits. Most approaches use sophisticated pattern matching to try to identify sensitive data that might accidentally or intentionally be exfiltrated before it can leave the network. Advanced DLP goes much further; large language models can look at billions of records and classify sensitive data by understanding context and the relationships between and among files and directories.
Joshua Linkenhoker, Proofpoint’s enterprise security advisor, said these models can scan outbound email or file transfers to identify attachments potentially containing sensitive data. Even more powerfully, AI can be trained on human behaviors to stop hard-to-catch mistakes such as accepting an incorrect autofill suggestion for an email recipient. Linkenhoker calls it “behavior-driven functionality.”
Detect data exfiltration from email, the cloud and endpoints
Real-time AI interventions add a powerful component to automated compliance. Every time an employee is guided to make the right choice in handling sensitive data, a potential regulatory violation is avoided.
Behavioral AI can also coach users to think twice before moving data onto an insecure cloud storage folder or sharing a sensitive file via OneDrive or SharePoint. Witt believes cloud-based productivity apps that default by design to sharing information have become a major vulnerability in healthcare.
Reed agreed that it’s one thing to anticipate the moves of a determined cybercriminal, but much harder to anticipate the creative, if insecure, workarounds of an overburdened healthcare workforce.
Of course, he added, behavioral AI can also stop anomalous behavior with more malicious intent. When a user who’s already given notice starts renaming sensitive financial files “family pictures.zip,” moving them to a USB drive and deleting them from a local drive, it’s clear that this kind of exfiltration isn’t innocent. And without the ability to use scalable AI to recognize suspicious behavior, it’s hard to identify internal bad actors.
With an increasing number of endpoints and channels to monitor, specialized information security solutions have multiplied. While a “defense in depth” approach is valuable, a multiplicity of data feeds can make it more difficult for healthcare security analysts to review incidents in real time and understand human actions in context.
Proofpoint research indicated that nearly 70% of surveyed IT professionals rank visibility into sensitive data, user behavior and external threats as the most important capability for data loss prevention programs.[6] It’s a complex problem because information security analysts need to see both deeper and wider simultaneously, also known as having visibility at scale.
When information that flows from different sources is integrated, healthcare organizations can move from protecting against known, commoditized attacks to preventing the most advanced, tailored and unanticipated exploits. That provides an opportunity to employ AI across information silos to achieve a truly contextual, 360-degree view of the threat environment.
“You now have to go find the needle in the haystack,” Witt said. “You need that level of full visibility, that level of analytics, that level of AI that is detecting a small number of interactions.... You’re capturing just a very small fraction of the totality of the traffic, but it’s that little bit that really matters.”
References
1. IBM and Ponemon Institute. 2024. Cost of a Data Breach Report 2024. https://www.ibm.com/reports/data-breach.
2. Proofpoint and CyberEdge. 2024. The 2024 Data Loss Landscape. https://www.proofpoint.com/us/resources/threat-reports/data-loss-landscape.
3. Ibid.
4. Verizon. 2024. Verizon 2024 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/.
5. Proofpoint. 2024. Transforming DLP [eBook]. https://www.proofpoint.com/sites/default/files/e-books/pfpt-us-eb-rethinking-dlp.pdf.
6. Proofpoint and CyberEdge, The 2024 Data Loss Landscape.