In a hyper-connected world, no organization is immune to cybercrime. In many respects, no sector is more vulnerable to attack than the healthcare industry. Network managers, provider administrators, and healthcare service providers are targets of relentless attacks. Too often they are the least prepared.

In this article, we discuss the general landscape of network security in the healthcare sector. We then examine specific incidents to learn how to best protect against and recover from data breaches.

The Special Case of Healthcare in the Fight Against Data Breaches

It’s logical that healthcare data attracts the attention of cybercriminals. As the 2020 Healthcare Breach Report from Bitglass points out, the vast majority of healthcare providers store and process protected health information (PHI). These data include social security numbers, financial information, and, of course, health information. They are a readily available target for cybercriminals.

According to a July 2022 article in Healthcare IT Security, the healthcare industry has endured the highest cost per incident for twelve years running. At an average cost of $10.1 million, the healthcare sector has suffered the “most expensive data breach costs compared to any other industry,” according to the article.

Christopher Scott, Global Remediation Lead and CTO for IBM X-Force IRIS, told Healthcare IT News how healthcare data is a prime target among cybercriminals because of the “excellent resale value” of PHI:

“Unlike passwords that can be changed or credit cards that can be reset with an expiration date,” Scott explains, “health data lasts forever and can be used for numerous malicious activities such as identity theft, insurance and health care fraud, and more.”

Understanding the value of PHI data on the black market is important, but many healthcare providers fail to act on this knowledge, leaving their networks unnecessarily vulnerable to attack. A review of the past few years bears out the challenge facing the healthcare industry in protecting its networks and sensitive data.

Equifax, Tricare and Lessons (not) Learned

The well-publicized Equifax data breach in 2017 exposed nearly 148 million customer data records because the company failed to patch a basic vulnerability, and the incident was a general wake-up call for consumers and businesses. The aftermath of this incident lingers to this day. Personal data was exposed, leaving individuals vulnerable to financial and identity theft, and following a record-breaking lawsuit, Equifax is required to pay out as much as $1.38 billion to resolve customer claims.

One of the biggest data breaches happened in 2011, when the backup tapes of Tricare’s electronic health records were stolen from the car of the individual responsible for transporting the tapes between facilities. Even though it is unclear who stole the tapes, whether they knew what they were stealing, or whether they could decrypt the information, the incident had to be treated as a data breach, as the data of approximately five million patients was compromised. In this case, Tricare’s encryption method did not align with the federal standard for data encryption.

As noted in our recent article, Healthcare Cybersecurity in 2023, there are various recurring security challenges in healthcare which continue to cost organizations millions of dollars each year. To briefly review, the most prevalent security challenges are phishing, ransomware, and data breaches.


Even with these episodes clear in recent memory, the healthcare industry remains largely unprepared to defend against cyberattack. Let’s review some examples of these challenges to understand how weaknesses have been exploited recently.

Phishing

Highmark Health

The security breach recently reported by HealthITSecurity highlights what may be the oldest and simplest scam in the cybercriminal handbook: phishing.

The Pittsburgh-based Highmark Health, the second-largest integrated delivery and financing system in the U.S., announced in December 2022 that an unauthorized individual accessed the email account of one of its employees after the employee responded to a phishing email.

Before the attack was stopped, up to 300,000 patient medical records were exposed. The breach jeopardized personal and contact information, diagnosis and treatment records, and health ID and provider names. Additionally, the social security numbers of a subset of individuals were exposed.

In response to the data breach, Highmark Health immediately deactivated the affected mailbox, implemented network blocking, and reset passwords.

Evergreen Life

In October 2019, UK-based mobile healthcare app services provider Evergreen Life fended off an attack targeting the account of one high-level executive. Seeking to leverage his influence, the attackers sent a fraudulent email to everyone on his contact list.

The attack was stopped before the networks were accessed. Evergreen Life reports that the data segmentation protocols used shielded core patient data records from exposure.

Evergreen Life notwithstanding, phishing attacks are among the most common types of cyberattacks. Phishing is a relatively easy way in. Once inside a healthcare organization’s database, it’s up to the intruder to decide how much damage will be done.

Ransomware

Virtual Care Provider, Inc

The Milwaukee-based company provides IT consulting, internet access, data storage, and security services for 110 nursing homes and acute-care facilities throughout 45 states. In November 2019, the company reported an attack by a strain of ransomware known as “Ryuk”.

As it did with Virtual Care Provider, ransomware like Ryuk brings an organization to a standstill, locked out of its own networks. The perpetrators demanded $14 million for the keys back into their networks.

CommonSpirit Health

In October of 2022, the Catholic nonprofit hospital chain CommonSpirit suffered a ransomware attack which cost the company $160 million. The ransomware attack forced CommonSpirit Health to take its systems offline and exposed the personal data of more than 623,700 patients.

On May 25, 2023, CommonSpirit estimated that the attack cost them $160 million. Additionally, the health system is facing two class action lawsuits related to the ransomware attack. According to an article from Cyber Security Hub, “both lawsuits, which were filed with the US District Court for the Northern District of Illinois and in Washington state, allege that CommonSpirit was negligent and failed to implement appropriate cyber security safety measures, leading to the exposure of confidential information.”

Learning from these attacks and the methods employed is the first step towards training personnel and hardening infrastructure to defend against them. Cybersecurity awareness training resources have been compiled by private and government entities to help raise awareness of issues and provide certification-focused instruction. Two places to start looking for this information are the CISA website (of the United States Cybersecurity and Infrastructure Security Agency) and the Security Awareness Training site of the Department of Health and Human Services.

Review of Breaches in 2022

Phishing and ransomware attacks are not the only ways cybercriminals seek to penetrate the networks that host healthcare information, but they are some of the most common. The impact has been significant.

The healthcare industry endured yet another hard year in 2022. According to a HIPAA Journal Data Breach Report, the total number of records breached last year topped 51.9 million, 13% down from 54.09 million in 2021. Even though the number of breached records fell between the two years, the year-to-year trend in reported breaches is alarming. In the space of ten years, the number of reported data breaches has more than tripled, from 218 breaches in 2012 to 707 in 2022.

To be fair, given the value of PHI and the sophistication of many data breaches (even those initiated through simple phishing attacks), healthcare providers are in an arms race to keep their networks secure and resilient.

A look at some of the top data breaches in the industry from 2023 reveals how too often organizations unwittingly let cybercriminals in through the front door, sometimes not even realizing the intruder is inside.

Here are some quick stats:

  • According to the HHS Office for Civil Rights (OCR) data breach portal, during the first half of 2023, more than 39 million individuals were implicated in healthcare data breaches.
  • The average cost of a healthcare data breach is approximately $7 million.
  • Healthcare organizations across the world averaged 1,463 cyberattacks per week in 2022; this is 74% more than what was reported in 2021.

These figures are staggering. Time is of the essence when it comes to hardening your infrastructure, training your personnel, and acting in ways that guard the security of information in your charge.

Looking Forward: Protect Your Network, Business, and Patients

In our next article, we look to break down the three broad categories of network security:

  • Infrastructure
  • Employee awareness training
  • Behavior modification

With comprehensive systems, procedures, and protocols in each of these areas, healthcare organizations can guard against cyberattacks, respond quickly and effectively if an attack does happen, prevent losses, and maybe even save lives.