Average ransom payments related to cyberattacks have jumped from almost nothing in the third quarter of 2018 to approximately $240,000 in the third quarter of 2020, according to data from Coveware, a Westport, Connecticut-based company that helps businesses remediate ransomware. While the average ransom payment fell to just over $150,000 in the fourth quarter of 2020, that’s hardly good news.
Indeed, the cost of ransom payments doesn’t tell the full story of the damage cyberattacks wreak on healthcare organizations. In a March 2021 presentation, the U.S. Department of Health and Human Services Cybersecurity Program shared the following insights about data breaches in healthcare in 2020:
- Ransomware attacks were responsible for approximately half of healthcare data breaches.
- Healthcare is the most targeted sector for data breaches.
- VPNs won’t necessarily fix this problem; while VPNs can protect many organizations against cyberattacks, certain vulnerabilities associated with VPNs mean users and organizations can still be at risk.
In addition, with the transition to working from home for many healthcare employees during the early months of the COVID-19 pandemic, home work environments were increasingly targeted, per the federal agency’s analysis. Further, healthcare organizations’ Bring Your Own Device (BYOD) policies may also make them easy prey for hackers. The HHS Cybersecurity Program observed that 72% of organizations either lacked BYOD malware protection entirely or relied solely on endpoint software installations.
While cybersecurity efforts once focused on protecting a single data source, the sheer number of connected devices and the departments that rely on access to data mean healthcare organizations may be even more vulnerable to cyberattacks.
“Gone are the days when there was a key database that had all the sensitive information that had to be protected. What oftentimes happens in healthcare is the data is everywhere, whether it’s part of your claims processing or it’s eligibility transactions or clinical data at the point of care, data resides in so many places within the organization,” said Mike Swyt, senior vice president and CISO at Nashville-based technology company Change Healthcare. Swyt has more than 15 years of information security experience in healthcare.
Healthcare organizations are prime targets for cyberattacks
Seattle-based cybersecurity firm Critical Insight revealed that 45 million people were affected by cyberattacks in 2021, reported FierceHealthcare. That’s up from 34 million people in 2020. By way of comparison, 14 million people were affected by cyberattacks in 2018, according to the cybersecurity firm’s report that does a deep dive into breach data reported to HHS by healthcare organizations.
Here are just three examples of data breaches at healthcare organizations:
- Fort Lauderdale, Florida-based Broward Health was attacked by hackers in October 2021, according to reporting by WSVN-TV. A health system spokesperson told the news outlet that hackers accessed its data through a third-party medical provider who had access to its system. The hackers had access to employee and patient data, but there was no evidence of misuse. FierceHealthcare reported that 1.3 million patients and staff were potentially exposed.
- Manitowoc, Wisconsin-based Forefront Dermatology faces a class action lawsuit due to a 2021 data breach that affected approximately 2.4 million patients, according to ClassAction.org. Per the lawsuit, data such as patients’ names, addresses, dates of birth, patient account numbers, and health insurance plan member IDs were exposed to unauthorized parties. Forefront Dermatology posted on its website that the hacker gained access to its IT network in May 2021.
- Indianapolis-based Eskenazi Health was hit by a data breach that impacted more than 1.5 million people, reported WXIN-TV. Cybercriminals had access to data such as names, dates of birth, Social Security numbers, and clinical information, according to the news outlet. HIPAA Journal reported that a patient is suing the hospital as a result of the data breach.
‘Trustworthy Imaging’ is part of the solution
Change Healthcare’s Swyt advises healthcare organizations to create a “culture of awareness” about cybersecurity. That starts with education, he explained.
“It’s part of an employee’s job to be the ‘human firewall.’ All it takes is one employee making a mistake or being careless or being tricked into sharing information to circumvent a lot of very expensive security controls,” said Swyt.
Healthcare organizations should create an environment where “an employee will look at an email that comes in from an odd place or with a goofy link in it, and they’ll question it because they were trained on the basics of cybersecurity,” he added.
Just as important, deploy a multilayered security system that safeguards the end-to-end imaging environment and keeps radiology systems and patient data safe. Keep bad actors out without making clinicians’ work harder by applying user-account control policies, browser policies, firewall policies, and permission policies.
To support healthcare organizations, Change Healthcare has developed what it calls “Trustworthy Imaging,” said Swyt. That includes the following components: multilayered security, Active Directory authentication, in-file permissions, interdiction of Windows 7 exposures (now a high-risk platform since Microsoft ended support), and world-class penetration testing. Think about it like home security. The goal is to deter unwanted persons; but ultimately, if they do gain access, it’s about detection: isolate or stall the theft and facilitate an effective response. Security toolkits further empower IT to detect and neutralize attacks.
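The policy areas named above (user-account control, firewall, permissions, and retiring Windows 7) can be audited on an imaging workstation before a bad actor finds the gap. The script below is an added example written for this page; it is not part of Change Healthcare’s Trustworthy Imaging toolkit and uses only standard Windows PowerShell cmdlets. The image-store path `C:\ImagingData` is an assumed placeholder for the PACS or viewer cache directory.

```powershell
# Added example (not Change Healthcare code): audit an imaging workstation
# against the four policy areas discussed above. Run elevated; exits 1 if any
# finding is raised so it can be scheduled or invoked from a deployment tool.

$findings = @()

# 1. Operating system: Windows 7 (NT 6.1) left extended support in January 2020.
#    Anything older than Windows 10 (NT 10.0) is flagged as out of support.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'10.0') {
    $findings += "Out-of-support OS: $($os.Caption) ($($os.Version))"
}

# 2. User Account Control: EnableLUA=0 (or a missing value) means UAC is off,
#    so any code the user runs already has administrative rights.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
if (-not $uac -or $uac.EnableLUA -ne 1) {
    $findings += 'User Account Control is disabled (EnableLUA is not 1)'
}

# 3. Windows Firewall: every profile (Domain, Private, Public) should be on
#    and should block unsolicited inbound connections by default.
foreach ($fw in Get-NetFirewallProfile) {
    if ($fw.Enabled -ne 'True') {
        $findings += "Firewall profile '$($fw.Name)' is disabled"
    } elseif ($fw.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($fw.Name)' does not block inbound traffic by default"
    }
}

# 4. Permission policy: the image store must not grant broad groups write
#    access, otherwise any compromised user account can tamper with studies.
$ImageStore = 'C:\ImagingData'   # assumed path; substitute the real PACS/viewer cache
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
if (Test-Path -Path $ImageStore) {
    $acl = Get-Acl -Path $ImageStore
    foreach ($ace in $acl.Access) {
        $isBroad  = $broadGroups -contains $ace.IdentityReference.Value
        $canWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
            $findings += "$ImageStore grants write access to $($ace.IdentityReference.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All checks passed'
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Each check maps to one of the policy families in the text: the OS version check catches lingering Windows 7 hosts, the registry check confirms UAC is enforced, the firewall loop verifies all three profiles rather than only the active one, and the ACL walk looks for the broad write grants that let a single phished account alter or encrypt image data. In an Active Directory environment the same settings would normally be enforced through Group Policy; this script verifies the result on the endpoint rather than replacing that enforcement.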
According to the technology company, the benefits of this approach for providers and patients include avoiding disruption of clinical services and serious patient harm, in addition to monetary savings by avoiding HIPAA fines.
Review Cybersecurity Webinar
In this on-demand webinar, experts from Change Healthcare, HITRUST, and Google Cloud Healthcare and Life Sciences discuss data privacy regulations, encryption at rest, third-party certification, and the critical nature of shared responsibility for cloud security.