Remote Work Boom Fuels Surge in Cyberattack
Ransom demands connected to cyberattacks have escalated significantly. In the third quarter of 2018, ransom demands were virtually non-existent, but this figure skyrocketed to nearly $240,000 by the third quarter of 2020, according to data compiled by Westport, Conn.-based cybersecurity company Coveware. By the end of 2020, the average ransom demand fell slightly to over $150,000, but this decline should not be mistaken for an improvement in the landscape of cyber threats.
However, the actual cost of these ransom payments does not encapsulate the extensive damage that cyberattacks inflict on healthcare organizations. In a 2021 briefing, the U.S. Department of Health and Human Services (HHS) Cybersecurity Program highlighted that ransomware attacks were behind nearly half of all data breaches in the healthcare sector during 2020. The healthcare sector has, in fact, emerged as the most targeted sector for such data breaches.
The Changing Landscape of Cybersecurity and the Increasing Threat
It’s important to note that virtual private networks, or VPNs, may not be the definitive solution to this problem. While VPNs can shield many organizations from cyber threats, certain associated vulnerabilities mean risks continue to persist for both users and organizations. The rise in remote work, which began in the pandemic and continues to this day, only compounds this issue, according to the HHS. Hackers are increasingly targeting home-work environments.
Furthermore, the Bring Your Own Device, or BYOD, policies that many healthcare organizations have adopted may leave them vulnerable to cyberattacks. The HHS Cybersecurity Program noted that a staggering 72% of organizations either lacked malware protection for BYOD entirely or depended solely on endpoint software installations.
The focus of cybersecurity measures has shifted drastically. Earlier efforts were concentrated on protecting a single data source. However, the influx of connected devices and the reliance of various departments on data access mean healthcare institutions may be even more vulnerable to cyberattacks.
Mike Swyt, senior vice president and chief information security officer at Change Healthcare, says the issue is multifaceted. “We no longer live in an era where there is a single key database that holds all sensitive data,” Swyt says. “Today’s reality in healthcare is that data is dispersed throughout organizations. It can be found anywhere from claims processing units to eligibility transactions or clinical data at the point of care. This ubiquity of data within the organization makes the task of protection more challenging.”
Healthcare Institutions: The Prime Targets for Cyberattacks
According to Seattle-based cybersecurity firm Critical Insight, cyberattacks impacted approximately 45 million people in 2021. This figure is a major jump from the 34 million people affected in 2020 and the 14 million affected in 2018. These findings come from the cybersecurity firm’s in-depth examination of breach data reported to HHS by healthcare organizations.
For instance, in October 2021, hackers accessed Fort Lauderdale, Fla.-based Broward Health via a third-party medical provider. While there was no evidence of data misuse, FierceHealthcare reported that approximately 1.3 million patients and staff were potentially exposed.
Another instance is Manitowoc, Wis.-based Forefront Dermatology, which is now facing a class-action lawsuit due to a 2021 data breach that exposed the data of about 2.4 million patients. Compromised data included patient names, addresses, dates of birth, patient account numbers, and health insurance plan member IDs.
Then there’s the most recent cyberattack that has garnered headlines around the globe—the October 2022 breach at CommonSpirit Health. One of the nation’s largest hospital networks, the 142-hospital-strong CommonSpirit Health was taken down by a ransomware attack that delayed patient care and suspended access to electronic healthcare records. Devastatingly, the ransomware attack also exposed the personal data of more than 620,000 patients.
The escalating threat of cyberattacks, the changing cybersecurity landscape, and the unique vulnerabilities of healthcare institutions underscore the urgent need for comprehensive cybersecurity measures. As healthcare organizations adapt to the evolving digital age, protecting sensitive data from cyber threats must be a top priority.
Review Cybersecurity Webinar
In this on-demand webinar, experts from Change Healthcare, HITRUST, and Google Cloud Healthcare and Life Sciences discuss data privacy regulations, encryption at rest, third-party certification, and the critical nature of shared responsibility for cloud security.