How Healthcare Providers Can Protect Their Data


Remember paper charts? That is what Memorial Health System's staff fell back on this month after a ransomware attack left them unable to access their electronic records. The Ohio-based health system was forced to divert patients to other hospitals while it worked through the disruption.

Memorial Health is just one of many cyberattacks hitting the healthcare industry. Healthcare breaches are reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), and those reports show 343 breaches in the first six months of 2021, up from 270 in the same period of 2020, an increase of 27%. The trend is long-running: in the first six months of 2015, 142 breaches had been reported.

Why Healthcare Data is the Ultimate Prize

For cybercriminals, obtaining healthcare data is like shopping at the luxury retailer instead of the discount store. A single record can yield a person's name, date of birth, Social Security number and financial details in one place. Because a healthcare record bundles more personally identifiable information than a financial record alone, it sells for more on the black market. Medical record data is assembled into "identity kits" that can be worth up to $2,000 on the dark web and are used to create fake IDs or file fraudulent insurance claims.

The healthcare industry is considered an easy target. Smaller hospitals and nonprofits with limited budgets, like Memorial Health, are often hit because they are seen as having fewer defenses. Larger healthcare systems are sprawling and varied, and their networks of doctors' offices, pharmacies and partner organizations give attackers many possible entry points.

Cybercriminals also know that hospitals and healthcare organizations are likely to pay to regain access to their data: human lives may be at stake, and the alternative can mean lawsuits and reputational damage. According to IBM's 2020 Cost of a Data Breach Report, healthcare breaches are the costliest of any industry, with an average cost of $7.13 million, up 10% from the 2019 study.

IT Security Becomes Secondary During the Pandemic

The pandemic overwhelmed hospitals and healthcare organizations, and attention understandably went to patient care rather than to protecting patient data. Cybercriminals took advantage of the chaos and kicked them while they were down. Makeshift temporary facilities and fatigued staff letting their guard down made it easy to gain a foothold.

The pandemic also drove a rise in telehealth as patients avoided in-office visits over fears of coronavirus transmission. As of July 2021, telehealth utilization had stabilized at a level 38 times higher than before the pandemic. Providers had to adjust quickly, conducting appointments over unfamiliar telehealth technology and overseeing the migration of patient records to cloud services, which led to patchwork security for patient information.

DarkOwl, a dark web research company, has noted an increase in mentions of major healthcare and telehealth companies across the dark web, along with evidence of malware toolkits specifically targeting telehealth technologies and ransomware strains configured to take down healthcare IT infrastructure.

Healthcare Devices Not Keeping Pace with IT Security

Securing healthcare data is possible, and the best approach is to stay a step ahead of the attackers. Seeing the threats to healthcare providers, especially during the pandemic, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has stepped up its efforts and offers guidance on mitigating threats and staying vigilant.

One area that healthcare providers should examine closely is the security of networked (IoT) medical devices. These include equipment such as heart rate monitors and insulin pumps, often managed by third-party vendors whose service agreements make security patching costly. A recent study found that almost half of respondents rate their staffing for medical device and IoT security "inadequate," with respondents reporting a mean cybersecurity staff of around 12 or 13 people.

Federal regulators and trade associations are racing to update their rules for IoT medical device manufacturers and the security requirements for their products. The challenge is that most medical devices take years to develop and gain approval, and hospitals then use them for many more years, so the security built in at design time is soon outdated.
