As we see the number of cyber breaches increasing daily, some industries are impacted more than others. Among the hardest hit is the medical field. Statistics show three three-quarters (75%) of the loss of medical records is due to data breaches from hackers and IT incidents. After that, data loss of medical records comes from theft (15%), loss (10%), and unauthorized access (4%).
The types of attacks are common yet devastating with top methods being ransomware and phishing.
It used to be the bigger healthcare networks were the main victims of the big scams and breaches. They still suffer from such attacks, but now small practices are also being targeted. No size of healthcare practice is safe from ransomware or phishing attacks.
The FBI and DHS encourage all those hit by a ransomware attack to report the incident to authorities for investigation. All organizations, including healthcare, should have reliable data backups and cyber insurance to help them avoid being at the mercy of these hackers. But some lack these resources and aren’t in a position to wait weeks or months for an investigation by overloaded authorities – resulting in some healthcare organizations resorting to paying the ransom in hopes of getting their data back quickly.
HHS Office for Civil Rights Provides Some Security Guidelines
The HHS Office for Civil Rights has guidelines and recommendations for cyber attack preparedness. HIPAA compliance also requires similar safeguards (section 45 C.F.R. 164.308(a)(6)). The procedures cover putting security measures in place as well as how to respond to a breach should one occur.
Security guidelines apply to a range of different types of security events, including ransomware strikes. The guidelines below are from the HHS Office for Civil Rights’ Ransomware Fact Sheet PDF.
HHS Ransomware Fact Sheet Guidelines*
- Detect and conduct an initial analysis of the ransomware;
- Contain the impact and propagation of the ransomware;
- Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
- Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations; and
- Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.
- See HHS Ransomware Fact Sheet
Largest Breach, Largest Settlement - Anthem Paid Millions for Largest Healthcare Data Breach to Date
A year ago, Anthem agreed to pay the federal government a record $16 million for a 2015 data breach impacting close to 79 million people. As a HIPAA breach, it was the largest settlement for the HHS Office of Civil Rights. Two years ago, Anthem was on the hook for a $115 million class action suit for the same breach, again the largest in history at the time. That’s a high cost for one data breach, one that exposed the ePHI (electronic protection health information) of so many patients, including their names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
Sampling of Medical Breaches Just Since July:
Below are some of the more recent cyber attacks on healthcare and medical practices in the last few months of this year:
- October 17, Methodist Hospitals of Indiana, 68,000 patients hacked
- September 5, Providence Health Plan, 122,000 members
- August 28, American Medical Collection Agency, nearly 25 million, 23 healthcare organizations
- August 27, Presbyterian Healthcare Services, 183,000 patients and plan members
- August 5, Primera Blue Cross, over 10.6 million patient records, $74M Settlement
- July 25, Park DuValle Community Health Center, paid nearly $70,000 ransomware, data has been inaccessible since June 7
- July 19, Bayamón Medical Center and Puerto Rico Women and Children’s Hospital, ransomware attack on their information systems impacted 522,000 people
- July 17, Clinical Pathology Laboratories (CPL), 2.2 million patients
- July 11, Premera Blue Cross of Seattle, 10 million people, $10M settlement across 30 states
- July 10, 2019, Los Angeles County Department, 14,600 patients
- July 10, 2019, Essentia, Phishing attack through third-party vendor exposed data
- July 9, Vitagene in San Francisco, DNA testing service, 3000 user files unprotected AWS server
Hackers are well aware of how motivated, even desperate, organizations are to protect health information and abide by HIPAA rules. Yet, given a new healthcare provider is compromised so frequently, attackers continue to be highly successful at undermining organizations and stealing patient information.
There's More All Companies Can Do to Protect Themselves from Ransomware
If you have not already, upgrade your security infrastructure to guardrail your applications and counter any thought of a ransom attack. Watch Virsec's Ransomware attack demo of a multi-step ransomware attack in action using advanced hacking tools. See how Virsec security platform can instantly spot this attack at every stage and stop it. If you are not already partnering with Virsec, it may be time to consider doing so – before there is a ransom demand or if you are recovering.