Increased Cyberattacks On Healthcare Institutions Show The Need For Greater Cybersecurity
While the pandemic brought about inspiring displays of solidarity and compassion, as with any tragedy, bad actors took advantage of the situation for personal gain. While hospital workers set up field hospitals in parking lots and clinicians risked their health to combat the frightening virus, hackers, ransomware gangs, and financial scammers doubled down on their mission to obtain valuable patient data.
The number of hacking incidents reported in healthcare climbed for the fifth straight year in 2020, jumping 42%, according to my company's report. Hacking incidents comprised more than half (62%) of all last year's patient data breaches, up from 2019.
According to the Wall Street Journal, healthcare hacking attacks were particularly brutal in 2020, with data from the U.S. Department of Health and Human Services showing "that almost every month last year more than 1 million people were affected by data breaches at health-care organizations."
These unsettling figures are good indicators of how hackers targeted healthcare organizations amid the pandemic, but given how Covid-19 overwhelmed healthcare organizations' limited resources, a worrisome volume of data breaches may not yet have been detected.
Crisis Unravels Protections
Unprepared for Covid-19 surges, many hospitals were forced to reallocate resources from administrative functions to patient care. The necessary pivot resulted in important data protection measures going by the wayside, exacerbating the vulnerabilities that hackers have worked tirelessly for years to exploit.
With more staff working remotely, the operation of mass Covid-19 testing and vaccination sites, and soaring telehealth utilization, many health systems watched their defenses against patient data exposure crumble. All the while, they were flooded with requests to share data with the media and the public. Then came elective procedure standstills, which choked off a critical revenue stream.
Having weathered this chaotic environment for more than a year now, healthcare workers are understandably weary. Details related to password complexity, connection security, and compliance protocols may not be top of mind for workers with so many priorities competing for their attention. Of course, the industry-wide fatigue — and the opportunities it creates — are well understood by bad actors looking to profit off of stolen patient data.
Behind The Attacks
Criminals seeking patient data continuously tailor their strategies to whatever specific circumstances healthcare organizations face. This is why cyberattacks typically increase during popular vacation times, when criminals bank on hospitals' reduced staffing and lowered defenses, according to a technology security expert in USA Today.
Unfortunately, the pandemic created upheaval and anxieties that have given hackers more opportunities for phishing, in which attackers gain network access by luring people into clicking email links. USA Today's technology security source explained how phishing attempts switched from offering personal protective gear in March 2020 to offering advice on obtaining stimulus funding in April, and so on.
The primary motive behind these targeted attacks against health systems is — you guessed it — money. By stealing and demanding ransoms for patient data, hackers can squeeze millions of dollars out of health organizations desperate to avoid lengthy care interruptions. Alternatively, hackers can steal patients' medical record data to create "identity kits" worth up to $2,000 on the deep web, with purchasers using the information to create fake IDs, file false insurance claims or rack up other kinds of expenses.
The damage to affected patients may never be undone. One patient whose identity was stolen in 2004 as the result of medical record theft spent a decade scrubbing charges from his credit report, and the integrity of his medical files remains in question. With more than 31 million patient records exposed by hacking incidents in 2020 (that we know of), this story could become all too common — a concern not only for potentially affected patients, but for healthcare organizations relying on patients' trust for critical revenue.
Preventing The Damage
To avoid the many consequences of increasingly common and sophisticated attacks, the focus should be on cybersecurity. The Advisory Board recommends having "a well-funded and widely supported security program that matches their specific organizational culture and operational needs and ultimately is aimed at mitigating risk down to an acceptable level."
With the volume of threats to organizations steadily growing, mitigating risk to an acceptable level will be a massive undertaking. Compliance and security teams cannot rise to the challenge with manual labor alone; they need the right technology in place — in addition to a tactical strategy — and that means analytics powered by automation and artificial intelligence.
Organizations must still ensure they have a solid framework behind the technology. To build a strong program, they should follow industry best practices for creating data security policies and procedures. Ongoing employee education through training materials and email programs is critical to creating a culture of compliance and staying up to date on the latest threats, and it helps organizations know where to focus resources in order to proactively reduce risk.
For now, the threats can be boiled down to this: Hacking has worsened during (and due to) the Covid-19 crisis, jeopardizing hospitals' strapped finances, their reputations and the livelihoods of millions of patients.