By a Biometrica staffer
It seems like every day brings a new cyber incident that compromises the personal data of thousands, if not millions, of Americans. Last week, we wrote about how K–12 schools became the favored target for malicious cyber actors last year. This week, there seems to have been an abundance of healthcare organizations disclosing that their systems had been compromised by hackers, and that patients’ private healthcare information had been stolen.
The litany of incidents is at once terrifying and astounding. Just last week, Orlando Family Physicians, LLC, disclosed that in April a phishing scam affected four employee email accounts, with the data of around 450,000 patients being potentially exposed. Announced this week was that, over a four-month period between December last year and April this year, hackers compromised UC San Diego Health’s systems in a phishing attempt.
In May 2021, attackers hacked Florida Heart Associates and stole the data of over 45,000 people. When their ransom demands were not met, they took down the firm’s systems. As of this week, the clinic is still operating at only about 50% capacity. In October last year, the University of Vermont Medical Center lost an estimated $50 million in an attack, despite not paying the ransom.
As per federal law, organizations are obligated to report to the Department of Health and Human Services (HHS) any data breaches that affect 500 or more individuals within 60 days of the incident. In turn, the HHS Secretary must inform the public about these attacks. The industry is classified by the federal government as “critical infrastructure,” alongside energy, fuel, food supply, water management, etc.
The statistics surrounding attacks on the industry are just as alarming and bleak. According to a recent report by Comparitech, over 18 million patient records were compromised in some way by ransomware attacks last year, 470% more than in 2019. Further, the attacks in 2020 forced downtime that cost the healthcare industry $20.8 billion, twice as high as what was seen in 2019.
The report concluded that 600 clinics, hospitals, and organizations were affected in 92 separate ransomware incidents. The number of attacks was the highest noted in the previous five years. Another report by SonicWall said that the number of attempts to compromise healthcare facilities rose 123% last year.
One survey found that more than 1 in every 3 healthcare organizations across the world reported being a victim of ransomware attacks in 2020. Another study concluded that, since November 2020 alone, the industry saw a 45% increase in such attacks. It was also found that 1 in every 3 victimized organizations opted to pay the ransom, just to get their operations up and running again quickly.
IBM has also highlighted that the industry topped a list of the industries with the most expensive data breaches, with an average cost of $9.23 million. Mega breaches (attacks in which 50–65 million records are exposed) cost an average of $401 million.
Further, around 44% of the breaches exposed sensitive personal data, ranging from names, emails, passwords, and birthdates, to health records, insurance details, social security numbers, and/or passport numbers. People affected can include current, past, and prospective patients, employees, students, and many others.
These attacks are particularly debilitating for healthcare entities as they significantly strain budgets that are already quite low. At higher risk are nonprofits and public health systems, as well as rural hospitals that serve thousands in surrounding counties, as they are generally underfunded and understaffed, and so possess fewer resources across the board.
Hackers proved to be particularly prolific last year, with HHS indicating that more than a million people’s records were impacted by data breach at a healthcare organization virtually every month in 2020. In September alone, nearly 10 million individuals had their data compromised by a cyberattack against a healthcare organization.
What made the industry such an attractive target in 2020? Much like with schools, malicious actors took advantage of the Covid-19 pandemic and the associated confusion, fear, and anxiety to exploit victims. Like many other industries, hospitals moved services online, increasing telehealth consultations, remote working, online data storage. Through this, hospitals that were already devastated and overburdened by the pandemic, became an easy target for hackers.
Another factor is the higher pressure on hospitals to ensure business continuity; they cannot afford prolonged downtime, with many situations literally being life or death. This makes them more vulnerable to extortion, which many hackers are more than happy to exploit. In addition, the highly sensitive nature of data means that hospitals will want to react quickly to secure their systems.
Experts are also highlighting the deficiencies in hospitals’ cybersecurity infrastructure. Many are unable to or unwilling to allocate funds to patch security, especially last year, as this has historically not been seen as a priority. In addition, they are exposed to supply-chain risks as they tend to rely on a hodge-podge of solutions from third-parties rather than in-house technology.
Studies have also shown that healthcare organizations often neglect the most basic of cybersecurity directives, storing sensitive information on unsecured servers and not using two-factor authentication. Medical devices are also now more likely to be connected to the internet — which in hospitals is often unprotected, providing an easy entry point for hackers.
The lax standards are particularly worrying to observers and stakeholders, as records are being increasingly digitized in hospitals, and there is a pressing need for cybersecurity measures to keep up.
Of course, all these gaps were only exacerbated by the pandemic, when the resources of the health industry were already stretched thin and in high demand. Many organizations were even forced to furlough cybersecurity staff amidst shortages, demand increases, and lockdown measures.
The federal government has been doing its best to help organizations deal with and respond to ransomware attacks. On Wednesday, July 28, President Joe Biden issued a memo detailing voluntary actions critical infrastructure companies can undertake to mitigate threats. He has been constrained by the federal government’s inability to impose regulations on private companies, who own around 90% of the country’s critical infrastructure assets. Various officials have, however, been increasingly sounding the alarm over the threat that cyberattacks pose to national and economic security, as well as public health and safety.
Per some estimates, hacking attacks that have compromised patient information reported to HHS so far this year have skyrocketed by over 150%, compared to the same time-frame in 2020.
You can find a list of all the breaches reported to HHS over the last 24 months that are currently being investigated here.