Fall 2021 showed a slight increase in reported healthcare data breaches. Acquire the main tendencies, channels, and locations of cyberthreats.
The healthcare industry is often a cybercriminal’s target and the number and severity of attacks have accelerated during recent years. Statistics report 67 out of 100 organizations had experienced at least one security incident over the past 12 months. At the same time, almost 50% of respondents said they were victims of a phishing attack. The most common attack channels are phishing and email compromise attacks, ransomware, hacking, and insider threats. Cybercriminals frequently use these channels to obtain access to protected health information (PHI) and take advantage of it. Fall of 2021 showed a slight increase in reported healthcare data breaches, and we should analyze them to keep covered entities and business associates forewarned.
The most extensive data security breach reported this fall occurred in Eskenazi Health, an IN-based healthcare provider. Eskenazi Health detected it has fallen victim to a ransomware attack in August 2021. While investigating the incident, however, experts determined that the attack was launched on May 2021. The hackers had first gained access to the healthcare provider’s systems and then disabled its security systems to ensure their presence was not detected. The intrusion was only detected when ransomware was deployed and files started to be encrypted. The attack affected 1,515,918 individuals.
Another extensive data incident occurred in the State of Alaska Department of Health & Social Services (DHSS). The experts initially believed the breach resulted in the personal data theft of all state residents. Although the DHSS reported the incident as affecting 500,000 individuals. Based on preliminary data, the cyberattack is most likely to have been conducted by a nation-state hacking group that compromised the organization’s servers, desktop computers, and laptops.
University Hospital Newark (NY) has discovered that a former employee acquired PHI of thousands of patients accessing the information without authorization for over a year. Subsequently, other unauthorized individuals also obtained access to the sensitive information. In its substitute breach notice, University Hospital Newark said the unauthorized access occurred between January 2016 and December 2017 but was revealed this fall. As University Hospital reported the incident to law enforcement and a criminal investigation is ongoing.
The most challenging effects of cyber attacks on healthcare are patient safety issues. Experts indicate increasing mortality rates, medical complications, and the length of hospital stays following ransomware attacks. In addition to this, security incidents also lead to an increase in service costs among healthcare organizations. More than 80% of IT security leaders reported increased expenses associated with cyberattacks in the past year. At the same time, 20% of respondents said costs had increased by 50% in the past year. Meanwhile, the expenses on cyber insurance policies have also risen due to the increased risk of cyberattacks.
HIPAA experts report that the most common recently observes attack channels are phishing attacks, malware hacking attacks including ransomware, and insider threats.
Security incidents such as ransomware are among the most frequent in the healthcare industry. So, there is no surprise that most of the attacks this fall involved ransomware. For instance, 6 out of the 16 data breaches in September 2021 occurred due to ransomware. The HIPAA Journal highlights several active ransomware gangs and pays special attention to the FIN12 group as the most active one. It also reports that 20% of the gang’s attacks targeted the healthcare industry.
Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure, encrypt sensitive data held, and deny the organization’s access to that data. The good news is that healthcare organizations may prevent or reduce the likelihood of ransomware attacks. Particularly, they should follow HIPAA Security Rule which contains required security measures that can help prevent malware intrusion.
First, healthcare organizations must conduct a risk analysis to identify threats and vulnerabilities to PHI. It is also essential to implement security measures to mitigate and remediate those risks. Second, HIPAA requires implementing procedures to guard against and detect malicious software. Third, it is critical to raise awareness on malicious software protection, and implement access controls to limit access to PHI.
Phishing attacks also belong to the prevalent causes of HIPAA security incidents. The main aim of phishing attacks in healthcare is to obtain access to PHI or deliver ransomware. Many successful phishing attacks are attributable to using personal mobile devices at work. It is because employees fail to adjust their professional security measures with personal online activities. Hence, by obtaining a username and password, the hacker will likely be able to access PHI. In cases when phishing aims to install malicious software, it creates gateways to enter an organization’s network remotely. So, hackers take advantage of this opportunity.
Given the high number of phishing cases, healthcare organizations must pay special attention to training their workforce members on recognizing such attacks. The workforce members should always be cautious when receiving suspicious emails asking them to take an action such as opening an attachment or clicking on a link.
For more detailed information about phishing emails and ways to recognize them please see our blog on this topic: #BeCyberSmart: Common Tips To Fight Against Phishing
Not only the hackers but also employees with privileged access to PHI may cause data breaches. There are many cases when healthcare organizations report ‘insider’ data breaches, meaning former employees access sensitive data after termination. Insiders’ data incidents highlight the importance of blocking access to PHI and the organization’s information systems immediately after an employee is terminated, leaves the company, or changes its functional responsibilities.
A study conducted by the data security provider Varonis has revealed the major failures which may lead to the data breach. Analyzing around 3 billion files at 58 healthcare organizations, the study concluded that these failures generally include poor access controls, low restrictions on PHI access, and weak password practices. The study revealed that every employee has access to nearly 20% of the organization’s total files. In addition, 77% of surveyed companies have 501 or more accounts with passwords that never expire, while 79% have more than 1,000 ghost users still enabled. These widespread failures put sensitive data at risk and may lead to substantial penalties for HIPAA non-compliance. To avoid patients’ PHI disclosures and HIPAA violation fines, organizations should adhere to the following HIPAA requirements:
HIPAA Security Rule requires organizations to limit the employees’ access to PHI for work purposes. When granting PHI access, organizations must apply HIPAA minimum necessary standards and provide access to only the minimum amount of PHI. Meanwhile, each user must have a unique username that allows tracking the PHI access. Finally, all HIPAA-regulated entities are required to implement specific password requirements to authenticate users and establish necessary “procedures for creating, changing and safeguarding passwords.”
According to the latest OCR Breach Report results, the most common locations of breached PHI are servers, constituting 16% of all cases. It is no surprise, given the high number of hacking and ransomware incidents reported. Emails are in second place with 20% out of all cases. The third most frequent place where PHI breaches occur is the desktop computers and laptops – 6% out of the total cases. The number and severity of cyberattacks in all locations highlight the necessity to follow the HIPAA security requirements and best security practices.
An increase in reported healthcare data breaches this fall should strike a warning note for organizations working with PHI. We hope that the analysis of possible cyber threat channels, scenarios, and locations will help prevent future data security incidents. To stay updated with the recent security events in the cyberenvironment, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist.