Discover how ransomware has caused a rise in healthcare data breaches and what you can do to protect your organization.
Healthcare organizations have been hit especially hard by the global pandemic, forced to change in myriad ways — including their preparation for, and response to, cybercrime.
The rise in cyberattacks in recent years has led to what some are calling a “cyber pandemic.” In 2020, the average cost of a data breach was $3.86 million, and personal data was involved in 58 percent of breaches.
Of those businesses affected by data breaches, the healthcare industry saw the highest industry cost: $7.13 million on average, almost double the $3.86 million average in all other sectors.
According to the Ponemon Institute and Verizon Data Breach Investigations Report, the healthcare industry also experienced more data breaches than any other sector last year. Healthcare data breaches are up 55.1 percent, from 386 in 2019 to 599 in 2020.
Hacking and IT incidents accounted for two-thirds of data security compromises in the healthcare sector in 2020. They affected a staggering 24.1 million people.
The well-defined and legally mandated reporting requirements of the Health Insurance Portability and Accountability Act (HIPAA) do make it more likely that healthcare breaches will be reported compared to breaches in other industries. Still, healthcare data is clearly more appealing to cybercriminals than other types of data.
Why? For several reasons.
Health data, including medical records, contain protected health information (PHI), which is more valuable on the dark web than credit card credentials or regular personally identifiable information (PII).
Whereas a credit card number can sell on the dark web for around $1.50, a single electronic health record (EHR) can sell for upwards of $300. This is largely because PHI doesn’t change over time.
Healthcare records and patient records often include personal information such as names, Social Security numbers, dates of birth, payment information, insurance identification numbers, and more. Those facts can’t easily be canceled or changed like, say, canceling a credit card.
The permanent nature of this information makes it more valuable to cybercriminals, since they can use it to commit identity theft. Long story short: healthcare hacking is profitable.
Healthcare businesses are also particularly tempting targets for ransomware attackers. Especially during a pandemic, healthcare organizations are generally more concerned with providing medical services to those in need than with the cybersecurity of their organization.
Many healthcare organizations don’t invest enough in cybersecurity for this very reason, but cyber criminals know this. They also know that a healthcare organization is more likely to pay up when its data is held for ransom, so medical staff can resume operations as quickly as possible.
So what are the main causes of healthcare data breaches, and how can healthcare organizations protect themselves from a data breach that could potentially halt their operations entirely?
What Is the Main Cause of Healthcare Data Breaches?
A report from cybersecurity firm Tenable attributes the overall spike in healthcare data breaches last year to the rise in ransomware attacks. According to the report, ransomware attacks accounted for 55 percent of healthcare data breaches in 2020.
The numbers for 2021 are even higher. Hacking incidents and IT incidents (which include malware and ransomware attacks) accounted for 68 percent of all reported breaches. In April 2021 alone, the top three data breaches were all ransomware attacks and involved 1.3 million healthcare records.
Ransomware groups know that healthcare organizations are especially vulnerable to ransomware attacks during a global pandemic. At the same time, they have also shifted the way in which they conduct ransomware attacks.
In the past, ransomware groups merely encrypted their victims’ data and then held it for ransom. Today, ransomware attacks also involve data theft prior to encryption. This lets ransomware groups threaten to release and sell that data on the black market, should the victim company refuse to pay for a decryption code.
Even when attackers do receive payment, there is no guarantee that the ransomware groups will provide a decryption code in exchange — leaving healthcare organizations high and dry.
The healthcare industry has unique cybersecurity vulnerabilities that make it more prone to cyberattacks in general. The cause of healthcare data breaches may include malware, ransomware, hacking, phishing, insider threats, third-party data breaches or the loss or theft of laptops and other devices.
Network server incidents, most of which involved ransomware or malware, have surpassed phishing as the most common cause of healthcare data breaches. Phishing emails, however, are often the root cause of many of these ransomware attacks.
Phishing occurs when malicious actors send emails from email accounts purporting to be from reputable sources, to trick individuals into revealing personal information such as log-in credentials. The pilfered information is then used to access a system and upload ransomware.
Even on secured devices, a medical facility’s own staff is vulnerable to phishing attempts. A medical professional without cybersecurity training might inadvertently open a phishing email using a secured device, leading to a ransomware attack.
Threat actors have also shown a preference for exploiting known vulnerabilities that have been left unpatched. A ransomware group might scan for known vulnerabilities and hit a large number of healthcare organizations with opportunistic ransomware attacks; or it might specifically scan healthcare facilities for such vulnerabilities. Either way, the attacker will quickly latch onto and exploit unpatched vulnerabilities as an entry point.
The perpetrators behind ransomware attacks are rarely identified to the public, but the most common names in 2020 were the big ransomware groups that tend to operate affiliate programs.
Ryuk accounted for 8.6 percent of ransomware attacks on healthcare facilities. Maze accounted for 6.2 percent, and Conti for 3.7 percent. Although some ransomware groups pledged to stop attacks on hospitals during the pandemic, few kept this promise.
So, what can healthcare organizations do to protect themselves against future ransomware attacks and protect their patient data?
How to Prevent Healthcare Data Breaches
Many healthcare organizations structure their cybersecurity efforts around HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects sensitive patient data against the unwelcomed eyes of hackers, identity thieves, spammers, and others — and an integral policy of the U.S. Department of Health and Human Services (HHS). It requires compliance for organizations that are defined as “covered entities” (those that transmit and collect PHI) and “business associates” (those that have access to the data of covered entities).
A HIPAA breach is “an impermissible use of disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” In other words, a breach occurs when information is shared with entities that don’t have the authority to see it.
HIPAA consists of the Security Rule, the Privacy Rule, the Omnibus Rule, and the Breach Notification Rule. These rules aim to safeguard patient data through a variety of approaches, and primarily serve as guidelines that covered entities need to follow to be considered compliant.
The HIPAA Security Rule requires health service providers to protect EHRs using proper physical and technical safeguards to assure the safety of consumer health information.
As the data shows, however, compliance with HIPAA is oftentimes not enough to protect healthcare organizations from a ransomware attack.
The truth is that HIPAA compliance is a great starting point for healthcare data security — but organizations in the healthcare sector need to do more. They need to employ comprehensive cybersecurity programs that can better prepare for a ransomware attack that could lead to a devastating data breach.
Healthcare organizations should budget for cybersecurity programs accordingly. Although the upfront cost of investing in cybersecurity might seem high, it is far less than the cost of recovering from a cyber attack (especially a ransomware attack, where you have remediation costs plus whatever ransom you might be tempted to pay).
Healthcare organizations should also prioritize and remediate the vulnerabilities that are most likely to be targeted by coordinated ransomware attacks, and assure that continuous monitoring and patching is in place.
Healthcare providers need to assess the cybersecurity of any third-party vendors and business associates thoroughly as well. According to Demi Ben-Ari, co-founder and chief technology officer (CTO) at Panorays, third-party data breaches accounted for one-quarter of the threats to healthcare organizations in 2020.
Here are some more specific things your organization can do to prevent healthcare data breaches:
Control access to sensitive healthcare information and systems. The best way to keep data secure is to make it available only on a need-to-know basis. Your healthcare organization should determine what information is relevant and who should have access, and set access controls accordingly.
Restrict access to data and applications with two-factor authentication and other methods beyond usernames and passwords; encrypt all sensitive data; log and monitor all access attempts; adopt role-based access controls (RBAC); secure all mobile devices; lock down all remote-access connections by using virtual private networks (VPN); and isolate Internet of Things (IoT) devices that connect to healthcare networks.
Perform continual risk assessments. Healthcare risk assessments help hospitals, clinics, and doctors’ offices identify where they’re vulnerable to cyberattacks. They will allow your healthcare organization to locate potential threats from within and outside an organization, estimate the damage such threats could inflict if exploited, and measure the likelihood of an attack.
HIPAA regulations require risk assessments, which will allow your organization to better understand your weaknesses and vulnerabilities so you can protect yourself. Ultimately, risk assessments allow healthcare organizations to act preemptively to prevent security breaches, stop network and system shutdowns, and circumvent other security incidents.
Educate users about their role as the first line of defense. Most ransomware attacks require users to take some sort of action such as following a link, opening an email, or downloading a file. Increasing awareness about threats to data security can help healthcare providers make more secure decisions.
All healthcare organizations should invest in employee training for cybersecurity in healthcare. Train your employees to identify emails that attempt to trick them into clicking on a link or performing some other action that infects the network with a virus; focus employee training on security policies designed to reduce human errors, and educate employees to recognize the techniques that cybercriminals use to breach healthcare systems and plant ransomware or other malware; and teach workers how to spot other social engineering techniques that cybercriminals use to plant ransomware in healthcare networks.
Prepare for an attack and breaches with a backup and recovery plan. Planning for worst-case scenarios will allow your healthcare organization effectively to limit the potential damage of a ransomware attack. HIPAA regulations mandate that healthcare organizations have data backup plans, disaster recovery plans, and emergency operation plans.
Your contingency plan should include the following: the use of off-site data backups to protect against natural disasters as well as cyberattacks, ransomware attacks, and data breaches; a method for applying the latest patches and upgrades as soon as they are available to keep all applications and systems current; and the ability to restore full backups quickly in the event of a breach or ransomware attack.
Adopt a zero-trust security model. Zero-trust security models operate under the premise that everything requires verification before being allowed to connect to your organization’s system, and periodically during access. Using tools like multi-factor authentication, encryption, and analytics to evaluate the security of a request for access, zero-trust models provide only the bare-minimum access needed to accomplish tasks.
For healthcare organizations, where operations are focused on life and death situations, preparing for a ransomware attack can easily become overwhelming.
Healthcare providers and their business associates must balance the protection of patient privacy while also delivering quality patient care and meeting the strict regulatory requirements set forth by HIPAA and other regulations.
Fortunately tools do exist that can help your organization develop a healthcare data security plan to keep you safe and compliant.
ZenGRC Helps Healthcare Organizations Stay Safe and Compliant
Your patients rely on your healthcare organization to keep their health information private and secure. But HIPAA compliance can be a daunting task:; there are more than 100 pages of rules to follow, and HIPAA regulations constantly change to address new aspects of electronic PHI (e-PHI), patient rights, and cybersecurity.
Healthcare is a demanding field, and nobody can do it all. Using quality governance, risk management, and compliance software can make the job of HIPAA compliance and preparing for a potential ransomware attack much easier, allowing your organization to focus on its primary objectives: caring for patients and improving their health.
ZenGRC from Reciprocity is a software-as-a-service (SaaS) that performs HIPAA self-audits, including risk assessments, in just a few clicks and as often as you like, for real-time views of your organization’s security and risk posture.
Easy compliance templates make self-audits a breeze, while a central dashboard tells you where gaps exist in your compliance documentation, and how to fill them.
Moreover, ZenGRC can audit your compliance documentation across frameworks so you can streamline your efforts, whether they be for HIPAA, NIST, HITECH Act, or any other healthcare related requirements.
Continuous monitoring features also assure that you can understand your third parties’ compliance. It keeps track of vendors’ compliance with multiple frameworks, and provides continuous auditing. Its user-friendly dashboards show you in a glance who’s compliant, and who isn’t.
GRC automation will enable your organization to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers to be more effective at their jobs; it also makes healthcare organizations more efficient at the ongoing task of governance and continuous monitoring.
With ZenGRC automating your governance, risk management, and compliance tasks, your healthcare organization can focus on other, more important tasks — like saving lives.
Schedule a demo to find out how ZenGRC can help your healthcare organization stay HIPAA compliant, and avoid debilitating ransomware attacks today.