As we noted in a recent blog post, 2020 was a record year for data breaches in the U.S., as well as a record year for data breaches in the healthcare industry. Healthcare breaches are also the most expensive of any industry, with an average cost of $7.1 million per breach.
Healthcare has become particularly vulnerable to ransomware attacks in recent years. In this article we explore the reasons for that vulnerability and how ransomware attacks can be prevented by healthcare providers.
Scope of Security Problem in Healthcare
Data breaches in healthcare are growing steadily each year, with breach incidents jumping by 25% from 2019 to 2020. And ransomware is on the rise.
Healthcare Providers Most Vulnerable
Last year, 642 large data breaches (those affecting 500 records or more) were reported by healthcare providers, health plans, healthcare clearinghouses, and business associates.
More than three-quarters of these data breaches were suffered by healthcare providers (77%). By contrast, only 11% of data breaches in 2020 affected healthcare insurers, with another 11% affecting business associates, as this HIPAA Journal chart illustrates.
Spectacular Ransomware Attacks of 2020
The largest and most spectacular data breach of 2020 resulted from a ransomware attack on a cloud services provider. Blackbaud serves clients in many industries, including healthcare. The ransomware attack on Blackbaud affected more than 100 healthcare organizations and more than 10 million records.
Another of the largest breaches in 2020 affected one million healthcare records maintained by Magellan Health. In what is becoming a classic two-step attack, this breach began with a phishing email scheme that ultimately led to a ransomware attack.
In all, some 560 healthcare organizations in the U.S. suffered ransomware attacks in 80 separate incidents last year, according to antivirus/antimalware software developer Emsisoft.
Why are Healthcare Providers So Vulnerable?
There are several reasons that healthcare providers experience more breaches, including ransomware attacks, than healthcare insurers and business associates. There are far more healthcare providers than insurers, of course, but there are also tens of thousands of business associates who furnish supplies, equipment, and systems to the providers. So sheer numbers alone do not explain the gap.
Healthcare providers span a huge spectrum. On one hand, they are solo or small practices and medical groups. On the other hand, they are local and regional hospitals and national hospital systems. They range from general practitioners to a vast array of specialists and include doctors as well as dentists, optometrists, and pharmacists.
What they share in common is the collection and maintenance of personal data and ePHI, which command a high price on the black market.
However, they differ widely in their focus on data security, the size of their security budgets, and their in-house IT knowledge. More often than not, healthcare providers expose themselves to ransomware attacks and other data breaches through these four shortfalls:
- Incomplete compliance with HIPAA Security Rule requirements
- Weak adoption of accepted security protocols and best practices
- Inadequate employee security training
- Insufficient online safeguards, including tools, software, and other protections
These weaknesses create risk and liability for healthcare providers and should not be ignored.
Five Things You Can Do Now
There are at least five actions healthcare providers can take to reduce their risk of being victimized by ransomware attacks.
1. Backup Data Regularly
Regular data backups are one of the most significant actions you can take to blunt a ransomware attack. A complete backup from the previous business day that you know you can restore removes the attacker's main leverage: you can rebuild systems instead of paying for a decryption key.
When you can restore very recent data for your healthcare organization, you are much less likely to feel pressured into buying your data back. This is as true for private practices and groups as it is for medical centers and hospital systems. One caveat: many ransomware groups now copy data before encrypting it and threaten to publish it, so a backup protects your operations but does not, by itself, protect you from extortion over data disclosure. Backups reduce the damage; they do not replace the other safeguards below.
Backups only help if the attacker cannot reach them. Ransomware routinely encrypts or deletes any backup it can see on the network, so keep at least one copy offline or on storage that cannot be modified from the production network, and do not rely on a single backup that is overwritten each night. Ransomware often sits dormant for days or weeks before it triggers, and if you keep only the most current copy you may find it already contains encrypted or corrupted files. Retain several generations instead, and remember that HIPAA's contingency plan standard requires you to be able to produce an exact, retrievable copy of ePHI.
If you are backing up data for the first time, test the process by restoring the backup to a separate system. Then review the restored data, even if only on a sample basis, to make sure it is all accounted for and usable. Repeat that restore test periodically, not just once: a backup that has never been restored is an assumption, not a safeguard.
A complete, daily data backup that you know you can restore in the event of a ransomware attack is priceless in terms of peace of mind.
Routine ePHI backups are probably the foremost defense against a ransomware attack, according to Rema Deo, CEO & Managing Director for 24By7Security.
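The restore-testing advice above can be partly automated. The script below is an added example, not code from the original article or from 24By7Security: it records a SHA-256 manifest for each nightly backup generation, verifies every file against that manifest (catching a backup copy that ransomware has silently overwritten), flags a backup older than the assumed 24-hour recovery point, and checks that several generations are retained rather than a single overwritten copy. The backup layout, file names, the 24-hour limit and the three-generation minimum are assumptions made for the example; the manifest would in practice be stored with the offline copy so the attacker cannot rewrite it alongside the data.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # assumption: one full backup per business day
MIN_GENERATIONS = 3                  # assumption: keep at least three restorable generations


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a SHA-256 per file at backup time (keep a copy of this file offline)."""
    files = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != "manifest.json"
    }
    mpath = backup_dir / "manifest.json"
    mpath.write_text(json.dumps({"created": time.time(), "files": files}, indent=2))
    return mpath


def verify_backup(backup_dir: Path, now: Optional[float] = None) -> Dict[str, object]:
    """Restore test: every manifest entry must exist with an unchanged hash,
    and the backup must be newer than the recovery point objective."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    problems: List[str] = []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"altered: {rel}")
    age = now - manifest["created"]
    if age > MAX_BACKUP_AGE_SECONDS:
        problems.append(f"stale: backup is {age / 3600:.1f} hours old")
    return {"ok": not problems, "problems": problems}


def check_retention(root: Path) -> Dict[str, object]:
    """Count backup generations that carry a manifest; one overwritten copy is not enough."""
    gens = [d for d in root.iterdir() if d.is_dir() and (d / "manifest.json").exists()]
    return {"generations": len(gens), "ok": len(gens) >= MIN_GENERATIONS}


def demo() -> Dict[str, object]:
    """Constructed scenario: three nightly generations of a small EHR export.
    After the newest manifest is written, one file is overwritten with random
    bytes, standing in for ransomware that reached the backup share."""
    root = Path(tempfile.mkdtemp())
    for day in ("day1", "day2", "day3"):
        d = root / day
        (d / "ehr").mkdir(parents=True)
        (d / "ehr" / "patients.db").write_bytes(b"constructed-patient-records-" + day.encode())
        (d / "ehr" / "schedule.csv").write_bytes(b"2021-03-01,dr-x,room-1\n")
        write_manifest(d)
    (root / "day3" / "ehr" / "patients.db").write_bytes(os.urandom(32))  # simulated tampering
    return {
        "newest": verify_backup(root / "day3"),
        "previous": verify_backup(root / "day2"),
        # pretend three days have passed to show the staleness check firing
        "stale": verify_backup(root / "day2", now=time.time() + 3 * 86400),
        "retention": check_retention(root),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In this scenario the newest generation fails verification, the previous one restores cleanly, and the retention check passes only because older generations were kept instead of overwritten.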
2. Install Software that Protects Email and Flash Drives
Most ransomware attacks begin with phishing emails. Some carry a malicious attachment or link that installs the first-stage malware; others trick employees into entering their login credentials on a look-alike page, giving the cybercriminals a legitimate account with which to reach the network or database and then capture and encrypt data.
Phishing emails may appear to come from the office manager or hospital administrator, making them seem real and therefore difficult to ignore. Cybercriminals often spoof the email addresses of authority figures, knowing that most employees will take such messages at face value and act upon them promptly.
The prescription? Use an email security product that scans attachments and links before messages reach the inbox and checks that the sender is who it claims to be (SPF, DKIM and DMARC validation), and endpoint protection that scans flash drives and other removable media when they are plugged in. Where staff have no business need for USB storage, disable it outright. You may research various software options online and compare features and pricing, or contact a cybersecurity firm for assistance.
Speaking of software, make a point to keep it current and never miss an opportunity to install patches. Patches usually incorporate security improvements as well as upgraded features and functionality. Software firms will either automatically push updates to your systems or will advise you when they are available to be downloaded and installed. When you get that notification, act on it immediately.
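The spoofing pattern described above (a message that borrows the office manager's name but comes from an outside address) is something a small practice can check for itself. The script below is an added example, not code from the original article: it parses a raw email, looks for a display name that impersonates a known staff member, a Reply-To pointing at a different domain, failed SPF or DMARC results stamped by the receiving mail server, and attachment types commonly used to deliver ransomware. The internal domain, the staff directory, the risky-extension list and both sample messages are constructed for the example; in a real deployment the directory would come from the mail system and the checks would run in a mail filter rather than a standalone script.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "clinic.example"  # assumption: the practice's own mail domain
# assumption: a small staff directory, normally exported from the mail system
STAFF_DIRECTORY = {"alice chen": "alice.chen@clinic.example"}
# assumption: attachment types that should never arrive unannounced at a clinic
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm", ".xlsm"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = _domain(addr)

    # Display-name spoofing: a known colleague's name on an address that is not theirs
    for name, real_addr in STAFF_DIRECTORY.items():
        if name in display.lower() and addr != real_addr:
            findings.append(f"display name impersonates {name} but sender is {addr}")

    # Replies silently redirected to a third domain
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    # Authentication-Results written by our own mail server, not by the sender
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() == "fail":
            findings.append(f"{mech.lower()} check failed")
    if from_domain == INTERNAL_DOMAIN and not re.search(r"dmarc=pass", auth, re.I):
        findings.append("claims to be internal mail but did not pass DMARC")

    # Attachment types commonly used as ransomware droppers
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rsplit(".", 1)[-1] if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {fname}")
    return findings


# Constructed sample: outside sender borrowing the office manager's name
PHISHING_SAMPLE = """\
From: "Dr. Alice Chen, Office Manager" <alice.chen@clinic-example.net>
Reply-To: billing-urgent@mail-relay-example.org
To: staff@clinic.example
Subject: URGENT: updated payroll form - sign today
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=clinic-example.net; dkim=none; dmarc=fail header.from=clinic-example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form and log in with your portal credentials.
--b1
Content-Type: application/octet-stream; name="payroll_form.docm"
Content-Disposition: attachment; filename="payroll_form.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: the real office manager, authenticated, no attachment
LEGIT_SAMPLE = """\
From: "Alice Chen" <alice.chen@clinic.example>
To: staff@clinic.example
Subject: Staff meeting moved to 3pm
Authentication-Results: mx.clinic.example; spf=pass smtp.mailfrom=clinic.example; dkim=pass header.d=clinic.example; dmarc=pass header.from=clinic.example
Content-Type: text/plain

Meeting is in room 2 today.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, analyze_message(sample) or ["no findings"])
```

Each finding on its own is only a heuristic; the value is in combining them, which is what commercial email security products do at scale.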
3. Train Employees to be Suspicious
Employees are often the weakest link in the security chain. That's why the anti-phishing security software described above is vitally important. But that doesn't mean you can neglect employee security training. It's a necessary line of defense against social engineering schemes, such as phishing, that can lead to ransomware attacks, and it catches the messages that filtering software lets through.
Some phishing schemes target individual employees, while others cast a wider net hoping for more unsuspecting victims. Even managers and physicians have fallen for these ploys. That's why it's vital to train all employees thoroughly and to retrain everyone on a regular basis. We get busy, we forget what we learned four months ago, we make a mistake. And suddenly we're dealing with a breach of ePHI that must be reported under the HIPAA Breach Notification Rule, as well as what could be a costly and embarrassing ransomware experience.
In addition to training in HIPAA requirements, professional cybersecurity firms provide formal security training that addresses known current threats of all types, including ransomware. Many offer choices of classroom training, online training, webinars, self-paced training, and other options, because individuals learn differently. In addition, job roles may suggest that certain types of training are more effective.
4. Consider a Cyber Insurance Policy
There are some concerns that having cyber insurance may encourage a healthcare provider to pay the ransom to recover their data — rather than taking the upfront steps necessary to install specific software, implement routine data backups, train employees, and otherwise harden their cybersecurity to prevent breaches.
There are also widespread concerns that the payment of ransoms by victims provides positive reinforcement for bad behavior and encourages more ransomware attacks by cybercriminals.
Despite these considerations, cyber insurance remains a viable component of a comprehensive security program. Learn more about cyber insurance in this article by ZDNet.
5. Conduct a Security Risk Assessment
Solo practices and small offices often lack the resources to implement the preceding security measures. Even larger healthcare providers can find themselves short-staffed or otherwise challenged to implement these security measures. A Security Risk Assessment can assist healthcare providers in these scenarios to strengthen their security programs in a timely and efficient manner.
Besides being an excellent security safeguard, a regular security risk assessment is a HIPAA requirement for healthcare providers, insurers, and business associates: the Security Rule's risk analysis standard (45 CFR § 164.308(a)(1)(ii)(A)) requires an accurate and thorough assessment of the risks to ePHI. A proper assessment should follow the risk assessment methodology recommended by the National Institute of Standards & Technology (NIST) in Special Publication 800-30 in order to cover all the necessary bases.
A security risk assessment should include internal and external penetration testing and vulnerability assessments. It should assess web applications and asset management procedures to ensure optimum security safeguards. Social engineering testing is also a vital component since it reveals vulnerabilities to phishing exploits, which often precede ransomware attacks and other security breaches.
A comprehensive assessment will also review recent risk assessments that have been completed by your business associates, reviewing findings, their relative severity, and whether they have been addressed. The objectives of your security risk assessment include (1) remediating all vulnerabilities that could affect your ePHI, (2) ensuring that policies and procedures are HIPAA-compliant, and (3) documenting these actions for potential future review.
As the enforcement arm of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) has become much more proactive in monitoring HIPAA compliance and in penalizing healthcare providers for violations. The first thing OCR will request in an audit is documentation demonstrating your security and compliance measures.
Summary
Ransomware attacks are some of the most malicious and high-profile security breaches in the healthcare industry today. The lucrative nature of these attacks, which net cybercriminals millions in ransom payments, ensures that ransomware will remain a crime of choice.
Healthcare providers, who range from solo practices to national hospital systems, are particularly vulnerable to data breaches and ransomware attacks for several reasons. Incomplete HIPAA compliance, insufficient online safeguards, and inadequate employee security training are major contributing factors.
Several security measures have proven effective in preventing ransomware attacks in healthcare or limiting the damage they do. These include regular, tested, offline data backups, anti-phishing software, frequent security training for all employees, and annual security risk assessments. In addition, cyber insurance policies can help to reduce the financial effects of a ransomware attack or other data breach. Professional resources are available to healthcare providers to assist with the implementation of these and other cybersecurity safeguards.