Side A: Ransomware, Hackers / Side B: Aging Medical Devices, Unpatched Software
Health records are low-hanging fruit for cyberthieves for several reasons. One, they command a high price on the dark web. Two, they often include payment card and social security data in addition to ePHI. And three, healthcare organizations are generally known for sub-par security due to incomplete compliance, making them easy to hack. Like a broken record, it just keeps repeating itself, over and over again.
In 2023, Hacking Caused 76% of Healthcare Data Breaches
In the first half of 2023, more than three-quarters (76%) of the security incidents reported to the HHS Office for Civil Rights cited hacking as the cause of the breach. Other causes reported were improper disposal, theft, and unauthorized disclosure. In OCR reporting, hacking covers a lot of ground, including ransomware and phishing scams, so a finer breakdown of these incidents isn’t available. We do know that breached data was located on network servers in 210 of these incidents (67%), which corresponds pretty closely to the prominence of hacks as a cause. In another 57 incidents (18%) the breached data was located in emails and email systems.
Of the 315 security incidents reported between January 1 and June 30, 2023, the majority were attributed to healthcare providers (60%). While business associates had primary responsibility for 82 incidents (26% of the 315), they were also involved in another 35 incidents. By comparison, health plans were responsible for just 14% of the reported breaches.
Geographically, California led the country with 42 reported breaches, followed closely by New York at 36. Massachusetts reported 24 breaches, Texas 21, and Pennsylvania 19. Florida reported 11 breaches.
The OCR requires covered entities to report all data breaches affecting more than 500 records.
Annual Rise in Healthcare Data Breaches Since 2009
According to the HIPAA Journal, a total of 5,150 healthcare data breaches were reported to the OCR from 2009 through 2022, exposing more than 382 million health records to potential theft.
And the problem is growing annually. In 2018, roughly one data breach was reported each day—a number that nearly doubled in just five years until, by 2022, an average of 1.94 healthcare data breaches were being reported each day.
Most Serious Healthcare Cybersecurity Challenges of 2023
Healthcare providers, health plans, and business associates are vulnerable to a wide range of hacking activities aimed at stealing patient data and disrupting operations.
Following are the most serious sources of cybercrime according to recent surveys:
- Ransomware attacks, and the hacking of healthcare databases, networks, and systems.
- Internet-connected medical devices with unpatched software, and legacy systems and equipment that are often unsupported.
Budget constraints are an underlying theme that contributes to these healthcare cybersecurity challenges.
Meeting the Challenges Begins with HIPAA Compliance
HIPAA compliance is the foremost way to harden defenses and reduce opportunities for malicious exploitation for healthcare organizations of all types—whether providers, plans, or business associates. Specifically, the HIPAA Security Rule requires all covered entities to “implement a security management process to prevent, detect, contain, and correct security violations.”
This requirement for a complete and effective security program includes conducting regular risk analyses, as required by these provisions of 45 CFR 164.308(a)(1)(ii)(A)-(B):
- The risk analysis must assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The covered entity must then implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
- The risk analysis must be accurate, thorough, and use processes that identify potential technical and non-technical vulnerabilities. Technical vulnerabilities, for example, may result from poor system development work or incorrectly implemented or misconfigured information systems.
- The risk analysis should also include use of a vulnerability scanner to detect obsolete software, missing patches, and other vulnerabilities, as well as penetration tests to identify weaknesses that could be exploited by an attacker.
Once the risk analysis has identified, assessed, and prioritized all known vulnerabilities, the covered entity must implement appropriate measures to mitigate these vulnerabilities—such as applying patches, hardening systems, retiring or upgrading equipment, training employees, developing compliant policies and procedures, eliminating access and authentication weaknesses, and various other mitigations.
Medical Device Vulnerabilities Keep Healthcare Executives Up at Night
Medical devices and hospital equipment can be expensive to procure, and the return on investment can take years. Too frequently, they lack adequate security safeguards, even though most of those developed in the past decade are intelligent devices with built-in computers and internet connectivity. This renders them vulnerable to hacking, ransomware attacks, and other criminal exploitation, and that causes healthcare executives serious concern.
Greatest Threats: Internet Connectivity, Legacy Devices. According to a recent survey by the Ponemon Institute, two-thirds (67%) of healthcare executives surveyed agree or strongly agree that internet connectivity presents a threat to patient data and security.
Asked what threats their healthcare organizations were most concerned about, it’s not surprising that 64% cited insecure medical devices. On average, healthcare organizations have more than 26,000 connected devices.
In a close second, 63% see vulnerabilities in legacy systems as prime threats to patient data and security. Typically, legacy systems are older and may be unsupported by security patches and other updates, even though they are intelligent and/or connected to the internet.
Healthcare Ransomware Has Doubled. When asked to name the threats of greatest concern to their individual healthcare organizations, 60% of healthcare executives surveyed by the Ponemon Institute pointed to ransomware, and with good reason.
Research completed by JAMA, the Journal of the American Medical Association, in late December 2022, reveals that “the annual number of ransomware attacks on healthcare delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients.” Conclusions drawn based on the research include, “ransomware attacks on healthcare delivery organizations are increasing in frequency and sophistication” and “disruptions to care during ransomware attacks may threaten patient safety and outcomes.”
Victims of ransomware attacks have taken radical measures while their medical systems and devices were under cybercriminal control, including canceling diagnostic and surgical procedures, referring patients to other healthcare facilities, and reverting to manual records. All of these actions affect patient care.
New Powers: FDA to Enforce Cybersecurity of Medical Devices
In recognition of the widespread vulnerability of internet-connected medical devices and legacy devices, the Food and Drug Administration (FDA) was recently granted the power to ensure that cybersecurity protections are baked into new medical devices from inception, in order to render them more effective in protecting patient safety and data security.
On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus, titled Ensuring Cybersecurity of Medical Devices, in turn updated the federal Food, Drug & Cosmetic Act (FDCA) by adding a new Section, 524B, on Ensuring Cybersecurity of Devices. The new section took effect on March 29, 2023.
The new cybersecurity requirements govern all applications for approval of medical devices submitted to the Food and Drug Administration after March 29, 2023. Among the specifics of Section 524B, new medical devices must come with a software bill of materials listing their software components, and, like any other computer software, the devices must be able to accept security patches and software updates. The new requirements will ultimately result in intelligent, computer-driven medical devices being treated as such, with all appropriate security safeguards.
A six-month transition period is currently in effect to allow medical device developers ample time to prepare premarket submissions that include the information required by Section 524B. By October 1, 2023, the FDA will begin refusing to accept submissions that fail to meet the new cybersecurity requirements.
Cybersecurity Advice from HHS OCR
The HHS Office for Civil Rights has provided excellent recommendations for mitigating several common cyberattacks in healthcare, including phishing scams, exploitation of known vulnerabilities, and weak access and authentication practices. In addition, the OCR guidance includes detailed advice for employee cybersecurity awareness training.
Summary
The responsibility for meeting healthcare cybersecurity challenges is not only on the shoulders of healthcare organizations, including providers, health plans, and business associates, who must comply with HIPAA Security Rule requirements to protect patient data. That responsibility also extends to manufacturers and developers of medical devices that are computer-driven and internet-connected.
With new authority given to the FDA effective March 29, 2023, makers of intelligent medical devices are now required to incorporate cybersecurity into their equipment before it will be approved for use. It is time for the healthcare industry, at every step of the supply chain, to take cybersecurity and compliance more seriously. Only by collaborating toward the common goal of protecting patient safety and patient data will we begin to drive down the annual rise in healthcare data breaches.