Today, cyber-attacks are relevant to everyone's personal life, regardless of the industry or state one is in.
According to breach data from the U.S. Department of Health and Human Services Office for Civil Rights, about 875 incidents were open and under investigation as of September 23, 2022, with about 73 million people affected.
According to the Identity Theft Center’s report on the first quarter of 2022, the healthcare industry underwent significantly more breaches than any other industry in 2022. After the passing of the HITECH Act in 2009, healthcare organizations started to rely on the electronic health record, which connected patients’ medical information with networked medical devices, making it easier for external actors to hack into such systems. Furthermore, patients’ private health information is more valuable than even credit card information: it could be valued at up to $250 per record on the black market. It is therefore important that healthcare providers and their business associates secure themselves against data breaches.
Incidents
Five recent healthcare security incidents will be highlighted here.
One of the largest data breaches of 2022 was that of the Shields Healthcare Group, reported on July 22, 2022. This data breach affected about 2 million people and happened after an unauthorized party accessed the company's computer system for about 2 weeks. The company found that the unauthorized access to the computer system started on March 7, 2022, and continued until March 21, 2022. The company informed all individuals impacted by the breach. A class action lawsuit was filed against Shields Healthcare Group, alleging the company should have done more to avoid the risk of the breach. Some actions an organization could take to mitigate the risk of ransomware attacks are:
- Scan networks and address any vulnerability: by scanning your network, you can identify existing vulnerabilities and remediate them before they are exploited.
- Back up your data: this not only helps against ransomware attempts, because you don’t have to worry about the deletion of data that you have saved, but can also help rebuild the primary system in the aftermath of a breach.
- Regularly patch operating systems and software: this removes known exploitable vulnerabilities in operating systems.
Another incident was at the Northwestern Medical Center, where an employee accessed the protected personal information of patients without authorization, including names, birthdates, Social Security numbers and medical histories. The medical center's computer system was breached multiple times between May 21, 2021, and June 10, 2022. A class action lawsuit was filed against Northwestern Medicine and one of its vendors, alleging that they failed to guard sensitive data from the breach.
Since this is a case in which an unauthorized employee accessed protected data, proper authorizations should have been in place. Here are some key recommendations to mitigate the risk of unauthorized access to data:
- Apply updated security patches and keep your OS up to date: for similar reasons as before, vulnerabilities could be easily exploited and therefore must be patched.
- Detect and respond to intrusions by establishing an intrusion detection system under which certain actions are flagged as suspicious.
- Manage data access roles and restrict data access only as needed.
- Use multi-factor authentication: this verifies more fully, through the use of multiple devices, that the user being authorized is in fact the correct user.
- Use IP whitelisting to give access to only trusted users.
- Encrypt network traffic and encrypt data-at-rest: this reduces the ability of unauthorized users to decipher sensitive information.
- Use anti-malware to scan and delete malware.
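One way to act on the intrusion-detection and access-role recommendations above, as an added example that is not part of the original article: a check over an EHR audit log that flags employees who open charts of patients not assigned to them. The log format, employee and patient ids, field names and threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed care-team assignments (assumption): employee -> patients they treat.
ASSIGNMENTS = {
    "nurse01": {"P100", "P101"},
    "dr02": {"P100", "P102"},
    "billing03": set(),  # role with no need to open clinical charts
}

# Constructed audit-log export (assumption): timestamp, employee, patient, fields.
AUDIT_LOG = """\
2022-06-01T09:12:00,nurse01,P100,vitals
2022-06-01T09:20:00,nurse01,P101,medications
2022-06-01T23:41:00,nurse01,P250,ssn;history
2022-06-01T23:44:00,nurse01,P251,ssn
2022-06-02T10:05:00,dr02,P102,labs
2022-06-02T10:30:00,dr02,P104,vitals
2022-06-02T14:02:00,billing03,P100,history
"""

SENSITIVE_FIELDS = {"ssn", "history"}  # any unassigned access to these alerts
THRESHOLD = 2  # alert once an employee opens this many unassigned charts


def find_suspicious_access(log_text, assignments, threshold=THRESHOLD):
    """Return {employee: details} for access outside assigned patients."""
    unassigned = defaultdict(set)  # employee -> unassigned patients opened
    sensitive = defaultdict(set)   # employee -> sensitive fields viewed there
    for _ts, employee, patient, fields in csv.reader(io.StringIO(log_text)):
        # Employees missing from the assignments have no patients at all.
        if patient in assignments.get(employee, set()):
            continue
        unassigned[employee].add(patient)
        sensitive[employee] |= SENSITIVE_FIELDS & set(fields.split(";"))
    alerts = {}
    for employee, patients in unassigned.items():
        if len(patients) >= threshold or sensitive[employee]:
            alerts[employee] = {
                "patients": sorted(patients),
                "sensitive_fields": sorted(sensitive[employee]),
            }
    return alerts


if __name__ == "__main__":
    for who, detail in find_suspicious_access(AUDIT_LOG, ASSIGNMENTS).items():
        print(who, detail)
```

A single non-sensitive lookup outside the assignment list (dr02 in the sample) stays below the threshold, which keeps routine cover shifts from generating alerts.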
A different type of incident was that of Trident Health Care, where the attacker obtained physical access on April 17, 2022, to a set of hard drives and other equipment. It was classified as theft, and the breach included information regarding names, dates of birth and Social Security numbers. The breach affected about 6,000 people. Local law enforcement was informed, and the impacted individuals were asked to remain vigilant by checking credit reports and account statements.
Incidents involving physical access to the facility could be prevented by implementing strong physical safeguards to secure the premises.
However, surprisingly, this wasn’t the only data breach that resulted from physical theft. The largest data breach this year was that of SAC Health, where paper records containing names, addresses, dates of birth, and diagnosis codes of patients were stolen. About 150,000 people were impacted and were notified on May 3, 2022. The Lyon Firm, a legal firm, is working on a class action lawsuit against SAC Health.
Tips to mitigate risk of physical security threats:
- Protect network devices by keeping them in safe locations.
- Protect your office area from physical and digital intruders, for example by having a separate Wi-Fi network for visitors, locked doors, security guards, etc., as appropriate.
- Lock and establish 24-by-7 surveillance on your server room, possibly by setting up security cameras and monitoring the cameras regularly.
- Do not leave portable devices unattended and unlocked.
Another incident that could further exemplify this is from the Teamsters Local 812 Retirement Fund, where Horizon Actuarial, which was providing technical services to the Retirement Fund, was found in November of last year to be the subject of a ransomware attack. Horizon paid a ransom to have the stolen data deleted. On March 24th of this year, Horizon revealed that about 8152 members of the Retirement Fund had had their information compromised.
Data
It can be seen in the figure above that hacking incidents are some of the most frequent this year.
It can also be gleaned from the figure above that the entity that is most likely to undergo a breach is the healthcare provider. However, this chart also shows that other entities, such as business associates, are far from safe.
Conclusion
In 2022, the risk of data breaches for healthcare providers and business associates continues to grow. Those who have undergone cyberattacks could face litigation, ransomware attacks, or stolen property. The suggested actions detailed throughout this article can be used to address such risks.