Cyberattacks have been in on the upswing since the start of the COVID-19 pandemic. According to a recent white paper from CrowdStrike and Medigate, 82% of health systems experienced some form of cyberattack from March 2020 to September 2021, and 34% of the reported attacks involved ransomware. Interestingly, 33% reported paying the ransom, but only 69% of those who paid the ransom reported having their data fully restored. CrowdStrike is a cybersecurity technology company based in Sunnyvale, California, and Medigate is an integrated clinical device data security and asset management platform company that has headquarters in Brooklyn, New York.
The CrowdStrike/Medigate paper emphasizes the need for health care delivery organizations (HDOs) to harden their security infrastructures via a renewed focus on defense fundamentals. The report covers various capabilities that health systems should consider in defending their organizations against advanced threats. During the first lockdown of the pandemic, the volume of attacks shot up dramatically and continues to rise. These attacks represent a triple threat because in addition to seeking payment from the HDO, they also coerce payments from patients and business partners. “In addition to health care delivery organizations (HDOs), physicians in private practice also know they are especially vulnerable to cyberattacks,” said Thomas Finn, director of business development at Medigate. “They cite HIPAA penalties as a concern, right along with interruptions to the running of their practices as top concerns. Like their health system counterparts, they also cite the impacts to patient safety as a top worry.”
Medical Files ‘Highly Prized’
“In terms of value, medical files are highly prized because they can be monetized in a variety of ways,” Finn said. “Fake claims to defraud payers often place false diagnosis and treatment information into the medical records of patients whose data was stolen.” The privacy enforcement standards under HIPAA set substantial penalties for violations related to the theft of private health information (PHI). “Fortunately, the recent passing of the HIPAA Safe Harbor Law essentially incentivizes the entire industry to take the steps required to secure PHI, which now includes connected medical assets,” Finn said. “And as we know, private practices have also increased the use of telehealth and remote patient monitoring, so once again, like health systems, they are also more vulnerable now.”
Potentially Devastating Penalties
Penalties for these types of HIPAA violations are based on how proactive a medical practice was at preventing cyberattacks. In some cases, the penalties can be devastating. Some practices are running up 6 figure annual cybersecurity bills. “The amounts can be $200,000 per year for a small physician practice or as much as $500,000 annually for a larger one,” Finn said. “Although a health system that is well-defended and still suffers a negative experience may be better positioned to deal with all the potential liabilities, physician practices are definitely not immune from the same negative consequences,” Finn said. “Regardless, we’ve reached a point where health systems and private practices that do not feel compelled to take the right defensive steps are now viewed as negligent,” he added.
Health care is a target due to its vulnerable attack surface and the financial payoff from selling the stolen information. “If you were a cybercriminal, where would you focus?” Healthcare-specialized IoT security companies that offer the health system the right protections should consider managed service programs for medical practices, he said. “Whether via installed systems or via remotely managed services, the right firms can remove the headache. The wrong ones will create new problems. Bottomline, good security practice must enable the benefits of connected health, not constrain it.”
Fragile Digital Infrastructure
Cyberattacks are increasing and evolving because criminals can exploit vulnerabilities in the health care sector’s fragile digital infrastructure, according to Stéphane Duguin, chief executive officer for the CyberPeace Institute, a nongovernmental organization based in Geneva, Switzerland. Some pandemic-related phishing criminals have impersonated health-focused organizations, including the World Health Organization and U.S. Centers for Disease Control and Prevention.
CyberPeace Institute recently published the Cyber Incident Tracer (CIT) #HEALTH. This platform bridges the current information gap on cyberattacks on healthcare and their impact on people. Data captured on the platform provides details on 293 disruptive cyberattacks against the healthcare sector across 35 countries between June 2020 and November 2021. Across these incidents, the CIT #HEALTH seeks to report on the impact they have had on organizations and individuals, such as operational disruption to services which lasted from a matter of hours to 4 months, averaging 19.1 days per incident.
Medical practices may need to conduct security assessments and make timely patches to their systems to eliminate vulnerabilities, Duguin said. The institute is trying to raise awareness about the level of urgency and to get governments to take the issue more seriously. “Unless we understand the societal impact of cyberattacks on health care, the focus will remain on national security, foreign policy, and financial equities, rather than on the human impact, and will lead to policies that fail to produce a safe and stable cyberspace,” Duguin said.
There are many areas where further action can be taken to better protect health care, according to Duguin. A major concern is that many health care businesses are not forthcoming about a cyberattack for a host of reasons. “It is important to report any incidents to the relevant authority, such as local or national law enforcement agencies, to help prevent the spread of an attack and limit the negative impact of the attack upon other organizations,” Duguin said.