The Florida company BioPlus Specialty Pharmacy Services, LLC, reported on December 10, 2021, that it was notifying patients of a data security incident that may have involved their information. BioPlus operates specialty pharmacy centers in California, Florida, and North Carolina, and it identified suspicious activity in its IT network on November 11, 2021. On learning of the incident, BioPlus said it immediately took steps to isolate and secure its systems.
The attackers accessed files that contained protected health information (PHI) from thousands of BioPlus patients. The investigation could not rule out the possibility that information pertaining to all current and former BioPlus patients may have been subject to unauthorized access.
COVID-19-related phishing has been an issue during the COVID-19 pandemic, said Eve Maler, Chief Technology Officer at ForgeRock, a global digital identity company headquartered in San Francisco, California. The pandemic has resulted in a digital revolution, with virtual health visits as well as a dramatic change in the purchasing of many goods and services, according to the ForgeRock 2021 Consumer Identity Breach Report. It found that attacks involving user names and passwords increased a staggering 450% in 2020 from 2019. These attacks resulted in more than 1 billion compromised records in the United States alone. “Some of the numbers were eye-popping. It kind of hits you in the face,” Maler said.
Since the previous year’s report, the average cost of a breach in the United States increased 5.5% to $8.64 million. The United States is the costliest place in the world to recover from a breach. The escalating cyberattacks appear to be related to a host of factors, such as more time online, more people working remotely, and limited budgets for IT security. These issues are coupled with supply chain security failures and aging IT infrastructure.
The ForgeRock report states that cybercriminals made the most of the pandemic by exploiting specific vulnerabilities. For the third consecutive year, health care organizations had the highest number of reported breaches (314), comprising 34% of all breaches. Health care is an attractive target because patient data are extremely valuable to cybercriminals, who use the data for insurance fraud and other crimes. “We need to sensitize the world to these trends,” Maler said. “We need to make data better protected and not [rely on] just a single sign-on. There is a big move toward no passwords.”
David Holtzman, founder and principal of HITprivacy LLC, a health information privacy consulting firm in Germantown, Maryland, is among some cybersecurity experts asking if the increasing numbers of hacking incidents targeting health care organizations could be reduced through increased federal oversight of the HIPAA standards. “Today, we are plagued with cybersecurity threats that are taking advantage of information systems that are not being assessed to see if they have adequate safeguards to protect personal information or have not been patched or updated against known threats,” Holtzman said.
Consumers’ health information is vulnerable as a result of health care organization’s failing to replace outdated computer hardware and software. Holtzman said the Department of Health and Human Services'(HHS) HIPAA Breach Reporting Tool website showed that there were more than 700 major health data breaches affecting 45.1 million individuals posted to the site in 2021. “We only have ourselves to blame for not taking prudent action to maintain our information systems,” he said. “Regular update management, identifying vulnerabilities, investing in current operating systems, and applications are critical steps.”
Since the onset of the COVID-19 pandemic, the rate of ransomware attacks has increased across all industries, but health care has seen a greater share of such attacks. The 2020 HIMSS Cybersecurity Survey revealed that 70% of health care organizations reported having experienced “significant security incidents” within the previous 12 months. “Almost every [HHS Office for Civil Rights] enforcement action involving a breach of PHI can be traced back to the HIPAA covered entity or business associate failing to implement a risk management plan that includes continuous assessment and response to constantly evolving threats and vulnerabilities,” Holtzman said.
AI Can Help Improve Cybersecurity
Artificial intelligence (AI) can aid underfunded or outdated security operations by allowing companies to stay ahead of cyber threats. AI has the potential to pool threat intelligence from millions of sources, such as research papers, news stories, and blogs. “Identities are being stolen through malware, and it may be because they have given access to employees who are no longer there. AI can be used to identify bad actors and stop access,” Maler said.
AI leverages sophisticated algorithms to better detect malware. It can also be used to run pattern recognition and detect problems with malware and ransomware attacks before they enter the system. Darktrace, a global leader in cybersecurity AI headquartered in Cambridge, UK, has adopted self-learning AI technology to bolster cyber defenses in a way that goes beyond conventional, rules-based email security. AI is used to intercept subtle email attacks sent to unwitting company employees. Antigena Email uses self-learning AI to identify the “pattern of life” for every user in the company. It can precisely identify and stop never-before-seen malicious email because it has analyzed the activity of the employees behind the email. This security system runs continually in the background to autonomously contain malicious activity and enforce “business as usual.”
Justin Fier, Darktrace’s Director of Cyber Intelligence and Analytics, said cybersecurity organizations have implemented AI in various ways, to include but not limited to, threat detection, investigations, and response. “AI is ideally situated to mine through massive amounts of data in near real-time, looking for patterns and behaviors that seem out of the norm, and in some cases prompting immediate action. We need to embrace autonomous response and triage technologies to stand a fighting chance against machine-speed threats and sophisticated attackers,” Fier said.
Brian Woerner, of the Lane Department of Computer Science and Electrical Engineering at West Virginia University’s Benjamin M. Statler College of Engineering and Mineral Resources, Morgantown, Virginia, said most new computer viruses exploit techniques that have been successful in the past and machine learning systems can be trained to identify suspicious patterns of code based on past experiences. Another example where artificial intelligence plays a key role is in allowing organizations to respond to distributed denial of service (DDOS) attacks, where a bot-net of hijacked computers can be used to overwhelm a website with repeated requests, preventing legitimate users from accessing the services at that website, Woerner said.
In these cases, only an automated system, which can quickly identify and exclude the attacking machines, can respond quickly enough to keep services operational. “Google and Amazon Web Services have both been hit with DDOS attacks in recent years and their responses have employed artificial intelligence techniques,” Woerner said.