Hacking Healthcare: Critical Infrastructure at Risk
- FBI warns of “increased and imminent cyber threat against hospitals and healthcare systems across the country”
- Sources and impact of recent healthcare hacking incidents
- Hope for healthcare: mitigating risk
Read more below.
Water, gas, food, healthcare — as reports of new cyberattacks target critical infrastructure, Americans are asking who will be the next target of crippling disruption. Chiefly, is healthcare at an increased risk for data breach and are covered entities prepared for possible breaches?
Major compromises on our nation’s critical organizations — including healthcare — could have a “debilitating effect” on the U.S. economy and security, reports CNN. According to the U.S. government’s Cybersecurity and Infrastructure Agency (CISA), healthcare is included in one of 16 industries cited as critical infrastructure sectors that are at risk along with energy, financial services, and transportation.
After a recent breach of the Colonial Pipeline system, the FBI warns of an “increased and imminent cyber threat against hospitals and healthcare systems across the country.”
News about hacks and data breaches continues to plague industries across the nation, including healthcare. Peter Marks, Chief Information Officer at WakeMed, underscores the seriousness of these hacks especially, “Every organization is facing these kinds of attacks every day.”
When it comes to cyber troubles, the healthcare industry is not a newcomer.
Healthcare Hacking: Data, Sources, and Impact
For the fifth straight year, hacking incidents targeting healthcare increased with publicly reported incidents climbing 42% from 2019 and impacted 31 million patient records.
These types of incidents in healthcare are common, as evidenced in the U.S. Department of Health and Human Services (HHS) Breach Portal, where the Office for Civil Rights (OCR) posts healthcare data breaches involving more than 500 individuals.
In its Verizon 2021 Data Breach Investigations Report (DBIR), Verizon found that 61% of healthcare incidents were caused by external threats and personal data was more compromised than medical data.
“The biggest risk is to your reputation,” states Ted Lotchin, Chief Compliance Officer at WakeMed. “We’ve been here for 60 years and our mission is to provide outstanding and compassionate healthcare to anyone who walks in through our doors. If folks don’t have faith and trust in protecting your information, it’s hard to get over that. The privacy side and the security side are really about as intertwined as you can imagine.”
“Worst Year Ever” for Extortion-Related Attacks
The U.S. Department of Justice declared 2020 the worst year ever for extortion-related cyber-attacks and created a ransomware task force in April 2020, according to CNN.
Ransomware can do a lot of damage to any organization, as we have seen with recent critical infrastructure attacks that affect supply chains and the public. Per HIPAA Journal, healthcare ransomware attacks:
- Cripple IT systems
- Prevent patient medical records from being accessed
- Disrupt patient care
- Put patient safety at risk
Recovering data and restoring systems from these sorts of incidents can take weeks or months and mitigating the attacks is expensive, with considerable loss of revenue due to downtime.
Hope for Healthcare
Is it all doom and gloom? No. Privacy incidents will continue to happen but the reality is that 93% of privacy incidents in the healthcare industry were not notifiable in 2020.
According to the 2021 Privacy Incident Benchmark Report, only 6.5% of all incidents in the healthcare sector that passed through a proper multi-factor risk assessment and were sufficiently risk mitigated, were actually notifiable data breaches. This is based on metadata from our Radar incident response management platform, consistent with our findings over the past three years.
Learn if your HIPAA incident is a reportable breach and what’s notifiable in Healthcare Incident Response Done Right.
Security and privacy are intertwined, as Lotchin with WakeMed states. With the influx of hacks and concern over critical infrastructure security, combined with complex privacy and compliance regulations facing the healthcare industry, it has become that much more important to assess your organization’s privacy processes and practices.
When it comes to incident response, now is a good time to see how you stack up against your competitors and identify where you can improve. Read KPIs to Drive Healthcare Incident Response Planning to learn more about how benchmarking can improve your privacy efforts and effectiveness. Improving your incident response might be the best prescription.
You may also be interested in:
Topics: Incident Response Management