[author: Doug Austin, Editor of eDiscovery Today]
Go to just about any news site today and there is probably a new story about a data breach that costs a company millions of dollars.
Just in the past few weeks, we’ve seen Colonial Pipeline pay roughly $5 million in response to one ransomware attack (during which gas shortages caused long lines at the pumps) and meatpacker JBS USA pay a ransom equivalent to $11 million to a different group of attackers. And ransomware is just one category of data breach affecting organizations today.
Failing to protect data from threats – internal as well as external – can also potentially cost companies millions in fines and litigation judgments and settlements.
Healthcare organizations are also at risk – perhaps more than other types of organizations – as the data they track is even more sensitive. Not only that, the stakes are much higher – not just monetary, but potentially life threatening.
More Data to Protect Leads to More Data Exposed
According to statistics compiled by Dell EMC, healthcare organizations have seen an explosive health data growth rate of 878% since 2016.
As discussed in my “alphabet soup” post here, some of this data falls under the category of Protected Health Information (PHI), or individually identifiable health information, regulated by the Health Insurance Portability and Accountability Act (HIPAA). PHI that is created, stored, transmitted or received in electronic form is electronic protected health information (ePHI), the subset that the HIPAA Security Rule specifically addresses.
Either way, there is more of it than ever to protect. And much of it is not being protected.
IPRO conducted a search of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) breach portal for a 10-month period in 2019, looking only at hacking, theft, and unauthorized access breaches, and found over 39 million exposed patient records from 370 healthcare providers.
Under HIPAA, organizations are mandated to perform enterprise-wide risk analyses to “determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist”. Clearly, for many healthcare providers, those vulnerabilities have existed – and financial penalties and settlements that those organizations have been assessed have been in the millions of dollars.
Your Money or Their Lives
And, for healthcare organizations, the stakes are even higher than that.
Back in the early 18th century, robbers known as “highwaymen” used to stop and rob coaches on the road threatening travelers with the saying “your money or your life” (it’s where the phrase “highway robbery” originated to refer to being cheated or swindled).
Today, however, those robbers are often halfway around the world and it’s not your life they’re threatening, it’s the lives of the patients in many hospitals and medical facilities.
According to this article in The Wall Street Journal (subscription required), an Eastern European group deploying the Ryuk ransomware has attacked at least 235 facilities since 2018, raking in more than $100 million. As noted in the article, hospitals are the perfect target: their security systems are “notoriously lax”, and the high stakes of patient lives make them more likely to pay the ransom.
“They do not care. Patient care, people dying, whatever. It doesn’t matter,” Bill Siegel of the ransomware recovery firm Coveware stated. “Other groups you can at least have a conversation. You can tell them, ‘We’re a hospital, someone’s going to die.’ Ryuk won’t even reply to that email.”
Think it can’t happen? Well, according to the New York Times, the first known death from a cyberattack was reported last September after cybercriminals hit a hospital in Düsseldorf, Germany, with a ransomware attack that caused a woman in a life-threatening condition to be sent to a hospital 20 miles away where she died because of treatment delays.
With more data to protect than ever, more risk of data breaches and higher stakes (including the lives of patients), healthcare organizations have many considerations regarding protection of PHI and ePHI.