Hackers Will Not Only Take Your Money, They Could Also Take Your Patients’ Lives

[author: Doug Austin, Editor of eDiscovery Today]

Go to just about any news site today and there is probably a new story about a data breach that costs a company millions of dollars.

Just in the past few weeks, we’ve seen Colonial Pipeline pay as much as $5 million in response to one ransomware attack (during which gas shortages caused long lines at the pumps) and meatpacker JBS USA pay the equivalent of $11 million to a different group of hackers. And that’s just one category of data breach affecting organizations today.

Failing to protect data from threats – internal as well as external – can also potentially cost companies millions in fines and litigation judgments and settlements.

Healthcare organizations are also at risk – perhaps more than other types of organizations – as the data they track is even more sensitive. Not only that, the stakes are much higher – not just monetary, but potentially life threatening.

More Data to Protect Leads to More Data Exposed

According to statistics compiled by Dell EMC, healthcare organizations have seen an explosive health data growth rate of 878% since 2016.

As discussed in my “alphabet soup” post here, some of this data falls under the category of Protected Health Information (PHI), or individually identifiable health information, regulated by the Health Insurance Portability and Accountability Act (HIPAA). Other data is considered electronic protected health information (ePHI).

Either way, there is more of it than ever to protect. And much of it is not being protected.

IPRO searched the breach reports of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) for a 10-month period in 2019, looking only at hacking, theft, and unauthorized access breaches, and found over 39 million exposed patient records from 370 healthcare providers.

Under HIPAA, organizations are mandated to perform enterprise-wide risk analyses to “determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist”. Clearly, for many healthcare providers, those vulnerabilities have existed – and financial penalties and settlements that those organizations have been assessed have been in the millions of dollars.

Your Money or Their Lives

And, for healthcare organizations, the stakes are even higher than that.

Back in the early 18th century, robbers known as “highwaymen” used to stop and rob coaches on the road threatening travelers with the saying “your money or your life” (it’s where the phrase “highway robbery” originated to refer to being cheated or swindled).

Today, however, those robbers are often halfway around the world and it’s not your life they’re threatening, it’s the lives of the patients in many hospitals and medical facilities.

According to this article in The Wall Street Journal (subscription required), an Eastern European group known as Ryuk has attacked at least 235 facilities since 2018, raking in more than $100 million! As noted in the article, hospitals are the perfect target as their security systems are “notoriously lax”, and the high stakes of patient lives makes them more likely to pay the ransom.

“They do not care. Patient care, people dying, whatever. It doesn’t matter,” Bill Siegel of the ransomware recovery firm Coveware stated. “Other groups you can at least have a conversation. You can tell them, ‘We’re a hospital, someone’s going to die.’ Ryuk won’t even reply to that email.”

Think it can’t happen? Well, according to the New York Times, the first known death from a cyberattack was reported last September. Cybercriminals hit a hospital in Düsseldorf, Germany, with a ransomware attack, and a woman in a life-threatening condition had to be sent to a hospital 20 miles away, where she died because of the delay in treatment.

Conclusion

With more data to protect than ever, more risk of data breaches and higher stakes (including the lives of patients), healthcare organizations have many considerations regarding protection of PHI and ePHI.


Written by:

Ipro Tech