COVID-19 has presented a number of unique challenges to the healthcare sector over the past year. Healthcare providers have been placed on the frontline and tasked with treating patients, educating the population, and distributing vaccines. With the industry’s attention and resources focused squarely on the pandemic, however, new threats to the healthcare system have emerged.
In the last year, healthcare providers and institutions have increasingly found themselves the target of cybersecurity attacks. A recent report issued by Check Point Software Technologies found that there has been a 45% increase in cyberattacks targeting healthcare providers globally since November 2020. It is estimated that in 2020 alone, 26 million patient records were exposed to unauthorized parties, the overwhelming majority of which were the result of healthcare cyberattacks.
The recent increase in cyberattacks raises the question: Why healthcare? For starters, medical records contain a variety of sensitive, protected health information (PHI) that serves as a “one-stop-shop” for identity theft. Recent studies suggest that the average healthcare data breach costs approximately $500 per record and $7.1 million per attack, making these attacks a nearly $14 billion industry in 2020 alone. The tremendous value of the information sought, coupled with the struggle to adapt medical technology to meet updated cybersecurity needs, makes the healthcare industry an attractive target for cyber criminals. The recent uptick in attacks further suggests that attackers are taking advantage of a sector overwhelmed by the pandemic.
PHI can be accessed by attackers in a variety of different ways, including phishing scams, ransomware attacks, credential theft, and exploiting cybersecurity vulnerabilities within healthcare networks. The pandemic has not only led to an increase in attacks on healthcare providers but has also changed the manner in which these attacks are carried out. Attackers have coordinated phishing and spear-phishing attacks under the guise of COVID-19, often leveraging subject lines and content related to the pandemic to distribute malicious software to healthcare providers. Additionally, ransomware attacks drastically increased in the latter half of 2020. This trend underscores the notion that attackers are aware that shutting down healthcare systems can adversely impact patients’ health, thus making an attack more likely to elicit payment. In addition, the industry has seen an increased number of attacks geared towards telemedicine and COVID-19 PPE and vaccine supply chains.
The following are several examples of cybersecurity attacks on healthcare providers and institutions in 2020:
Though the end of the pandemic nears, there is, unfortunately, no indication that cyberattacks on the healthcare industry will decline. IBM analysis predicts that attacks on healthcare providers will continue to expand into 2021 and the foreseeable future. There are a number of ways in which healthcare providers can mitigate risk including: staying aware of and implementing measures to protect against possible threats, regularly auditing and reviewing both their data practices and the data practices of third-party vendors to ensure HIPAA and HITECH compliance, emphasizing employee training to minimize human error, and keeping up to date with best practices and recommendations published by the Health Care Industry Cybersecurity Task Force.
Even with the appropriate safeguards in place, cybersecurity experts agree that future breaches are inevitable. In the event of a breach, it is important to have a response plan in place that complies with state and federal law. The Department of Health and Human Services, through the Health Information Technology for Economic and Clinical Health (HITECH) Act, has implemented data breach rules applicable to PHI. These rules are complex and can vary based on the severity of the breach. As such, it is important that healthcare professionals consult with their cybersecurity insurance carrier or other appropriate insurance provider in the event of a suspected breach. These carriers generally have emergency procedures and a response team in place to assist with mitigating the damages from the breach, preserving evidence, and ensuring compliance with notice requirements. Failing to comply could result in loss of coverage, civil penalties, or, in some cases, criminal prosecution.