The healthcare industry is exposed to many types of cyberattacks, and ransomware incidents in particular cause heavy damage in terms of cost, data integrity, and reputation, with repercussions that can threaten the delivery of care itself. While industries worldwide face the challenge of cyberattacks, the healthcare industry is particularly vulnerable because of:
- The sensitivity of private patient information
- Rising healthcare costs and tight budgets that leave little room for cybersecurity initiatives
- The need to share healthcare information across several entities
- Heavy reliance on legacy systems and applications that are difficult to maintain and protect
- Increasing use of technology and connected medical devices without corresponding awareness and protection
- A thriving illegal market for stolen patient information
According to the 2021 SonicWall Cyber Threat Report, the number of ransomware attempts against the healthcare industry increased by 123% in 2020. Ransomware is delivered through phishing emails, malvertising, or malicious links, and campaigns fall into two broad categories: strategic campaigns that target specific victims through compromised networks, and opportunistic campaigns that rely on ‘spray and pray’ tactics, techniques, and procedures (TTPs).
Notable Ransomware Attacks
2020 brought more ransomware attacks on healthcare providers than any other year in the past five. The Tenable Research 2020 Threat Landscape Retrospective reported that ransomware accounted for 54.95% of healthcare data breaches in 2020. Another report, from Comparitech, states that 92 individual ransomware attacks in 2020 affected over 600 separate clinics, hospitals, and organizations. Some of the largest ransomware attacks in the last 18 months include:
- In May 2021, San Diego-based Scripps Health was hit by a ransomware attack that forced a portion of its IT systems to remain offline for several weeks.
- A massive cyberattack hit Universal Health Services (UHS) in October 2020. The ransomware strain known as Ryuk brought down all of its IT systems. Affected hospitals redirected ambulances and moved patients in need of surgery to other nearby hospitals.
- In October 2020, the University of Vermont Health Network was affected by a ransomware attack that shut down the hospital’s applications, costing USD 1.5 million a day in recovery costs and lost revenue.
- Blackbaud, a third-party service vendor, was one of the most severely attacked companies in 2020. Inova, a Virginia-based health system and one of the affected organizations, reported to the Department of Health and Human Services’ Office for Civil Rights a data breach that affected up to 1,045,270 people.
U.S. Regulations and Preventive Measures
Based on a research report from IHS Markit, the U.S. has the largest healthcare industry in the world, consisting of 784,626 companies. With one of the most robust and advanced healthcare systems in the world, the government has implemented several stringent regulations to protect healthcare players.
- The Health Insurance Portability and Accountability Act (HIPAA) is a federal requirement in the U.S. that includes the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. HIPAA applies to healthcare clearinghouses, health plans, and healthcare providers who electronically transmit any health information.
- Section 5 of the Federal Trade Commission (FTC) Act requires organizations to safeguard their computer systems and infrastructure.
- 42 CFR Part 2 directs healthcare provider organizations to protect patient records created by federally funded programs, while guiding them to be aware of other privacy and security laws.
Apart from the regulations, several government agencies have taken preventive measures to raise awareness about cybersecurity and the threats to the healthcare industry. Some of them are:
- As networked medical devices are among the assets most affected during ransomware attacks, the HHS Office of Inspector General (OIG) reviewed the requirements set by the Centers for Medicare and Medicaid Services (CMS) and Medicare Accreditation Organizations (AOs) to understand how much weight hospitals give to cybersecurity strategy.
- In October 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), based on a detailed analysis, recommended that healthcare organizations immediately implement both ransomware prevention and ransomware response measures.
- In January 2021, CISA announced the Reduce the Risk of Ransomware Campaign, which helps organizations adopt best practices, tools, and resources to mitigate this risk.
Ransomware Risk Mitigation
Larger healthcare organizations have a robust cybersecurity program with a dedicated CISO, board-level committees and governance, risk management, compliance committees, and BYOD management. Smaller organizations, however, do not invest in preventive measures such as network segmentation and multi-factor authentication. To mitigate ransomware risk, healthcare CISOs need to be proactive and address vulnerabilities. Some of the measures GAVS recommends are:
- Deploy IT asset tracking tools to provide complete visibility into every device that connects to the network.
- Strengthen defenses against ransomware by securing networks, systems, and end users, including with backup hardware.
- Ramp up employee training on basic digital hygiene so staff can spot and avoid phishing.
- Protect networks with multi-factor authentication.
- Develop a cyber incident response plan and a risk management plan that maps critical health services and care to the information systems they depend on.
GAVS helps clients manage risk and build effective cybersecurity programs with a range of end-to-end Cyber Security Services. To learn more about our offerings, visit https://www.gavstech.com/service/security-services/.