Healthcare: Mitigating cyber risk in Healthcare

As technology advances, so does cybersecurity risks, and the US Healthcare sector is proving to be a prime target as revealed by recent research from Bitglass

Data breaches across organisations are becoming more and more common, this is also the same within the healthcare sector. Several major providers announced they suffered data breaches in 2020, with Pittsburgh-based UPMC and Omaha-based Nebraska Medicine being the latest to share their experience. Those breaches alone affected 255,000 individuals.

With most members of society having healthcare records including highly sensitive information, from personally identifiable information such as Social Security numbers, names and addresses to sensitive health data such as Medicaid ID numbers, health insurance information and patients’ medical histories, a healthcare breach poses a severe risk of data loss and theft. Particularly in the US, where healthcare is primarily a paid for service, data could also include company details and bank information, posing a larger target for cyberattacks.

Ransomware attacks likely account for a significant proportion of data breaches in US healthcare organisations. Maze, Ryuk, REvil (Sodinokibi), SunCrypt, Snake and Clop are just some of the ransomware groups that have attacked hospitals and healthcare organisations. A report from Check Point earlier this year named Ryuk and REvil the top threats for the healthcare sector at a global level.

At the end of October 2020, the US Government released a warning about Ryuk ransomware attacks targeting hospitals and healthcare providers. An earlier notification, in April, sounded the alarm about ransomware groups breaching hospitals by exploiting a remote execution vulnerability in Pulse Secure VPN servers.

News about ransomware hitting various hospitals in the US trickled all through 2020, most of them towards the end of the year and some organisations ending up paying the hackers hundreds of thousands of US dollars to return to normal activity.

The motives behind cyber attacks on healthcare companies are clear: hospitals, urgent care clinics, pharmacies, health insurance companies and other healthcare providers keep records of very valuable information that can be used for identity theft more than almost any other industry. What’s more, the healthcare industry is widely regarded as having rather weak security; a recent report from SecurityScorecard ranks healthcare 9th out of all industries in terms of overall security rating.

This is not a small problem. A February 2017 survey from Accenture reveals that healthcare data breaches have affected 26% of US consumers, or more than one in every four Americans. Additionally, the survey also found that 50% of breach victims eventually suffered medical identity theft, with an average of $2,500 out-of-pocket costs. Even worse, half of the survey respondents reported that they learned of the breach themselves – as opposed to an official company or law enforcement notification – after they had been alerted to an error on their benefits explanation, credit card statement, or similar documents.

These are sobering facts, especially when you consider the broad reach of the healthcare industry; nearly everyone has healthcare records somewhere within the healthcare system.

Since 2018, the number of hacking and IT incidents has increased each year, meaning that IT resources are increasingly used by organisations and targeted by malicious actors. Such incidents were, by far, the top cause of healthcare breaches in 2020, leading to 403 out of 599 breaches (67.3%)–more than three times that of the next highest category. Hacking and IT incidents also led to larger breaches than other categories did, compromising 91.2% of all exposed healthcare records in 2020 (about 24.1 million out of 26.4 million).  

“The vast majority of healthcare organisations process and store protected health information (PHI) such as Social Security numbers, medical history and other personal data. It is no surprise that these entities would be targeted by malicious cyber criminals seeking to access sensitive data for monetary gain,” said Anurag Kahol, CTO of Bitglass. “The exceedingly high number of hacking and IT incidents highlight the shifting strategies of malicious actors. As healthcare organisations continue to embrace cloud migration and digital transformation, they must leverage the proper tools and strategies to successfully protect patient records and respond to the growing volume of threats to their IT ecosystems.”

Bitglass recently released its seventh annual Healthcare Breach Report. Each year, Bitglass analyses data from the US Department of Health and Human Services’ “Wall of Shame,” a database containing information about breaches of protected health information (PHI). In 2020, there were 599 healthcare breaches that collectively affected over 26 million individuals. Bitglass’ latest report takes an in-depth look at the breaches that healthcare organisations faced, comparing them to previous years and revealing key trends and cybersecurity challenges facing the industry. Breaches recorded in the DHHS database are classified into the following categories:

• Hacking and IT Incidents: Breaches related to malicious hackers and improper IT security–cybersecurity events stemming from external parties. 
• Unauthorised Disclosure: Unauthorised sharing of PHI by internal parties or systems.
• Loss or Theft: Breaches that involve the loss or theft of endpoint devices. 
• Other: Miscellaneous breaches and leaks.

With the rapid acceleration of cloud, bring your own device (BYOD) and remote work adoption due to the global pandemic, 2020 looked significantly different than any other year in history. What kind of impacts did these changes have? 

In 2014, lost and stolen devices were the leading causes of security breaches in healthcare, while hacking and IT incidents were the least common causes. Today, things have essentially inverted. Hacking and IT incidents are now the primary forces behind healthcare breaches–as they have been each year since 2017. As organisations continue to embrace cloud migration and digital transformation, healthcare organisations must leverage the proper tools and strategies to successfully protect patient records and respond to the growing volume of threats to their IT ecosystems. 

Each year since 2015, hacking and IT incidents have been exposing more records than any other breach type. Additionally, the scales of these incidents have been increasing each year since 2018, suggesting that organisations are increasingly leaning on their IT resources, and criminals have been increasingly targeting them. With over 24 million individuals affected, organisations must equip themselves with modern tools capable of preventing hacking and IT incidents and stopping data leakage. This is particularly true now that most organisations have shifted at least in part to a remote style of operations.

In 2020 there were 49 healthcare breaches in California, which was more than that of any other state and surpassed last year’s leader, Texas, which suffered 43 breaches in 2020. Michigan had the highest count of individuals affected, but this was primarily due to the Trinity Health breach, which impacted 3.3 million victims on its own. Overall (and in keeping with prior years), states with denser populations suffered more breaches. This year, breach numbers were up across the board, with 37 out of 50 states suffering more breaches than they did in 2019.

Cost of a data breach

According to Ponemon, the average cost of a breach in healthcare remained higher than that of every other industry in 2020, and increased 10.5% since 2019. Likewise, the cost per breached record also increased, rising from $429 to $499 this year (a 16.3% increase). On average, healthcare firms take the longest to identify breaches, at about 96 days, and take the longest to recover from them, at about 236 days. 

Year over year changes can be seen below, with total healthcare breach costs calculated by multiplying the cost per breached record each year by the number of breached records each year. As the data shows, billions of dollars are being wasted annually due to either cybersecurity negligence or the use of legacy tools that are incapable of securing data in modern work environments. To address this challenge, healthcare firms should turn to comprehensive platforms designed to secure any interaction between any devices, apps, web destinations, on-premises resources, or infrastructure. 

Fighting back

Due to the significant financial impact of data breaches in healthcare, health informatics and other professionals are playing an important role in ensuring that medical organisations remain secure. According to HealthIT.gov, individual health care organisations can improve their cyber security by implementing the following practices:

1. Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organisation is responsible for protecting patient data, creating a culture of security.
2. Protect mobile devices: An increasing number of healthcare providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
3. Maintain good computer habits: New employee onboarding should include training on best practices for computer use, including software and operating system maintenance.
4. Use a firewall: Anything connected to the internet should have a firewall.
5. Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
6. Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organisations should consider storing this backed-up information away from the main system if possible.
7. Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
8. Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Health care employees should not only use strong passwords, but ensure they are changed regularly.
9. Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organisational authorities.
10. Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

In addition to these recommendations, health data professionals are continually developing new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organisation from financial loss and other forms of harm.

The Bitglass full report can be downloaded here: https://pages.bitglass.com/CD-FY21Q1-HealthcareBreachReport2021_LP.html 

Commentary: Thomas Schulz, EMEA Product Marketing Director, ASSA ABLOY Opening Solutions

Security stakes are high at healthcare premises. Patients expect and deserve privacy and safety. Yet most medical buildings must remain welcoming spaces, many open around the clock. The protection of drugs and confidential data is critical — and every breach demands thorough investigation. Such needs go way beyond what the mechanical security was designed to meet.

Hospitals, for example, are often large and spread out. Their locks may need to integrate with fire detection, CCTV and other building systems. Labs and pharmacies are safer when access is managed with time-limited “keys” which can be revoked. In care homes, security must be matched by user-friendliness for a client group who may have limited dexterity or learning skills. Here, real-time control and monitoring can help managers to react quickly.

We ask too much of a traditional metal key if we expect it to do all this. Yet wired security doors can be an expensive retrofit option. Fortunately, there is a solution: wireless access control.

Commentary: Paul Baratta, Healthcare Segment Development Manager at Axis Communications

Equipping patients’ rooms with solutions that combine video, two-way audio and analytics can act as a force multiplier for medical teams. By integrating with the electronic patient records system (ERMS) the staff can observe the patient’s physiological monitors, as well as listen for audible indicators of the patient having difficulties and provide a proactive response to a medical event.  With acoustic analytics, alarms can be identified and responded to quicker through microphones and on-board camera edge acoustic analytics. Video can be directly integrated with patient telemetry monitoring devices, giving the clinical staff eyes and ears to the patient, without having to check patients remotely. This reduces the use of personal protective equipment (PPE) and exposes staff to infection risk.

The ability to observe patients through the video allows medical staff to monitor patient activity and proactively respond to a patient in distress or pre-empt an incident such as a seizure or fall risk. Using analytics such as crossline detection can alert staff to a patient who may be a wandering risk and trigger an immediate alert to the nurse or patient watch observer.  This rapid response can make the difference between life and death.

Patient observation solutions and video monitoring of patients, analytics and access control systems can be used today to secure infectious disease areas and tomorrow in a more traditional role. Hospitals are able to secure assets and equipment by limiting access to restricted areas and provide solutions to improve patient quality of care and optimised response to emergencies.