The transition to electronic health records (EHR) and electronic medical records (EMR) has continued and increased. While it has allowed efficiency and improvement in medical service delivery, it has also amplified the need for more attention, budget, and planning for better cybersecurity. As our society continues to move more of our social, professional, and medical lives onto the internet, it's not only our social media and email accounts that are being targeted. It's our personal health information (PHI) as well.
According to an interagency report by the U.S. government, "Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016." Ransomware gangs are criminal hacking groups that break into their targets' systems, stealing data and demanding a ransom for its return.
According to another report, published by the cybersecurity firm Sophos, the healthcare sector is a major target, with the number of attacks doubling from 2020 to 2021, in the middle of a global pandemic no less. As the saying goes, there is no honor among thieves, and certainly not among ransomware gangs. Attacks on hospitals result in disruption of procedures, loss of vital patient information, appointment cancellations, and even patient deaths. So why are hospitals such lucrative targets for ransomware gangs?
Why Ransomware Gangs Attack Hospitals
Each person's healthcare information is a lucrative mine for hackers and threat actors on the dark web. Once sold, this information feeds the exploitation of people through fraud, misinformation, negative propaganda, and phishing scams every day. PHI is reportedly more valuable than credit card information. Credit cards can be canceled, and email addresses and phone numbers can be blocked, but how does a person address the theft of their medical information? That information can be used to obtain free medical care, file false medical claims, max out insurance coverage, and leave a person without coverage. Remember that PHI also includes birth dates, social security numbers, and former mailing addresses, all of which can be sold or used for other forms of identity theft.
Hospitals and healthcare facilities that operate in the private sector are particularly susceptible to ransomware demands. Government-funded facilities run on taxpayer money and therefore seldom pay, whereas a private-sector board can choose to pay the demanded ransom to have its information returned. Sophos' report indicates that 61% of responding facilities admitted to paying ransom demands.
Private facilities have proven not only that they are vulnerable to these attacks but that, for the attackers, the payoff is worth the trouble and the risk of criminal charges, while the facilities themselves are left facing HIPAA violations. Unfortunately, the fact that they tend to pay the ransom has created a vicious cycle. To learn more about HIPAA updates for 2023, you can read our two-part series (parts one and two).
What Does HIPAA Stand For?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. It is the federal law in place that protects private patient information and prevents it from being shared without express consent.
How Can Hospitals Improve Their Cybersecurity?
HIPAA compliance can help prevent malware and ransomware attacks by implementing specific security measures:
- Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
- Implementing procedures to guard against and detect malicious software;
- Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
- Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.
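The last item, limiting access to ePHI to only the people and programs that need it, is the one most directly expressible in code. The block below is an added illustration written for this article, not code from the article, from HIPAA guidance, or from any vendor product. It assumes a small role-to-permission table, a "treating relationship" rule (a clinician may read a record only if they are on that patient's care team), and an audit log that records every decision, allowed or denied. The roles, patient fields and sample records are constructed for the example.

```python
"""Least-privilege access control for ePHI records with an audit trail.

Added illustration for this article (not code from the article, HIPAA, or
any vendor). Roles, permissions, record fields and the treating-relationship
rule are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions each role holds on ePHI. Constructed for this example; a real
# system derives these from its own written access policy.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
    "it_admin": set(),  # platform administrators need no clinical-data access
}


@dataclass
class Patient:
    patient_id: str
    care_team: set          # user ids with a treating relationship to this patient
    clinical_note: str = ""
    billing_code: str = ""


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, action, patient_id, allowed, reason):
        # Every decision is logged, so denied attempts are visible for review.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "patient": patient_id,
            "allowed": allowed, "reason": reason,
        })


def authorize(user_id, role, action, patient, audit):
    """Allow only if the role grants the action AND, for clinical data,
    the user has a treating relationship with the patient."""
    perms = ROLE_PERMISSIONS.get(role, set())
    if action not in perms:
        audit.record(user_id, action, patient.patient_id, False, "role lacks permission")
        return False
    if action in ("read", "write") and user_id not in patient.care_team:
        audit.record(user_id, action, patient.patient_id, False, "no treating relationship")
        return False
    audit.record(user_id, action, patient.patient_id, True, "ok")
    return True


def read_clinical_note(user_id, role, patient, audit):
    """Return the clinical note, or raise PermissionError if access is denied."""
    if not authorize(user_id, role, "read", patient, audit):
        raise PermissionError(f"{user_id} may not read {patient.patient_id}")
    return patient.clinical_note


def denied_events(audit):
    """Denied decisions are what a security team reviews for record snooping
    or a compromised account probing data it should not reach."""
    return [e for e in audit.entries if not e["allowed"]]


def demo():
    """Run four access attempts against one constructed patient record."""
    audit = AuditLog()
    patient = Patient("P-0001", care_team={"dr_lee"},
                      clinical_note="constructed note", billing_code="99213")
    results = {}
    results["dr_lee"] = read_clinical_note("dr_lee", "physician", patient, audit)
    for user, role in [("nurse_kim", "nurse"), ("bill_ng", "billing"), ("admin1", "it_admin")]:
        try:
            results[user] = read_clinical_note(user, role, patient, audit)
        except PermissionError:
            results[user] = None
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    print(results)
    for event in denied_events(audit):
        print("DENIED", event["user"], event["reason"])
```

Two design points matter here. First, the role check alone is not least privilege: a nurse who holds the "read" permission is still refused a record for a patient they are not treating, which is the check that catches curiosity-driven record snooping. Second, the audit log records denials as well as successes, because a burst of denied reads from one account is exactly the signal a hospital's security team needs in order to spot a compromised credential before it turns into a ransomware incident.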
Hospitals can implement the changes necessary to secure cyber insurance. As of 2021, only 78% of the healthcare organizations in Sophos' report had coverage. Qualifying for cyber insurance is a challenge for healthcare facilities because insurers seek to reduce their own risk, and the healthcare industry is well known as a target. Nevertheless, by shoring up their cyber defenses and meeting the requirements for cyber insurance, facilities take important steps toward reducing their risk of successful cyber-attacks and protecting PHI.
Hospitals can and should increase the budget they allot to cybersecurity. Statista's 2021 report on cybersecurity budgeting for U.S. healthcare organizations showed that very little is set aside to face this massive threat:
- 18% of healthcare organizations reported 1-2% of their budget
- 22% of healthcare organizations reported 3-6%
- 15% of healthcare organizations reported 7-10%
- 6% of healthcare organizations reported more than 10%
- 23% of healthcare organizations said no specific amount is set aside for cybersecurity, but money is spent
- 1% of healthcare organizations reported no money is spent on cybersecurity
- 18% of healthcare organizations said they don't know
Insufficient cybersecurity budgets leave a hospital or healthcare facility more vulnerable to attack. Hospitals and healthcare facilities often pay ransoms to recover stolen information, but on average they recover only around 65% of the data. If hospitals and healthcare organizations remain vulnerable to attacks and do not implement the necessary security measures, they will remain a lucrative target for ransomware gangs.