The security of health data has always been a concern, but over the past year healthcare cybersecurity has become an even more pressing issue for governments, businesses and the general public. The reason is a sudden and large increase in attacks, in both number and impact. Where do these attacks on healthcare come from, and how can security teams protect healthcare data?
Healthcare data in the news
Check Point Software reports a 45% increase in attacks on healthcare organizations over the last two months of 2020, more than double the increase seen in other sectors. HIPAA Journal counted 642 data breaches of 500 or more records in 2020, exposing a total of 29,298,012 records. Emsisoft found that 560 healthcare facilities were hit by ransomware in 2020.
Some attacks on health data have done serious harm. In one attack on a U.S. health network, about 5,000 computers were inoperable for 40 days, and the total cost of the incident exceeded $63 million.
Crime appears to pay. Ransomware gangs took in at least $350 million in 2020, according to blockchain analysis firm Chainalysis, an increase of 311% over 2019.
Why health data presents unique problems
Attacks on healthcare are rising because the data is both highly sensitive and highly valuable, and because the victim cannot afford downtime. An attack that disables a hospital's internal systems can be life threatening, so the pressure to pay is high.
Another factor that gets too little attention is the dramatic growth of the healthcare attack surface, driven by new, life-saving technologies. The Internet of Things (IoT) has brought a wide range of connected medical devices onto hospital networks, and IoT security is still immature and largely untested.
Medical biometrics poses its own challenges for healthcare, as does a new generation of medical imaging technology. The supply chain is another significant source of risk for healthcare data.
As hospital cybersecurity becomes ever more pressing, some organizations have responded by falling back on paper records and faxes. Worse, overstretched hospital staff have had little time to understand the full scope and harm of the breaches. The true extent of the attacks on this sector will not be known for months.
Security software company Irdeto found that 88% of executives at Fortune 1000 medical device manufacturers, digital and mobile healthcare companies and telehealth providers say their organizations are unprepared for a cyberattack. That is an alarming admission, since 80% of these companies have suffered at least one cyberattack in the last five years. Part of the problem is the equipment itself: only 18% believe the security built into their medical device products is strong.
How attackers steal health data
Ryuk and REvil are behind most of these attacks. Ryuk drew wide public attention when threat actors used it against six U.S. hospitals within a 24-hour period in October 2020.
Ryuk was derived from the Hermes ransomware and was first seen in 2018. It is operated by a Russian criminal gang tracked as Wizard Spider, whose specialty is extremely high ransoms, with an average demand of more than a quarter of a million dollars. Ryuk is delivered in two stages: a dropper writes the Ryuk payload to disk, and a second executable performs the encryption and then deletes the dropper to cover its tracks.
REvil, named after the Resident Evil video game series and also known as Sodinokibi, is ransomware-as-a-service that steals data (healthcare or otherwise) and threatens to publish it unless the victim pays. REvil has two notable features. First, its ransom note threatens to double the demand if the victim does not pay by the deadline. Second, it offers a "test" decryption that demonstrates the data can be recovered once the victim pays.
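The two-stage delivery described above (a dropper writes a payload, the payload runs, then deletes the dropper) is a behavioural pattern rather than a file hash, so it can be hunted in endpoint telemetry without knowing the current sample. The following is an added example, not code from the article or from any vendor's detection content: a small Python correlator that walks Sysmon-style process-create, file-create and file-delete events in order and flags any executable that was written by one process, executed, and then deleted the image of the process that wrote it. The event format, path names and the "nurse" workstation are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    """Minimal stand-in for a Sysmon-style endpoint event (constructed format)."""
    seq: int            # ordering key; stands in for a timestamp
    kind: str           # "ProcessCreate" | "FileCreate" | "FileDelete"
    pid: int            # acting process
    image: str          # image path of the acting process
    target: str = ""    # file written/deleted, if any
    ppid: int = 0       # parent pid (kept for context, not needed by the rule)


def find_dropper_chains(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (dropper_image, payload_image) pairs where, in time order:
       1. process A writes executable F,
       2. F is later started as process B,
       3. B later deletes A's image file (the dropper cleaning up after itself).
    Paths are lower-cased because Windows file systems are case-insensitive."""
    dropped = {}    # payload path -> image of the process that wrote it
    executed = {}   # pid of a process whose image was a dropped file -> (payload, dropper)
    chains = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "FileCreate" and ev.target.lower().endswith(".exe"):
            dropped[ev.target.lower()] = ev.image.lower()
        elif ev.kind == "ProcessCreate":
            img = ev.image.lower()
            if img in dropped:
                executed[ev.pid] = (img, dropped[img])
        elif ev.kind == "FileDelete" and ev.pid in executed:
            payload, dropper = executed[ev.pid]
            if ev.target.lower() == dropper:
                chains.append((dropper, payload))
    return chains


def sample_events() -> List[Event]:
    """Constructed telemetry: one dropper/payload chain plus a benign installer
    that also writes and runs a helper but never deletes itself."""
    dropper = r"C:\Users\nurse\Downloads\Invoice_0312.exe"       # hypothetical lure
    payload = r"C:\Users\nurse\AppData\Local\Temp\wsus.exe"      # hypothetical name
    return [
        Event(1, "ProcessCreate", 100, dropper, ppid=40),
        Event(2, "FileCreate", 100, dropper, target=payload),
        Event(3, "ProcessCreate", 200, payload, ppid=100),
        Event(4, "FileDelete", 200, payload, target=dropper),
        # Benign: an installer writes a helper, runs it; the helper deletes only its own log.
        Event(5, "ProcessCreate", 300, r"C:\Temp\pacs_setup.exe", ppid=40),
        Event(6, "FileCreate", 300, r"C:\Temp\pacs_setup.exe", target=r"C:\Temp\helper.exe"),
        Event(7, "ProcessCreate", 301, r"C:\Temp\helper.exe", ppid=300),
        Event(8, "FileDelete", 301, r"C:\Temp\helper.exe", target=r"C:\Temp\helper.log"),
    ]


if __name__ == "__main__":
    for dropper, payload in find_dropper_chains(sample_events()):
        print(f"dropper-then-self-clean chain: {dropper} -> {payload}")
```

Treat a hit as a triage signal, not a verdict: self-updating installers legitimately write a new version, run it and remove the old binary, so in production the rule should be paired with an allow-list of signed publishers and with the other behaviours the page describes, such as a ransom note appearing on disk.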
The compliance connection
Safeguarding healthcare data is not only about patient privacy and safety, or about the organization's financial health. It is also about complying with regulations.
For example, the Department of Health and Human Services (HHS) has imposed roughly $130 million in fines for non-compliance with the Health Insurance Portability and Accountability Act (HIPAA). The HHS Office for Civil Rights enforces the law. It applies across the healthcare industry and regulates the electronic storage and transmission of protected health information. Covered organizations must protect the data and must disclose breaches of health data when they occur.
Protecting data in a HIPAA-compliant manner means maintaining proper administrative controls, policies and employee training; sound physical security for machines that hold data; encryption of data; auditing of user access; and best practices for media, including destruction of data on storage media that is no longer in use. HIPAA compliance means safeguarding the personal information of patients and clients alike.
Other regulations that health organizations must comply with are:
- 42 CFR Part 2. This part of the Code of Federal Regulations protects patient records in federally funded substance abuse programs.
- The Federal Trade Commission Act. The FTC uses its authority under this act to require for-profit entities, including those in the healthcare sector, to protect their computer systems.
- Regional regulations. These include the European Union's General Data Protection Regulation (GDPR), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and others, depending on where a health organization operates, provides services or sells.
What to do now
Healthcare providers of all sizes and types should review the guidance and best practices established under HIPAA, and pay particular attention to preparing for ransomware. That means going back to basics: enable multi-factor authentication on every endpoint and account where it applies, keep up to date with all security patches, do not skimp on security awareness training, and keep reliable backups, including offline backups that you have tested and can restore quickly.
After all, healthcare cybersecurity can be a matter of life and death, not just of money or business.