Cyberattacks on health care organizations have become rampant in 2020. With multiple data breaches and ransomware attacks, the health care providers continued to be the primary target for cybercriminals. According to the “U.S. Health Care Data Breach Statistics” survey, around 70% of the U.S. population is affected by health care data breaches, with over 230,954,151 health records lost, stolen, or exposed in various security incidents. 2018 and 2019 witnessed a sharp increase in the number of individuals affected by health care data breaches, with a six-fold increase between 2017 and 2019.
By Rudra Srinivas, Feature Writer, CISO MAG
Nearly two-thirds of global health care organizations suffered a cyberattack in their lifetime, while 53% were attacked within the last 12 months. The most commonly reported cyberattacks in the health care sector are phishing (68%), malware (41%), and web-based attacks (40%).
The recent outbreak of ransomware attacks on hospitals globally indicates the threat these attack vectors pose. Many industry experts opined that the current cyberthreats to the health care industry might continue in the coming year. Here are four ransomware attacks that took a toll on the health care sector in 2020:
1. Blackbaud Data Breach
Cyberattack on Blackbaud, a third-party cloud-based service provider, is considered one of the largest data breaches of the year, which exposed over 3.4 million patients’ personal information. On July 16, 2020, Blackbaud stated that it discovered unknown ransomware operators accessing its network systems between February 7, 2020, and May 20, 2020 — and illicitly obtained backups of databases used by its customers. Two Minnesota-based organizations – Children’s Minnesota Foundation and Allina Health were severely affected in the data breach incident.
2. Florida Orthopaedic Institute
Tampa-based health care provider Florida Orthopaedic Institute (FOI) reported a data breach in April 2020 that affected over 640,000 patients’ data. FOI alleged that an unknown ransomware group encrypted information stored on its servers. The compromised information included patients’ personal data like names, birth dates, social security numbers, and medical information like appointments, medical claims, addresses, diagnosis codes, insurance plan identification numbers, payer identification numbers, and payment amounts. FOI also faced a class-action lawsuit filed by the law firm Morgan & Morgan, alleging that FOI failed to protect its patients’ personal data. The lawsuit demanded $99 million in compensation.
3. Health Share
On January 2, 2020, Health Share stated that the personal information of over 654,000 patients was compromised by its third-party vendor GridWorks. Burglars broke into GridWorks’ office and stole a laptop that contained PII of its members including names, contact details, addresses, birth dates, social security numbers, and Health Share ID numbers. The nature of the theft suggested that the stolen data was potentially compromised, however, no medical histories were involved in the data breach.
4. A String of Ryuk Ransomware Attacks
Recently, a string of Ryuk ransomware attacks targeted multiple U.S. hospitals in Oregon, California, and New York. Nearly six hospitals were attacked on the same day, which disrupted their entire operations. Even the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) jointly issued a red alert to all hospitals and health care institutes across the U.S. The agencies stated that malicious actors targeted hospitals and health care providers with Ryuk ransomware, TrickBot, and BazarLoader malware, which lead to ransomware attacks, data theft, and the disruption of services.
Cybersecurity in Health Care Sector
The research “Moving Forward: Setting the Direction” highlighted that health care supply chain security is one of the lowest-ranked areas for the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) conformance. Only 44% of hospitals and health care providers are following the security protocols outlined by the NIST CSF.
The main factors affecting health care security include poor security planning, lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of necessary staff, and inaccurate planning.
In addition, there are huge cyberthreat risks to connected medical devices, as most organizations are running their medical devices on outdated operating systems, leaving them vulnerable to cyberattacks. According to a research from Atlas VPN, 83% of health care providers in the U.S. are running on outdated software. Out of the 1.2 million IoT devices used in thousands of health care organizations across the U.S., 56% of devices were still running on the Windows 7 operating system, for which Microsoft discontinued support in January 2020.
Fear of Unhealthy Insiders
Every organization or industry is vulnerable to insider threats, and the health care sector is no exemption. A recent survey revealed that over 71% of health care providers are worried about the risks of data theft due to the negligence or mistakes of their employees and IT admins. Organizations in the health care sector are mostly concerned about employees accidentally sharing sensitive data (88%) and rogue admins (80%), spear-phishing attacks (87%), admin mistakes (71%), and data theft by employees (71%).
Cyberattacks on hospitals and vulnerable medical devices are likely to be continued until and unless the health care organizations boost their cybersecurity posture. While patient forms and charts are on paper, the medication procedure and reports are maintained online. Ransomware can take an entire health care institute to a road of destruction and cause dire consequences for patients. If systems go down because of cyberattacks, there is a possibility of patients losing their life. It is high time for health care organizations to increase their cybersecurity budget and enhance their security standards.
About the Author
Rudra Srinivas is a Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.