10. 02. 23
Every October, Cybersecurity Awareness Month brings an abundance of tips, trends and resources that reinforce the importance of cybersecurity. It’s a good reminder to stay vigilant and shore up cyber defenses, as the healthcare sector remains a prime target for cybercrime. The surge in healthcare data breaches that began at the height of the COVID-19 pandemic has shown no signs of abating, even as life has mostly returned to pre-pandemic conditions.
In this blog, we’ll look at why the healthcare industry is a target for cyberattacks and what your practice can do to protect itself.
According to the Office for Civil Rights (OCR) for the U.S. Department of Health and Human Services (HHS), there were 308 breaches reported by healthcare providers in the first half of 2023. (1)
Surprisingly, the total number of breaches in the first six months of this year was 15% lower than the last six months of 2022 (363 breaches), according to security firm Critical Insight’s Healthcare Breach Report. (2) So far, 2023 is on pace for the lowest number of healthcare breaches since 2019.
But that doesn’t mean conditions are improving. While the first half of 2023 saw healthcare providers report fewer breaches, many of the incidents that occurred were larger than those seen in prior years. The number of personal records compromised in the first half of the year was 40 million—up 31% from the second half of 2022 (31 million).
And breaches have been costly. IBM’s Cost of a Data Breach Report 2023 found that the average cost of a healthcare data breach to be nearly $11 million—up 8% from the previous year and up a staggering 53% since 2020. (3) For 13 straight years, healthcare has had the most expensive data breaches of any industry.
“Healthcare is targeted more than any other industry,” explained Adam Grantz, director of enterprise customer support for Rectangle Health. “A healthcare practice is very attractive to cybercriminals due to the amount of sensitive information on file.”
A recent study by the Journal of the American Medical Association (JAMA) found that the annual number of ransomware attacks on healthcare organizations more than doubled from 2016 to 2021, exposing ePHI of nearly 42 million people. (4) The study concluded that ransomware attacks on healthcare are increasing in frequency and sophistication.
Ransomware attacks are particularly hazardous for the healthcare industry because they put patients’ ePHI at risk and could open providers up to legal action. ePHI is incredibly valuable because it essentially has everything a criminal needs to steal a person’s identity.
Cybercriminals know that putting ePHI at risk can be highly damaging for healthcare providers, and that’s why providers are being targeted with ransomware, noted Grantz. “Healthcare organizations pay the requested ransom at a much higher percentage than any other industry,” he said.
Ransomware attackers seem to be changing their strategies in 2023. Critical Insight noted that some criminals are deploying “double extortion,” in which they demand one payment to unlock the system and another to regain the stolen data. Others are shifting away from encrypting providers’ computer systems altogether and only demanding payment for the stolen data. Some of these criminals are even extorting patients directly for money.
Perhaps the biggest question a medical provider faces when hit with a ransomware attack is whether to pay the ransom to regain control of their data. If a provider chooses not to pay, they have to ensure that their backup repositories survive the attack. According to the Veeam 2023 Ransomware Trends Report, cybercriminals attempted to compromise organizations’ backup repositories in 93% of cyber events in 2022. (5) And 76% of targeted organizations lost at least some of their backed-up data.
But even having data securely backed up doesn’t mean ePHI isn’t at risk. Any time cybercriminals have access to patients’ data—whether the ransom is paid or not—there is nothing stopping them from using the data however they please. That’s why it’s important to have good cybersecurity protocols in place. Most ransomware attacks occur after an employee clicks on a malicious link in a phishing email. Training employees to always think before they click can protect both the practice and your patients.
Cybercriminals aren’t always going after the big fish. A practice might only have a few people on staff, but everyone is a target—from the physicians to the office managers to a temp who may only be with the practice for a couple of weeks. Attackers are looking for the lowest-hanging fruit and the easiest criminal transaction they can get away with.
Medical practices need to adopt a new mindset when it comes to cybersecurity and protecting patient data. Providers are focused on the health of their patients, and they need to be. But they also need to take time to focus on protecting their patients’ data. “It takes a cultural shift, where from the top down, you’re emphasizing that this is the new age of risk and there are new needs for a successful practice,” explained Brad Deflin, CEO of Total Digital Security. “You care about your patients. You’ve got to care about their data. And you’ve got to care about keeping your practice open, predictable and consistent—for their care, but also for your brand, and your business as well.”
Rectangle Health can take some of the cybersecurity burden off a healthcare practice. Our payment processing software uses the highest level of security, protecting card information and protecting patients from fraud. Additionally, our compliance solutions ensure that your entire staff is following all HIPAA guidelines to secure ePHI.