Cyberattacks have been in on the upswing since the start of the COVID-19 pandemic. According to a recent white paper from Crowdstrike and Medigate, 82% of health systems experienced some form of cyberattack from March 2020 to September 2021, and 34% of the reported attacks involved ransomware. Interestingly, 33% reported paying the ransom, but only 69% of those who paid the ransom reported having their data fully restored. Crowdstrike is a cybersecurity technology company based in Sunnyvale, California, and Medigate is an international clinical device data security and integration platform company that has headquarters in Brooklyn, New York.
“Physicians in private practice know they are especially vulnerable to cyberattacks,” said Thomas Finn, director of business development at Medigate. “They cite HIPAA penalties as a concern, right along with interruptions to the running of their practices, and the impacts to patient safety as their top worries.”
The Crowdstrike/Medigate paper emphasizes the need for health care delivery organizations (HDOs) to harden their security infrastructures via a renewed focus on defense fundamentals. The report covers various capabilities that health systems should consider in defending their organizations against advanced threats. During the first lockdown of the pandemic, the volume of attacks shot up dramatically and continues to rise. These attacks represent a triple threat because in addition to seeking payment from the HDO, they also coerce payments from patients and business partners.
Medical Files ‘Highly Prized’
“In terms of value, medical files are highly prized because they can be monetized in a variety of ways,” Finn said. “Fake claims to defraud payers often place false diagnosis and treatment information into the medical records of patients whose data was stolen.”
The privacy enforcement standards under HIPAA set substantial penalties for violations related to the theft of private health information (PHI). The recent passing of the HIPAA Safe Harbor Law essentially incentivizes the entire industry to take the steps required to secure PHI, which now includes connected medical assets, Finn said. “The FDA recently recalled nearly a half million pacemakers because of a discovered hacking vulnerability,” he said. “And as we know, private practices are now using telehealth and remote patient monitoring, so once again, they are even more vulnerable now.”
Potentially Devastating Penalties
Penalties for these types of HIPAA violations are based on how proactive a medical practice was at preventing cyberattacks. In some cases, the penalties can be devastating. Some practices are running up 6 figure annual cybersecurity bills. “The amounts can be $250,000 per year for a small physician practice or as much as $400,000 annually for a larger one,” Finn said. “Regardless, a health system that is well-defended from cyberattacks and still suffers a negative experience is obviously better positioned to deal with all the potential liabilities.” Finn said.
Health systems and private practices that do not feel compelled to take the right defensive steps are now viewed as negligent. Health care is a target due to its vulnerable attack surface and the financial payoff from selling the stolen information. “If you were a cybercriminal, where would you focus?” Finn said, adding there are many ways to monetize medical records. “A credit card can be shut off. You can’t shut off your medical history. You don’t get a do-over and the cybercriminals know this,” Finn said.
Companies that offer protection plans should specialize in medical practices, he said. Cybersecurity is a 365-day concern. It is important to thoroughly vet the security entity under consideration. “References should be investigated,” Finn said. “The right firm can remove the headache. The wrong choice will create new ones. Good security practice must enable the benefits of connected health not constraint.”
Fragile Digital Infrastructure
Cyberattacks are increasing and evolving because criminals can exploit vulnerabilities in the health care sector’s fragile digital infrastructure, according to Stéphane Duguin, chief executive officer for the CyberPeace Institute, a nongovernmental organization based in Geneva, Switzerland. Some pandemic-related phishing criminals have impersonated health-focused organizations, including the World Health Organization and U.S. Centers for Disease Control and Prevention.
CyberPeace Institute recently published the Cyber Incident Tracer (CIT) #HEALTH. This platform bridges the current information gap on cyberattacks on healthcare and their impact on people. Data captured on the platform provides details on 293 disruptive cyberattacks against the healthcare sector across 35 countries between June 2020 and November 2021. Across these incidents, the CIT #HEALTH seeks to report on the impact they have had on organizations and individuals, such as operational disruption to services which lasted from a matter of hours to 4 months, averaging 19.1 days per incident.
Medical practices may need to conduct security assessments and make timely patches to their systems to eliminate vulnerabilities, Duguin said. The institute is trying to raise awareness about the level of urgency and to get governments to take the issue more seriously. “Unless we understand the societal impact of cyberattacks on health care, the focus will remain on national security, foreign policy, and financial equities, rather than on the human impact, and will lead to policies that fail to produce a safe and stable cyberspace,” Duguin said.
There are many areas where further action can be taken to better protect health care, according to Duguin. A major concern is that many health care businesses are not forthcoming about a cyberattack for a host of reasons. “It is important to report any incidents to the relevant authority, such as local or national law enforcement agencies, to help prevent the spread of an attack and limit the negative impact of the attack upon other organizations,” Duguin said.
This article originally appeared on Renal and Urology News