The healthcare sector is a prime target for cybercriminals and cyberterrorists, due to the huge amount of sensitive PII (personal identifiable information) that it stores, and the critical need for constant availability of updated patient data in order to provide necessary medical care. Herjavec Group’s 2020-2021 Healthcare Cyber Security Report attributes the attractiveness of healthcare organizations to cybercriminals also to outdated IT systems, fewer cybersecurity protocols and IT staff. The use of web-connected devices increases healthcare institutions’ vulnerability. In the specific case of this sector, cyber attacks can place lives at risk, in addition to severely disrupting routine operation and exposing patients’ most sensitive personal information. Moreover, while passwords can be changed, and credit cards can be reset, health data remains valid forever, and can be used for identity theft, insurance and health care fraud, and other malicious activities.
According to the U.S. Healthcare Cybersecurity Market 2020 report, more than 90% of all healthcare organizations reported at least one security breach in the last three years. Confirmed data breaches in the healthcare industry increased by 58% in 2020 (Verizon). Ransomware attacks on healthcare organizations in the USA alone are estimated by Comparitech to have amounted to $20 billion in 2020. Cybersecurity Ventures estimates that in 2021 the healthcare industry will suffer two to three times more cyber attacks on average than other industries.
Comparitech points to a concerning new trend of double extortion attempts: the hackers do not only deny access, but also call patients with proof of the data collected. This often leaves healthcare organizations with little choice but to pay the ransom, which incentivizes future cyber attacks.
According to the InfoSec Institute, personal health information (PHI) is particularly attractive to hackers, as they can sell it for a sum that is even higher than $360 (as opposed to credit card information, which is sold for as little as $1 – $2).
Rod Piechowski, health IT expert and Vice President of Thought Advisory at the Healthcare Information and Management Systems Society (HIMSS), has voiced concern that if hackers find a way to threaten the integrity of medical data, for example, by changing results of lab tests, they would place patients’ lives at real risk.
Although 91% of hospital administrators regarded data security as a top focus, 62% felt inadequately trained and/or unprepared to mitigate cyber risks that may impact their hospital, according to research from Abbott. An HIMSS survey revealed that despite the above, healthcare organizations dedicated only 6% or less of their IT budgets to cybersecurity.
It is also important to note that a survey conducted in 2018 by Accenture among employees in the healthcare industry in the USA and Canada revealed that 29% of healthcare employees were aware of someone in their organization who was selling access to patient data. 47% stated that they were aware of patient data breaches in their organizations, with many left unreported. And 21% said they would be willing to make a profit by providing authorized access to confidential information.
According to hellohealth.com, the most common types of cyber attacks directed at hospitals include:
- Malware, ransomware and spyware: In the first ten months of 2020, there were more than double the number of ransomware attacks targeting hospitals than in other industries.
- Phishing and spear phishing: According to Security Boulevard, 95% of all attacks that target enterprise networks are caused by spear phishing.
- DDoS attacks, including botnets and remote code execution: Imperva has reported a 372% increase in DDoS and bad bot traffic to healthcare organizations since the end of 2020 alone.
In June 2021, Health IT Security reported that the FBI initiated an investigation into ransomware attacks against at least a dozen US hospitals, health systems and healthcare providers, which took place in the fall of 2020, at the height of the COVID-19 pandemic. One of these was an attack that targeted one of the largest hospital chains in the USA, Universal Health Services, in September 2020, resulting in the shutdown of computer systems for medical records, pharmacies and labs in 250 facilities. Additionally, ambulance needed to be diverted to other hospitals, and critical surgeries were postponed. The attack ultimately cost the company $67 million (hellohealth.com). The following month, a ransomware attack attributed the same group of hackers left Sky Lakes Medical Center, which was overburdened with COVID-19 patients at the time, unable to access medical records. The attack cost the medical center $10 million. It is important to note that beyond the need to purchase new servers, computers, etc., the indirect costs of such attacks include lost revenue due to diversion of patients.
In February 2021, Rehoboth McKinley Christian Health Care Services (RMCHCS), a US non-profit healthcare provider, reported a data breach that impacted more than 200,000 patients and employees. The data potentially accessed included names, addresses, telephone numbers, email addresses, dates of birth, dates of service, Social Security numbers, driver’s license numbers, password numbers, tribal ID numbers, health insurance information, medical record numbers, provider names, diagnoses, treatment information, prescription information, financial account information, and billing and claims data, though not necessarily all above data for every individual compromised (HIPAA Journal).
According to Check Point Software Technologies, the incidence of cyber attacks increased with the spike in COVID-19 cases in November 2020. A regional analysis revealed that hardest hit were Central Europe (a 145% increase), followed by East Asia (137%) and Latin America (112%). In terms of specific countries, the most dramatic increase was reported in Canada (250%), Germany (220%) and Spain (double the number of attacks).
The race to develop a vaccine was not lost on cybercriminals. In December 2020, the European Medicines Agency (EMA) was targeted, and data related to the Prizer’s and BioTech’s Covid-19 vaccine was stolen. IBM’s cybersecurity department and the US Department of Homeland Security subsequently revealed that cyber attacks had also been carried out on Covid-19 vaccine distributers – companies and government organizations – aimed to prevent distribution at the proper temperatures. Hackers who are financially and politically motivated also perpetrated attacks spreading disinformation through the theft and manipulation of data regarding the development of Covid-19 vaccines (Global Risks Insight).
ACID Intelligence and DIP detect the plans cybercriminals and cyberterrorists hatch and develop, most often to steal confidential PII data and hold healthcare institutions to ransom. By providing advance warning, we allow the targeted institutions to take appropriate action in order to continue their important, lifesaving work uninterruptedly or mitigate disruption, avoid the theft of patients’ PII, the need to pay ransom to release records, and often, the heavy recovery costs required to resume normal operation and improve IT system protection, and also to avoid costly class-action lawsuits.