Introduction
Key Takeaways
For the 11th year in a row, healthcare is at the top of IBM’s “Cost of a Data Breach Report,” ranking number one among all industries for the highest average cost of a data breach. For the 2021 report, that number is now more than $9 million, far surpassing the just more than $7 million average cost of a breach in 2020.
The attacks on the healthcare industry aren’t just getting more expensive, they’re also increasing in frequency and complexity. This can be attributed, in part, to the changing technological landscape for healthcare-covered entities and business associates as a result of the coronavirus pandemic, which began in 2020.
That year and stretching into 2021, as stay-at-home and social distancing mandates went into place around the globe, healthcare providers were forced to rapidly adopt new technologies to continue to offer new and expanded services such as telehealth and remote health monitoring.
This necessary adoption of technology, coupled with an already unprecedented rollout of more industrial internet of things (IIoT) devices in healthcare facilities and patient homes, has created a new threat landscape today that’s vast and more rapidly changing than ever before. As a result, the healthcare industry faces an ever-increasing number of new threats that most IT and security teams can’t keep up with.
Attackers are well aware, using tactics such as phishing schemes and ransomware to access systems that store, maintain, and transmit sensitive data such as protected health information (PHI) and personally identifiable information (PII).
The Rise of Ransomware
It used to be the common thinking that cyber-attacks were only a risk to larger healthcare organizations such as big hospital systems or multiple providers operations. Yet, now what we’re seeing increasingly more often is that any organization that has PHI, PII, or other sensitive data can be at risk.
A recent report from Coveware, for example, says that more than 75% of ransomware attacks happen to organizations with fewer than 1,000 employees.
Many cybersecurity professionals are now urging organizations across all industries to change their mindsets from preparing for what happens if an attack occurs to building business continuity and cyber resilience plans that approach it from a "when it happens" viewpoint.
And if we take the number of successful data breaches, especially related to the rise in ransomware into account, it’s easy to see why healthcare organizations must be prepared, especially in light of some of the many shortcomings we’re seeing in security, compliance, and privacy measures after industry changes brought on by pandemic response.
According to the U.S. Department of Health and Human Services’ Cybersecurity Program, the Healthcare and Public Health Sector experienced 48 ransomware incidents through May 25, 2021, affecting health or medical clinics, healthcare industry services, hospice or elderly care, hospitals, and medical universities or medical research facilities.
In these attacks, 72% resulted in the leaking of victim data including either full file dumps, samples, or screenshots. While some of the smaller attacks, according to HHS, were just a few screenshots of sensitive data, others resulted in leakage of terabytes worth of victim data.
In that same survey for Healthcare and Public Health Sector organizations worldwide, 34% said they had a ransomware attack in the past year, and those attacks, 65% said that cyber-attackers had successfully encrypted their data. While 93% ultimately got data back, less than 70% of that data was restored after ransom payment.
How are attackers getting through defenses, especially those with security controls that are HIPAA or another framework compliant? According to the Center for Internet Security, the most common attack method is through a phishing email. These emails often look like they’re from a legitimate source, possibly mimicking a name or similar email address for people within your organization or from outside your organization, like your partners or vendors.
In some instances, even the most well-trained and repeatedly educated team members can make a mistake and accidentally or inadvertently click on a malicious link through a phishing email or possibly click on a malicious link from an infected web page.
These phishing schemes deploy a range of tactics from those malicious links to social engineering, which convinces a victim to give up credentials, thereby opening the door for malicious lateral movement and additional ransomware deployment within your networks.
While some of these attacks are happening right within a healthcare organization’s systems, the industry is also seeing an alarming increase in the number of attacks that originate within systems operated by their partner business associates.
One of the largest data breaches to date for healthcare happened with a business associate in 2019, when a business associate, the American Medical Collection Agency (AMCA), a billing collections company, was hit by an attack that ended up exposing records for more than 26 million individuals, including Social Security numbers, as well as medical and financial details.
A Record Number of Breaches
The Office for Civil Rights is responsible for investigating HIPAA violations and through the HITECH Act, posts a list of all breaches that affect the PHI of 500 or more individuals.
Based on data available in the breach portal, between Jan. 1, 2020, and Dec. 31, 2020, OCR investigated 346 breaches affecting 500 individuals or more. In 2021, between Jan. 1 and the end of August, that number skyrocketed to 433, with four more months of the year to go.
Not only are there more reported breaches than in previous years, but we’re also seeing impressive numbers of records exposed in these attacks. In 2021, for example, there were two breaches within the first eight months of the year where more than 3 million records were exposed in each incident—the Florida Healthy Kids Corporation reported in January, and another that affected the 20/20 Eye Care Network reported in May.
The rise in these ransomware attacks and successful breaches is painting a picture of caution—there are holes in healthcare cybersecurity and privacy that need our attention.
Risk Analysis and Risk Management Shortcomings
All healthcare-covered entities and business associates can be subject to an OCR audit, not just where there is an investigation or suspected HIPAA violation.
There are two major rounds of OCR audits of note, the Phase 1 audits in 2011-2012 and Phase 2 audits in 2016-2017. What OCR found in many of these audits is that often both covered entities and business associates fail to conduct risk analysis and risk management as outlined in the HIPAA Security Rule.
Some of the organizations say the issue lies within no formal, clear guidance on what these OCR risk analysis and risk management processes should include. However, the reality is, OCR has been clear about what it expects in both for years. It just doesn’t prescribe a step-by-step guide. Instead, it recommends organizations take a range of factors into account when determining which controls and processes make the most sense for each organization while meeting HIPAA requirements.
Another issue may be a common swapping of terms across the industry, especially among cybersecurity professionals between a HIPAA compliant risk analysis and risk assessments, which, while similar, are not the same. HIPAA has a clear distinction between a risk analysis (as outlined in the Security Rule) and a risk assessment, which is part of the HIPAA Breach Notification Rule. Many things some professionals categorize as a risk assessment don’t meet the full requirements of a HIPAA risk analysis.
For organizations that struggle with OCR compliant risk analysis and risk management, you may find it beneficial to adopt standards based on guidelines from the National Institute of Technology (NIST), which has guidance and control recommendations to protect PHI and other sensitive data.NIST frameworks such as 800-151, 800-53, and NIST CSF are all available within the Apptega platform.
Lack of Asset Awareness
Another issue affecting many healthcare organizations centers around a lack of understanding of which assets an organization actually has, how they’re used, who has access, what information can be accessed from each asset, and which assets and functions are mission-critical. Often, that’s because organizations just don’t know how to conduct a comprehensive and ongoing asset inventory, nor are they prepared to do a risk assessment or business impact analysis on those assets.
This issue was further complicated during the pandemic when many organizations allowed Bring Your Own Devices (BYOD) options for employees who needed instant access to remote devices in this changing work environment. This helped further proliferate vulnerabilities in practices and processes and also highlighted several deficiencies in employee education, training, and retention.
But this issue isn’t a new one. A notable healthcare data breach which resulted in some stiff OCR penalties happened back in 2013 and 2017 when New York-based University of Rochester Medical Center (URMC) reported the loss of unencrypted devices–first a flash drive, then a laptop—that resulted in the potential exposure of more than 500 patient records.
As a result, URMC had to pay a $3 million settlement and faced a range of other actions including completing an OCR compliant risk analysis and risk management plan.
If your organization is struggling with asset inventory, you may find it helpful to download Apptega’s Asset Management Policy Template. It’s free and can be used across a range of industries, not just healthcare. Included in the template, you’ll find:
- Overview
- Purpose
- Scope
- Policy
- Audit Controls and Management
- Enforcement
- Distribution
- Related Standards, Policies, and Processes
- Definitions and Terms
You can use this template to help your organization create and maintain a comprehensive inventory of all of your assets as well as your security controls for these devices.
Some other Apptega templates that may be helpful include:
- BYOD Policy Template
- Encryption and Cryptology Policy Template
- Media Protection Policy Template
- Risk Assessment Policy Template
- Risk Management Policy Template
- Security Awareness and Training Policy Template
Interested in other templates? Check out a full list of what’s available (with more coming soon) at https://www.apptega.com/templates.
Disconnect Between Cybersecurity and Business Continuity
In ransomware attacks, attackers are able to laterally move through networks, often undetected. And unfortunately, research shows that it’s becoming increasingly difficult for many organizations to discover and stop these movements.
According to the IBM report, in 2021 it took an average of 212 days to identify a breach and upwards of 75 days to contain it. That makes the average total breach lifecycle (the time between the first detection of a breach to when it’s fully contained) about 287 days, which is about a week longer than the average breach lifecycle in 2020.
The more time these attackers spend inside your network, the more access they have to data and the more opportunities exist for them to continually thwart your defenses.
And what happens when, for example, a ransomware attack is successful? Often, entire networks are shut down and sometimes even backups are lost or encrypted fully stopping or significantly negatively impacting your ability to operate.
Yet, even with this known impact, some healthcare organizations still aren’t including cyber response in their business continuity plans. This lack of correlation between security and business goals and objectives can mean that even when you discover and contain a breach, you don’t have the proper plans in place to quickly mitigate its impact and resume operations as normal.
If your organization hasn’t included cyber resilience in your business continuity and disaster recovery plans, or if you haven’t prepared a business continuity plan at all, Apptega can help. Check out our Business Continuity Plan Template that covers:
- Purpose
- Scope
- Business Continuity Policy
- Succession Planning
- Office Locations
- Alternate Physical Location(s) of Employees
- Data Backup and Recovery
- Operational Assessments
- Mission Critical Systems
- Alternate Communications with Stakeholders
- Critical Business Constituents and Third Parties
- Related Standards, Policies, & Processes
- Definitions and Terms
We also have templates free templates available for:
- Disaster Recovery Plan
- Cybersecurity Incident Response Tabletop Exercises
- Penetration Testing Methodology
You can find all of them at https://www.apptega.com/templates.
Lack of Visibility Into Vulnerabilities and Weaknesses
Earlier we discussed challenges some organizations have when it comes to identifying and managing their assets. Similarly, many organizations, even if they know which assets they have in play, struggle with the ability to identify vulnerabilities and other security weaknesses associated with those devices.
Others just don’t know—or don’t have the staffing or resources—to tackle the ever-growing list of vulnerabilities that may or may not directly affect their organization. How do you know which vulnerabilities pose the most risk? Where do you focus your efforts first? What’s most important for your organization?
These vulnerabilities pose a range of risks for your organization and failure to discover and remediate them could result in a range of penalties and corrective actions, not just for HIPAA but for other compliance requirements such as PCI DSS or CMMC.
So where do you begin? How do you know which vulnerabilities need your attention and what should you do about them? While there is a range of options, you may find it helpful to focus on some of those that could put your organization at risk. Did you know that there are common vulnerabilities, for example, that are most frequently used in successful ransomware attacks?
Many of these vulnerabilities are within Microsoft’s Remote Desktop Protocol (RDP) and your organization may be relying on these now more than ever with remote teams and workforces as a result of the pandemic. Are your servers, systems, and files at risk?
Check out Apptega’s on-demand webinar, “Addressing the Vulnerabilities Used in 63.5% of Ransomware Attacks,” you’ll learn more about how your organization can minimize and eliminate these vulnerabilities, how to spot vulnerability indicators, and review some of the most common mistakes that could leave your healthcare organization vulnerable to an attack.
Your HIPAA Compliance Journey
Managing your risks associated with PHI and other sensitive data is certainly more complicated post-pandemic than before. And, since customer expectations for service delivery models in healthcare have changed, we will probably continue to see both continued adoption of new technologies and as a result, an ongoing, evolving and expanding threat landscape.
Managing these risks is not only important for HIPAA compliance, but it can also be critical for patient safety. Don’t be caught off guard by an unexpected breach or wait for an OCR or similar audit to discover where you have deficiencies.
Not sure where to start or how to meet all of your requirements? Download our HIPAA Compliance Guide that includes:
- HIPAA Overview and History
- HIPAA Stakeholder Roles and Responsibilities
- HIPAA Rules Breakdown
- Risks of Non-Compliance
- Security Rule Summary
- Privacy Rule Summary
- Breach Notification Rule Summary
- OCR Audit Process
- References and Supporting Materials
Need help addressing some of the most common security and privacy risks facing healthcare organizations today post-pandemic? Contact an Apptega advisor and we’ll be happy to help.