Health care data security has always been a concern. But in the last year, health care and digital safety have become even more urgent topics in government, business and in the public at large. The reason is the sudden and enormous rise in attacks, both in number and impact. Where are those health care cyberattacks coming from? And, how can cybersecurity teams protect health care data?

Health Care Data in the News

Check Point Software reports a 45% increase in attacks on health care organizations in the last two months of 2020, twice the rate seen in other verticals. HIPAA Journal counts 642 data breaches of 500 or more records in 2020, with 29,298,012 records exposed in total. Emsisoft found that 560 health care facilities were hit by ransomware in 2020.

Some of the attacks against health care data have done a lot of damage. In one attack in the U.S., some 5,000 network computers were inoperable for 40 days. The total cost of that attack was over $63 million.

Crime does pay, it seems. Ransomware gangs made at least $350 million in 2020, according to the blockchain analysis firm Chainalysis. That’s a 311% increase over 2019.

Why Health Care Data Presents Unique Problems

Health care cyberattacks are rising fast because the data is both highly sensitive and valuable. An attack that disables internal systems in this industry can threaten lives, so the incentive to pay is high.

Another factor that gets too little attention is the dramatic growth of the health care attack surface brought by new life-saving technology. The Internet of things (IoT) has introduced a wide range of connected medical devices, the Internet of medical things, and security practice for these devices is still young and largely unproven.

Medical biometrics poses unique challenges for health care, as does a new generation of medical imagery technologies. There are also significant supply chain risks when dealing with health care data.

Some hospitals hit by attacks have had to fall back on paper record keeping and faxes. Making matters worse, busy hospital staff have had little time to gauge the full extent and damage of the breaches; the true scale of the attacks on this sector will not be known for months.

A security software company called Irdeto found that 88% of executives working for Fortune 1000 medical device makers, digital and mobile health companies and telehealth providers say their organizations are unprepared for a cyber attack. That’s an alarming admission, given that 80% of these companies have suffered at least one cyberattack in the past five years. One problem is the equipment itself — only 18% believe the defense built into their medical device products is strong.

How Attackers Steal Health Care Data

Ryuk and REvil are the ransomware families most often behind these attacks. Ryuk drew wide public attention when threat actors used it against six U.S. hospitals within a 24-hour period in October 2020.

Ryuk was derived from the Hermes ransomware and first spotted in May 2018. It is operated by a Russian criminal gang known as Wizard Spider, whose specialty is very high ransoms, with the average demand exceeding a quarter of a million dollars. Ryuk arrives as a dropper that writes the payload to disk; a second executable then performs the encryption and deletes the dropper to cover its tracks.
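As an added example (not code from this article or from any Ryuk sample), the following Python sketch turns the two behaviours just described into detection logic run over a constructed telemetry stream: a process that deletes its own parent's executable shortly after launch, and a process that rewrites the extension of many files in a short window. The event format, and every path, pid and timestamp in it, are assumptions made for the example and stand in for a Sysmon- or EDR-style feed.

```python
"""Behavioural detection for the two-stage ransomware pattern: a dropper
writes a payload, and the payload encrypts files and deletes the dropper.

Added example, not code from the original article. The telemetry format
(process_create / file_write / file_delete / file_rename events with the
fields used below) is an assumption; every path, pid and timestamp is
constructed for illustration and is not an indicator from any real sample."""

import os
from collections import defaultdict

# Constructed sample telemetry. Timestamps are seconds from an arbitrary start.
SAMPLE_EVENTS = [
    # Stage 1: a dropper runs from the user's temp directory and writes the payload.
    {"ts": 0, "type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ts": 1, "type": "file_write", "pid": 100,
     "path": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    # Stage 2: the payload starts, deletes the dropper, then encrypts.
    {"ts": 2, "type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"ts": 3, "type": "file_delete", "pid": 200,
     "path": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    # Benign activity: an editor finishing a save by renaming a temp file.
    {"ts": 4, "type": "process_create", "pid": 300, "ppid": 1,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": 5, "type": "file_rename", "pid": 300,
     "old": r"C:\Users\alice\Documents\notes.txt.tmp",
     "new": r"C:\Users\alice\Documents\notes.txt"},
]
# The payload renames 40 record files in ten seconds, appending a new extension.
SAMPLE_EVENTS += [
    {"ts": 6 + i * 0.25, "type": "file_rename", "pid": 200,
     "old": rf"C:\Shares\Records\patient_{i:03d}.pdf",
     "new": rf"C:\Shares\Records\patient_{i:03d}.pdf.locked"}
    for i in range(40)
]


def _extension(path):
    """Lower-cased file extension, tolerant of Windows paths on any host."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(name)[1].lower()


def index_processes(events):
    """Map pid -> its process_create event so later events can be tied to an image."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def detect_dropper_cleanup(events, window=300):
    """Flag a process that deletes its parent's executable within `window`
    seconds of being spawned: the payload erasing the dropper."""
    procs = index_processes(events)
    alerts = []
    for e in events:
        if e["type"] != "file_delete":
            continue
        child = procs.get(e["pid"])
        parent = procs.get(child["ppid"]) if child else None
        if parent is None:
            continue
        same_file = e["path"].lower() == parent["image"].lower()
        if same_file and 0 <= e["ts"] - child["ts"] <= window:
            alerts.append({"rule": "dropper_cleanup", "pid": e["pid"],
                           "parent_pid": parent["pid"], "deleted": e["path"]})
    return alerts


def detect_extension_burst(events, threshold=20, window=30.0):
    """Flag a process that changes the extension of at least `threshold`
    files inside any `window`-second span: the bulk-encryption step.
    Ordinary editors rename one or two files at a time, so volume is the signal."""
    renames = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename" and _extension(e["old"]) != _extension(e["new"]):
            renames[e["pid"]].append(e["ts"])
    alerts = []
    for pid, times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "extension_burst", "pid": pid,
                               "count": end - start + 1, "window_s": window})
                break
    return alerts


def run(events):
    """Run both rules over an event stream and return the alerts in order."""
    return detect_dropper_cleanup(events) + detect_extension_burst(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The dropper rule on its own is noisy, because self-updating installers also delete the executable that launched them; it earns its keep when the same process also trips the burst rule, so correlate the two by pid rather than alerting on either alone. Thresholds are starting points and should be tuned against a baseline of normal file-server activity.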

REvil, named after the Resident Evil video game series and also called Sodinokibi, is ransomware-as-a-service malware that steals data, health care or otherwise, and then threatens to publish it unless the victim pays. REvil has two notable features. First, its ransom note threatens to double the demand if the victim does not pay by a deadline. Second, it offers a 'trial' decryption of sample files to prove the data can be recovered once the ransom is paid.

The Compliance Connection

The need to safeguard health care data isn’t just about patient privacy and safety, or the financial health of the enterprise. It’s also about complying with regulations.

For example, the Department of Health and Human Services (HHS) has levied nearly $130 million in fines for non-compliance with the Health Insurance Portability and Accountability Act (HIPAA). The HHS Office for Civil Rights enforces the law. It applies to covered entities (health plans, health care clearinghouses and providers that transmit health information electronically) and to their business associates, and it governs how protected health information is handled and transmitted. Covered organizations must safeguard that data and must notify affected individuals and HHS when a breach does occur.

Protecting data in a way that complies with HIPAA means maintaining the right administrative controls, policies and employee training; good practices around physical access to the machines that house data; encryption of data; auditing of user access; and good media-handling practices, including destruction of data on storage media that is no longer in use. Compliance with HIPAA means safeguarding the personal information of both patients and clients.

Other regulations health care organizations need to comply with include:

  1. 42 CFR Part 2, which protects patient records in federally funded substance use disorder treatment programs.
  2. The Federal Trade Commission Act. Section 5 of the act is used to require for-profit entities, including those in the health care sector, to take reasonable measures to secure their computer systems.
  3. Regional and national regulations, such as the European Union General Data Protection Regulation (GDPR) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), depending on where a health care group operates, provides services or sells products.

What To Do Now

Health care providers of all sizes and types should review the safeguards laid out in HIPAA's Security Rule. Take special care in preparing to thwart ransomware attacks. That means getting back to basics: enable multi-factor authentication for remote access and privileged accounts, keep current with all security patches, don't hold back on cybersecurity training, and maintain tested backups, including offline copies that you can restore quickly.
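The backup advice above is only as good as the restore you have actually tested. As an added example (not code from this article or from HIPAA guidance), here is a Python script that records a SHA-256 manifest when a backup is taken and then verifies a restored tree against it, reporting missing, altered and unexpected files. The directory layout, file names and the simulated tampering are constructed for the demonstration.

```python
"""Backup integrity and restore check: record a SHA-256 manifest when the
backup is taken, then prove a restore by hashing the restored tree and
diffing it against that manifest.

Added example, not code from the original article or from HIPAA guidance.
Directory names, file contents and the 'ransom note' are constructed for
the demo; the report layout is this example's own."""

import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large imaging files never load whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative path, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest. A restore only counts as
    good when nothing is missing, modified or unexpectedly added."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    modified = sorted(p for p in set(manifest) & set(actual) if manifest[p] != actual[p])
    return {"missing": missing, "modified": modified, "extra": extra,
            "ok": not (missing or modified or extra)}


def demo():
    """Build a small record store, back it up, verify a clean restore, then
    show what the check reports after the restored copy is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "records")
        os.makedirs(os.path.join(src, "patients"))
        for i in range(3):  # constructed patient records
            with open(os.path.join(src, "patients", f"{i:03d}.txt"), "w") as f:
                f.write(f"constructed record {i}\n")
        with open(os.path.join(src, "index.json"), "w") as f:
            json.dump({"count": 3}, f)

        manifest = build_manifest(src)           # keep this with the offline copy
        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)           # stands in for the restore job
        clean = verify_restore(manifest, restored)

        # Simulate ransomware reaching the restored copy: one file overwritten
        # with ciphertext-like bytes, one deleted, and a note dropped.
        with open(os.path.join(restored, "patients", "001.txt"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(restored, "patients", "002.txt"))
        with open(os.path.join(restored, "RANSOM_NOTE.txt"), "w") as f:
            f.write("constructed ransom note\n")
        tampered = verify_restore(manifest, restored)
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean restore ok:", clean_report["ok"])
    print("after tampering:", json.dumps(tampered_report, indent=2))
```

Store the manifest with the offline copy, or sign it and keep it on a separate system; an attacker who can rewrite the backup can rewrite a manifest that sits beside it. The verification should be run as a scheduled restore drill, not only after an incident, because the restore time it measures is what "quickly" in the advice above actually means.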

After all, health care cybersecurity can be a life-or-death matter, not just a financial or business one.
