Health care data security has always been a concern. But in the last year, health care and digital safety have become even more urgent topics in government, business and in the public at large. The reason is the sudden and enormous rise in attacks, both in number and impact. Where are those health care cyberattacks coming from? And, how can cybersecurity teams protect health care data?

Health Care Data in the News

Check Point Software reports an incredible 45% increase in attacks on health care in the last two months of 2020 — twice the rate of other verticals. HIPAA Journal reports 642 data breaches of 500 or more records in 2020. They also added up the exposed records, which totaled 29,298,012. Emsisoft found that 560 health care facilities were struck by ransomware attacks in 2020.

Some of the attacks against health care data have done a lot of damage. In one attack in the U.S., some 5,000 network computers were inoperable for 40 days. The total cost of that attack was over $63 million.

Crime does pay, it seems. Ransomware gangs made at least $350 million in 2020, according to the blockchain analysis firm Chainalysis. That’s a 311% increase over 2019.

Why Health Care Data Presents Unique Problems

Health care cybersecurity attacks are rising fast because the data is so sensitive and so valuable. An attack that disables internal systems in this industry can threaten lives. The incentive to pay is high.

Another factor not talked about enough is the dramatic increase in the health care attack surface, resulting from new life-saving technologies. The Internet of things (IoT) revolution has introduced a wide range of Internet of medical things. IoT security is somewhat new and mostly untested.

Medical biometrics poses unique challenges for health care, as does a new generation of medical imagery technologies. There are also significant supply chain risks when dealing with health care data.

As hospital cybersecurity becomes more important, some are responding by moving to paper record keeping and faxes. Making matters worse, busy hospital staff have had little time to fully understand the extent and damage of the breaches. We won’t even know the scale of the attacks on this sector for months.

A security software company called Irdeto found that 88% of executives working for Fortune 1000 medical device makers, digital and mobile health companies and telehealth providers say their organizations are unprepared for a cyber attack. That’s an alarming admission, given that 80% of these companies have suffered at least one cyberattack in the past five years. One problem is the equipment itself — only 18% believe the defense built into their medical device products is strong.

How Attackers Steal Health Care Data

Ryuk and REvil are the top malware culprits in these attacks. The Ryuk ransomware gained huge public attention when threat actors used it to attack six U.S. hospitals during a 24-hour period in October 2020.

Ryuk was derived from the Hermes ransomware and first spotted in May 2018. It’s operated by a Russian criminal gang called Wizard Spider. The gang’s specialty is extremely high ransoms, with the average demand exceeding a quarter of a million dollars. Ryuk malware involves a dropper that places Ryuk into a system. A second executable does the work of encryption, and also deletes the dropper.

REvil, named after the Resident Evil video game series and also called Sodinokibi, is ransomware-as-a-service malware that steals data — health care data or otherwise — then threatens to release it unless the victim pays the ransom. REvil has two strange features. First, it includes a ransom note that threatens to double the amount demanded if the victim doesn’t pay. Second, it includes a ‘trial’ decryption that proves it can decrypt the data once the victim pays.

The Compliance Connection

The need to safeguard health care data isn’t just about patient privacy and safety, or the financial health of the enterprise. It’s also about complying with regulations.

For example, the Department of Health and Human Services (HHS) has levied nearly $130 million in fines for lack of compliance with the Health Insurance Portability and Accountability Act (HIPAA). The U.S. HHS Office for Civil Rights enforces this law. It covers all industries related to health care, and governs the digital transmission of any health data. It requires that these groups protect data, and also disclose any health care data breaches if they do occur.

Protecting data in a way that complies with HIPAA means maintaining the right admin controls, policies and employee training; good security practices around physical access to the machines that house data; encryption of data; auditing of user access; and good practices around media, including the destruction of data on storage media that is no longer used. Compliance with HIPAA means safeguarding the personal information of both patients and clients.

Other regulations health care organizations need to comply with include:

  1. The Code of Federal Regulations. Part 2 protects patient records in federally-funded substance abuse programs.
  2. Federal Trade Commission Act. Part of this act requires for-profit entities, including those in the health care sector, to safeguard computer systems.
  3. Local regulations. These include the European Union General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and others, depending on where a health care group operates, provides services or sells products.

What To Do Now

Health care providers of all sizes and types should review the suggestions and best practices laid out in HIPAA. Take special care in preparing to thwart ransomware attacks. That means getting back to basics. Enable multi-factor authentication on all relevant endpoints. Keep current with all security patches. Don’t hold back on cybersecurity training, and maintain great backups, including offline backups that you can quickly restore.

After all, health care cybersecurity can be a life-or-death matter, not just a financial or business one.
