Health care data security has always been a concern. But in the last year, health care and digital safety have become even more urgent topics in government, business and in the public at large. The reason is the sudden and enormous rise in attacks, both in number and impact. Where are those health care cyberattacks coming from? And, how can cybersecurity teams protect health care data?

Health Care Data in the News

Check Point software reports an incredible 45% increase in attacks on health care in the last two months of 2020 — twice the rate of other verticals. HIPAA Journal reports 642 data breaches of 500 or more records in 2020. They also added up the exposed records, which totaled 29,298,012. Emsisoft found that 560 health care facilities were struck by ransomware attacks in 2020.

Some of the attacks against health care data have done a lot of damage. In one attack in the U.S., some 5,000 network computers were inoperable for 40 days. The total cost of that attack was over $63 million.

Crime does pay, it seems. Ransomware gangs made at least $350 million in 2020, according to the blockchain analysis firm Chainalysis. That’s a 311% increase over 2019.

Why Health Care Data Presents Unique Problems

Health care cybersecurity attacks are rising fast because the data is so sensitive and worth a lot. An attack that disables internal systems in this industry can threaten lives. The incentive to pay is high.

Another factor not talked about enough is the dramatic increase in the health care attack surface, resulting from new life-saving technologies. The Internet of things (IoT) revolution has introduced a wide range of Internet of medical things. IoT security is somewhat new and mostly untested.

Medical biometrics poses unique challenges for health care, as does a new generation of medical imagery technologies. There are also significant supply chain risks when dealing with health care data.

In response to hospital cybersecurity becoming more important, some are responding by moving to paper record keeping and faxes. Making matters worse, busy hospital staff have had little time to fully understand the extent and damage of the breaches. We won’t even know the scale of the attacks on this sector for months.

A security software company called Irdeto found that 88% of executives working for Fortune 1000 medical device makers, digital and mobile health companies and telehealth providers say their organizations are unprepared for a cyber attack. That’s an alarming admission, given that 80% of these companies have suffered at least one cyberattack in the past five years. One problem is the equipment itself — only 18% believe the defense built into their medical device products is strong.

How Attackers Steal Health Care Data

Ryuk and REvil are the top malware culprits in these attacks. The Ryuk ransomware gained huge public attention when threat actors used it to attack six U.S. hospitals during a 24-hour period in October 2020.

It was derived from the Hermes ransomware and first spotted in May 2018. It’s operated by a Russian criminal gang called Wizard Spider. The gang’s specialty is extremely high ransoms, with the average demand exceeding a quarter of a million dollars. Ryuk malware involves a dropper that places Ryuk into a system. A second executable does the work of encryption, and also deletes the dropper.

REvil, named after the Resident Evil video game series and also called Sodinokibi, is ransomware-as-a-service malware that steals data — health care data or otherwise — then threatens to release it unless the victim pays the ransom. REvil has two strange features. First, it includes a ransom note that threatens to double the amount demanded if the victim doesn’t pay. Second, it includes a ‘trial’ decryption that proves it can decrypt the data once the victim pays.

The Compliance Connection

The need to safeguard health care data isn’t just about patient privacy and safety, or the financial health of the enterprise. It’s also about complying with regulations.

For example, the Department of Health and Human Services (HSS) has levied fines for lack of compliance with the Health Insurance Portability and Accountability Act (HIPAA) of nearly $130 million. The U.S. HHS Office for Civil Rights enforces this law. It covers all industries related to health care, and governs the digital transmission of any health data. It requires that these groups protect data, and also disclose any health care data breaches if they do occur.

Protecting data in a way that complies with HIPAA means maintaining the right admin controls, policies and employee training; good security practices around physical access to the machines that house data; encryption of data; and auditing user access and good practices around media, including the destruction of data on storage media that is no longer used. Compliance with HIPAA means safeguarding the personal information of both patients and clients.

Other regulations health care organizations need to comply with include:

1. The Code of Federal Regulations. Part 2 protects patient records in federally-funded substance abuse programs.
2. Federal Trade Commission Act. Part of this act requires for-profit entities, including those in the health care sector, to safeguard computer systems.
3. Local regulations. These include the European Union General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and others, depending on where a health care group operates, provides services or sells products.

What To Do Now

Health care providers of all sizes and types should review the suggestions and best practices laid out in HIPAA. Take special care in preparing to thwart ransomware attacks. That means getting back to basics. Enable multi-factor authentication on all relevant endpoints. Keep current with all security patches. Don’t hold back on cybersecurity training, and maintain great backups, including offline backups that you can quickly restore.

After all, health care cybersecurity can be a life-or-death matter, not just a financial or business one.