The healthcare industry is an ideal target for cyberattackers, even more so than most other industries. There are two main reasons for this:
- the value of vulnerable, highly sensitive protected health information (PHI)
- the excessively vulnerable attack surfaces and infrastructure
Unfortunately, cyberattacks can be costly to healthcare organizations, upsetting both day-to-day and long-term operations. Furthermore, not all healthcare organizations implement the safeguards HIPAA requires, leaving themselves open to attack. Such attacks wreak havoc on the industry, leading to interrupted services, degraded care, and possibly even the death of patients.
Growing threats and consequences in healthcare
According to a KnowBe4 report, the global healthcare industry experienced 1,613 cyberattacks per week in the first quarter of 2023. Such incidents can come from insider threats, opportunistic hackers, state-sponsored actors, or simple employee error. Cyberthreats and their effects vary widely, ranging from simple scams to highly sophisticated exploits, such as:
- Malware (e.g., ransomware), social engineering, and phishing
- Man-in-the-middle (MITM) attacks
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
- Zero-day attacks
- Internet of Things (IoT) attacks
Successful cyberattacks on healthcare organizations can have devastating consequences. KnowBe4 claims that the average breach cost healthcare organizations $11 million. A 2023 survey by the Ponemon Institute found that 57% of organizations reported poor patient outcomes due to such attacks. Additionally, over 20% of healthcare organizations reported increased patient mortality rates following a cyberattack.
Other consequences include shutdown services, unusable electronic record systems, high financial burdens, and patients withdrawing due to mistrust. Implementing HIPAA compliant cybersecurity measures to protect organizations from such disruptions increases patient safety and well-being. Let’s look at some recent case studies to see what happens to healthcare organizations after different types of attacks.
Case study 1: Geisinger Health System
In November 2023, Geisinger Health System discovered that a former employee of its IT service provider, Nuance Communications Inc., maliciously accessed patient data two days after he was terminated. Geisinger immediately informed Nuance, which revoked the employee's access and initiated an investigation. The health system had to notify more than one million patients that their PHI was accessed. The former employee has been arrested and faces federal charges.
An insider threat refers to the risk posed by someone who has authorized access to an organization’s systems, like the Nuance employee, but misuses that access to obtain sensitive information. Such threats erode public trust in a provider, resulting in higher operational costs and higher insurance premiums. Additionally, a patient has filed a lawsuit against Geisinger, with the attorney stating that the theft of PHI can have “grave and lasting consequences.”
If security protocols had been in place to revoke the former employee’s access, this breach and the circumstances that followed could have been avoided. Providers must withdraw employee access upon termination, ultimately preventing unauthorized access to PHI.
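The Geisinger case is, at its core, an offboarding failure: an account that should have been disabled at termination kept working for two days. One way a provider can catch that gap is to reconcile the HR termination feed against access logs and flag any successful access after an account's termination time. The script below is an added example and not Geisinger's, Nuance's, or Paubox's code; the user names, termination times, and log lines are constructed for illustration, and the log format (timestamp, user, action, resource, result) is an assumed one.

```python
"""Detect PHI access by accounts that should have been revoked at termination.

Added illustration: reconcile a constructed HR termination feed against a
constructed access log. Real deployments would pull both from the identity
provider and the EHR audit log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed HR offboarding feed: user -> termination time (UTC).
HR_TERMINATIONS: Dict[str, datetime] = {
    "vendor-jdoe": datetime(2023, 11, 1, 17, 0, tzinfo=timezone.utc),
    "vendor-asmith": datetime(2023, 10, 15, 17, 0, tzinfo=timezone.utc),
}

# Constructed access-log lines in an assumed format:
#   <ISO-8601 timestamp> <user> <action> <resource> <SUCCESS|DENIED>
ACCESS_LOG = """\
2023-11-01T15:42:10Z vendor-jdoe READ patient/884210 SUCCESS
2023-11-02T09:03:55Z vendor-jdoe READ patient/884211 SUCCESS
2023-11-03T11:20:01Z vendor-jdoe EXPORT patient/* SUCCESS
2023-11-03T11:25:44Z vendor-asmith READ patient/100002 DENIED
2023-11-03T12:00:00Z nurse-kwong READ patient/100003 SUCCESS
"""


@dataclass
class Finding:
    """A successful access by a user after that user's termination time."""
    user: str
    timestamp: datetime
    action: str
    resource: str
    days_after_termination: float


def parse_line(line: str):
    """Split one log line into (timestamp, user, action, resource, result)."""
    ts, user, action, resource, result = line.split()
    # fromisoformat() does not accept a trailing 'Z' on older Pythons, so map it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, resource, result


def find_post_termination_access(log_text: str, terminations: Dict[str, datetime]) -> List[Finding]:
    """Return every SUCCESS event by a terminated user that occurred after termination.

    Access before the termination time is legitimate; DENIED events show the
    revocation working and are reported separately by denied_attempts().
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = parse_line(line)
        term = terminations.get(user)
        if term is None or result != "SUCCESS" or ts <= term:
            continue
        days = (ts - term).total_seconds() / 86400
        findings.append(Finding(user, ts, action, resource, days))
    return findings


def accounts_needing_revocation(log_text: str, terminations: Dict[str, datetime]) -> List[str]:
    """Terminated accounts that still succeeded in accessing data: disable immediately."""
    return sorted({f.user for f in find_post_termination_access(log_text, terminations)})


def denied_attempts(log_text: str, terminations: Dict[str, datetime]) -> Dict[str, int]:
    """Count DENIED events by terminated users: revocation held, but someone tried."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _action, _resource, result = parse_line(line)
        term = terminations.get(user)
        if term is not None and result == "DENIED" and ts > term:
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_post_termination_access(ACCESS_LOG, HR_TERMINATIONS):
        print(f"ALERT {f.user} {f.action} {f.resource} "
              f"{f.days_after_termination:.2f} days after termination")
    print("revoke now:", accounts_needing_revocation(ACCESS_LOG, HR_TERMINATIONS))
    print("denied attempts by terminated users:", denied_attempts(ACCESS_LOG, HR_TERMINATIONS))
```

In the constructed data, vendor-jdoe's first read is before termination and is not flagged, while the two later events are; vendor-asmith's denied attempt shows what a correctly revoked account looks like in the same log and is worth a lower-severity alert rather than silence. Running this reconciliation daily (or on each HR feed update) turns "withdraw access upon termination" from a policy statement into a check that fails loudly when offboarding is missed.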
Case study 2: Britain's National Health Service (NHS)
In June 2024, the Russian Qilin hacking group targeted Synnovis. The organization is a private NHS joint venture that provides pathology services in Great Britain. The breach exposed highly confidential PHI, such as the results of blood tests for conditions like HIV and cancer, for over 300 million NHS patients.
A statement from the NHS Foundation Trust stated, “The cyber attack has had a significant impact on our services, and this is likely to remain the case for some time yet.” Several hospitals felt the effects of the attack weeks after the breach and even asked medical students to volunteer their time. Thousands of blood samples were discarded, and hundreds of operations were postponed.
Nation-state threat actors, sponsored by or affiliated with a governmental organization, can be very sophisticated hackers. They often have political or financial motivations. Their targets tend to be specific to agencies critical to governments, like the NHS in Britain. Preventing nation-state attacks requires organizations to stay up to date with the protocols and best practices dictated by cybersecurity experts.
Case study 3: Ascension Health
A May 2024 ransomware attack on Ascension, a prominent United States healthcare network, was due to employee error: an employee downloaded a corrupt file onto one of the organization's devices. Once inside the network, the hacker impacted critical electronic systems, including the organization’s electronic health records. The hack affected 13.4 million customers.
The healthcare network was forced to take some devices and systems offline. Furthermore, employees had to track procedures and medications manually. Non-emergent procedures were postponed, and emergency services were redirected to avoid delays.
The KnowBe4 report noted that phishing and social engineering are still the primary methods for initiating breaches, with hackers counting on employees to fall victim to their schemes. Employee training may have prevented the attack by equipping staff with the knowledge to recognize and avoid phishing attempts and suspicious downloads.
Case study 4: Baxter Welch Allyn medical devices
In May 2024, the Cybersecurity and Infrastructure Security Agency (CISA) identified remotely exploitable vulnerabilities in two Baxter Welch Allyn medical devices. Exploiting these flaws could give unauthorized access to credentials and lead to the modification of device configurations and firmware data. According to Health & Human Services (HHS), only one patch is currently available with the other accessible later in the year.
Baxter does not believe that either flaw has been exploited, but CISA and HHS recommend taking defensive measures when dealing with such product issues, such as:
- Using provided patches and updates
- Minimizing network exposure to the internet
- Applying proper network and physical security controls
- Using virtual private networks when needing remote access
Flaws such as those in the Baxter Welch Allyn products can expose sensitive information, including medical data and banking details, to unauthorized access. Medical device vulnerabilities can also lead to delayed or impaired patient care.
Case study 5: Panorama Eyecare
On June 5, 2024, Panorama Eyecare filed a notice of a data breach with HHS. The company had discovered that an unauthorized party accessed its computer network nearly a year earlier, between May 2022 and June 2023. The compromised data includes names, Social Security numbers, birth dates, driver’s license numbers, financial details, and medical information.
In the Breach Notification Rule, HHS states that “individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.” It is unknown why Panorama Eyecare waited as long as it did.
Panorama Eyecare’s late breach notification raises concerns about the potential prolonged exposure of sensitive consumer information to unauthorized parties. Such delays can increase the risks for affected individuals, allowing potential misuse of their compromised information for an extended period. Healthcare organizations must ensure timely and transparent communication in data breach response protocols.
Conclusion: prevent disrupted services with HIPAA compliant security protocols
Organizations must implement a layered HIPAA compliant security plan to prevent the spread of cyberattacks and disrupted services. Proper cybersecurity tools can enhance defenses, streamline operations, reduce costs, and keep operations running. Investing in integrated solutions and taking proactive measures helps to mitigate the risk of cyberattacks and safeguard sensitive patient data. Understanding threats and the necessary measures to protect patient privacy maintains operational stability and safeguards healthcare providers.
FAQs
What is HIPAA, and how does it relate to cybersecurity?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law designed to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA's Security Rule requires healthcare organizations to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
What steps should be taken in the event of a HIPAA breach?
Organizations should promptly investigate the breach, mitigate any harm to affected individuals, notify affected individuals and relevant authorities as required by law, and take steps to prevent future breaches. This may involve implementing additional security measures, conducting staff training, and revising policies and procedures.
Do business associates have the same responsibility as covered entities in protecting PHI?
Business associates have similar responsibilities as covered entities in protecting PHI under HIPAA. Both must ensure the confidentiality, integrity, and security of PHI. Business associates are required to implement appropriate safeguards, comply with the terms of business associate agreements, and report any breaches of PHI. While covered entities are directly responsible for PHI, business associates must also adhere to HIPAA regulations to protect patient information from unauthorized access or disclosure.