Trends for 2024: Paubox’s state of cybersecurity 2023 report
Abby Grifno December 27, 2023
This year, Paubox covered a range of breaking news events – from HIPAA violations and settlements to evolving cyberattack strategies. The healthcare space is facing new challenges but also exciting technological developments.
Here is our 2023 year-end review, our predictions and the trends we expect to see in 2024.
Our report includes:
- Most impactful breaches from 2023
- Common breach types
- Rising challenges to cybersecurity
- Evolving attack strategies
- Government initiatives and guidances
- On the frontlines: patients and providers
- Recommendations
- The big picture
Most impactful breaches from 2023
Data breaches have a wide range of impacts, from preventing patients from receiving life-saving care to financial implications that can result in hospitals shutting their doors forever. The impact of a breach can be challenging to quantify, but one of the primary metrics used is patients impacted.
Here are the 3 breaches that impacted the most patients in 2023:
- HCA Healthcare: The hospital operator announced on August 14th that it had suffered a massive breach in July. With 182 hospitals and over 2,300 sites, the breach is estimated to have impacted approximately 11 million patients across 20 states, making it among the largest ever reported in healthcare. HCA learned of the breach when data such as names, email addresses, and phone numbers was found posted online. More sensitive identifiers, such as driver's license and Social Security numbers, were not included.
- Perry Johnson & Associates: After a major data breach in March, PJ&A, which provides medical transcription services to hospitals, announced that up to 9 million patients may have been impacted. The exposed data included names, addresses, Social Security numbers, and health information. The severity of the incident helped prompt the New York Attorney General to propose new cybersecurity regulations.
- Managed Care of North America (MCNA Dental): MCNA suffered a ransomware attack that exposed 8.9 million patients' data. The ransomware group responsible, LockBit, demanded $10 million to delete the data. The ransom was not paid, and the data was published to LockBit's leak site in April.
While the above breaches showcased some of the largest numbers we've seen, smaller attacks also significantly impact patients.
Zero-day vulnerabilities
Zero-day vulnerabilities, meaning flaws that are exploited before the vendor has released a patch, can also wreak havoc. Even after a fix ships, every organization that has not yet applied it remains exposed. Many third parties, such as software vendors and operational service providers, work with hospitals and care centers, so a vulnerability in one of their products can have a lasting impact on healthcare organizations.
Google patched a Chrome zero-day in November. Although the fix was released quickly, organizations and individuals who did not update their Chrome browser could still be at risk. So far, Paubox has not reported any healthcare victims.
MOVEit Transfer and MOVEit Cloud also faced critical vulnerabilities, disclosed on May 31st and June 9th. Although patches were issued, attackers were already exploiting the first flaw before it was disclosed, and many healthcare organizations fell victim before the patch was fully rolled out. Since then, more and more organizations have announced that they were affected.
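The operational question behind both incidents is which endpoints are still running a version older than the fix. The following patch-gap check is an added example, not Paubox code; it walks a constructed endpoint inventory and reports hosts below a minimum fixed version. `MIN_PATCHED` is a placeholder, not a real Chrome release number, and the hostnames are invented. Note that hosts with a missing or unparseable version are reported as exposed rather than silently skipped, since an inventory gap is not evidence of a patch.

```python
"""Patch-gap check for a browser zero-day (added example, not Paubox code).

Given an endpoint inventory (here a constructed list of dicts) and the
minimum version that carries the fix, report hosts that are still exposed.
MIN_PATCHED is a placeholder: substitute the fixed version from the
vendor's release notes for the zero-day you are chasing.
"""
from __future__ import annotations

import re

# Placeholder minimum fixed version (assumption, not a real release number).
MIN_PATCHED = "120.0.0.0"

# Chrome-style versions: 1 to 4 dot-separated integers.
_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '119.0.6045.159' into (119, 0, 6045, 159), padding to 4 parts."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def exposed_hosts(inventory: list[dict], min_patched: str = MIN_PATCHED) -> dict[str, str]:
    """Return {hostname: reason} for hosts below min_patched.

    Hosts with a missing or malformed version are reported too (fail closed):
    an inventory gap is not evidence that the patch is installed.
    """
    floor = parse_version(min_patched)
    findings: dict[str, str] = {}
    for host in inventory:
        raw = host.get("chrome_version")
        if not raw:
            findings[host["hostname"]] = "no version recorded"
            continue
        try:
            version = parse_version(raw)
        except ValueError:
            findings[host["hostname"]] = f"unparseable version {raw!r}"
            continue
        if version < floor:
            findings[host["hostname"]] = f"{raw} is below {min_patched}"
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"hostname": "ws-radiology-01", "chrome_version": "119.0.6045.159"},
    {"hostname": "ws-er-triage-04", "chrome_version": "120.0.6099.71"},
    {"hostname": "ws-billing-12", "chrome_version": ""},
    {"hostname": "ws-pharmacy-02", "chrome_version": "120.0"},
    {"hostname": "kiosk-lobby-1", "chrome_version": "n/a"},
]

if __name__ == "__main__":
    for name, reason in sorted(exposed_hosts(SAMPLE_INVENTORY).items()):
        print(f"{name}: {reason}")
```

Run against a real export, the same function works for any product that uses dotted numeric versions; only the inventory field name and the minimum version change.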
Common breach types
Paubox also tracked some of the most common types of data breaches throughout the year. While data from December has not yet been analyzed, we can make several predictions based on what we know so far.
Here are the top breaches by type:
- Network server: According to our reports, approximately 72,402,578 individuals were impacted by network server breaches. These breaches occur when an attacker gains access to one or more servers; data may then be encrypted, exfiltrated, or both.
- Email: Email breaches impacted approximately 1,447,484 individuals. These breaches often result from phishing or from unsecured email platforms. Using HIPAA compliant email software is a solid way to ensure messages are encrypted in transit.
- Other breaches: Electronic medical records and paper or film breaches resulted in 7,523,400 patients being impacted.
Moving forward
As we head into 2024, we will likely see some of the same breach trends.
Month to month, according to the Paubox breach reports, network server breaches, email breaches, and medical records breaches have dominated the field. The reports also show that most months' totals were higher than in years past.
Threat actors are continually adapting and developing new ways to infiltrate networks. Email breaches, particularly phishing, remain a common entry point because employees are often undertrained in recognizing and reporting suspicious email activity.
We predict that breaches will continue to rise, with smaller hospitals and healthcare centers most likely to be impacted, as they often lack proper security infrastructure.
While the data is critical to understanding rising trends, it's important to note that attacks are underreported, often out of fear of the consequences. Organizations should always report breaches.
Rising challenges to cybersecurity
Paubox has covered various breaking news events throughout the year, allowing us to keep a pulse on events impacting healthcare security. Breaches are, unfortunately, just one of many challenges organizations face; changes in healthcare technology add to the security risks.
These changes open exciting avenues for advancement and treatment but also pose challenges for organizations that are slow to adapt.
According to Andy Flynn, President and Co-CEO of Healthcare Performance Group (HPG), adopting new technologies is necessary: "Technology is allowing more advanced attacks that the average user will not detect. We need to look at every point of entry and weakness in our systems. We need to adopt new tech ourselves that ensures, to any degree possible, that those systems will be difficult to attack."
The deluge of AI
While Artificial Intelligence has been part of technology and healthcare for some time, its impact is being felt more and more.
James Manyika, a researcher at Google and speaker at the 2023 HLTH Conference, focuses on using AI to diagnose conditions by spotting patterns in, for example, images of cancerous skin. This could dramatically cut down the time spent poring over images for diagnosis but has also raised concerns about privacy. Manyika cut through the noise by stating that looking for image patterns does not always require identifying data.
Nevertheless, there are other realistic concerns when it comes to AI. Some research shows that AI can be biased or limited by the data it was trained on. Manyika further warns of future "misuse and misapplication," from "individuals, or criminals, or corporations, or governments."
As with all technology, AI also poses security risks when vulnerabilities are exposed. ChatGPT, for instance, saw user accounts compromised between June 2022 and May 2023. With some employees entering sensitive information into ChatGPT, a compromised account could result in a data leak.
Pixels and third-party tools
Pixels and other third-party tracking tools also saw significant coverage this year, and it was rarely positive. A spring report revealed that 98.6% of hospital websites use third-party tracking, potentially resulting in privacy breaches, targeted advertising, and other liabilities.
Federal regulators are still catching up with the technology, but they have warned that HIPAA covered entities could face penalties and fines if found to be using pixels that disclose protected health information. They strongly encourage covered entities to cease the use of any such tracking technologies.
Even though the federal government's stance is becoming increasingly clear, that doesn't make the next steps any easier for hospitals. Many have grown reliant on third parties for operational use, and those third parties, such as Meta and Google, aren't eager to change their current tracking policies. Meta claims hospitals are responsible for any HIPAA violations.
The Office for Civil Rights (OCR) even released a letter directly naming hospitals that are still using tracking technology. With clear lines in the sand, lawsuits are continuing to pile up. According to a summer report, one firm alone was handling 50 cases related to pixel use. Paubox expects that number to grow significantly during 2024.
Cloud-based networks
Cloud-based networks have been gaining popularity in recent years. Now, more than ever, they offer hospitals the chance for significant growth, allow some workers to complete tasks remotely, and provide services unavailable on localized networks.
While there are many benefits, and some organizations may find the transition inevitable, various security risks come with the move. Cloud services are reachable from the internet by design, so a misconfiguration or a stolen credential is exposed to every attacker rather than only those already inside the network. Not every service is equally safe. Paubox provided a guide to help organizations remain HIPAA compliant once they transition.
As transitions gain momentum, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a factsheet with suggestions on how organizations can prevent, detect, map, and identify malicious activity.
Evolving attack strategies
Alongside tech advancements and potential vulnerabilities, organizations must remain exceptionally diligent against cyber attackers.
According to CISA Deputy Director Nitin Natarajan, healthcare organizations are seen as "target rich, cyber poor," meaning that many organizations have highly-valued data and limited security. Healthcare organizations often handle personally identifiable information, healthcare information, and financial information. Furthermore, because disrupting network systems could lead to delays in care, hospitals are frequently hard-pressed to comply with demands.
As a result, healthcare organizations are finding themselves targeted more than ever.
Rising attack tactics
This year, the FBI released information outlining two threat trends. First, the FBI noted attackers hitting the same victim multiple times, deploying two different ransomware variants against one organization in close succession, which compounds the damage and complicates recovery.
The FBI also noted that ransomware groups are increasingly using custom data theft tools, wiper tools, and malware to pressure victims.
Double extortion is also becoming increasingly common: the attacker exfiltrates data and then encrypts it so the victim organization cannot access it. The attacker then demands a ransom to restore the network, to refrain from publishing the stolen data, or both.
Organizations are advised not to pay ransoms: paying emboldens attackers and offers no guarantee that stolen data will actually be deleted.
Lastly, phishing is becoming increasingly common and remains a difficult threat for organizations to guard against. This year, CISA conducted a risk and vulnerability assessment of one healthcare organization to better understand how such organizations fare when confronted with realistic threats. The phishing portion of the assessment did not yield any data, but it revealed that the organization's employees were not fully trained on how to respond to phishing.
Furthermore, another report revealed that while many healthcare workers understand that privacy and security are important, many feel that protocols aren't strictly enforced and that they would not know how to respond to a potential data breach.
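The two phishing passages above (the entry point discussed under "Moving forward" and the CISA assessment here) come down to the same operational question: what can a gateway or analyst check on a suspicious message before a user has to decide? The following triage routine is an added example, not Paubox code or anything described in the CISA assessment. It reads the Authentication-Results header that a receiving mail server writes, pulls out the SPF, DKIM and DMARC verdicts, and flags the lookalike patterns training usually targets: a display name that invokes the organization's own domain while the address is elsewhere, and a Reply-To that redirects replies to a third domain. `hospital.example`, `mx.hospital.example` and the two sample messages are constructed.

```python
"""Phishing triage on message headers (added example, not Paubox code).

Parses RFC 5322 headers with the standard library, extracts SPF/DKIM/DMARC
verdicts from the Authentication-Results header written by the receiving
gateway, and returns a list of reasons the message deserves a second look.
TRUSTED_DOMAIN and both sample messages are constructed placeholders.
"""
from __future__ import annotations

import email
import re
from email.utils import parseaddr

# Assumption: the organization's own mail domain.
TRUSTED_DOMAIN = "hospital.example"

# Matches "spf=pass", "dkim=fail", "dmarc=none", etc. inside Authentication-Results.
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg) -> dict[str, str]:
    """Collapse all Authentication-Results headers into {method: verdict}.

    The first verdict seen for each method wins, which is the one added by the
    outermost (our own) gateway when headers are prepended in delivery order.
    """
    verdicts: dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in _AUTH_RE.findall(header):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def domain_of(addr_header: str) -> str:
    """Domain part of the address in a From/Reply-To header, lowercased ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list[str]:
    """Return reasons to distrust the message; an empty list means no flags."""
    msg = email.message_from_string(raw)
    reasons: list[str] = []

    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # Display name claims our domain, but the actual address lives elsewhere.
    if TRUSTED_DOMAIN in display_name.lower() and from_domain != TRUSTED_DOMAIN:
        reasons.append(
            f"display name claims {TRUSTED_DOMAIN}, address is {from_domain or 'missing'}"
        )
    # Replies are silently redirected to a different domain.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Any verdict other than an explicit pass, including a missing one, is a flag.
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method)
        if verdict != "pass":
            reasons.append(f"{method} {verdict or 'missing'}")
    return reasons


# Constructed sample messages (headers only; bodies are irrelevant to the checks).
SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@hospital.example>
To: nurse@hospital.example
Subject: Scheduled maintenance window
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=hospital.example; dkim=pass header.d=hospital.example; dmarc=pass header.from=hospital.example

Maintenance begins at 02:00.
"""

SAMPLE_PHISH = """\
From: "helpdesk@hospital.example" <support-desk@mail-secure.example>
Reply-To: verify@account-check.example
To: nurse@hospital.example
Subject: Action required: password expires today
Authentication-Results: mx.hospital.example; spf=softfail smtp.mailfrom=mail-secure.example; dmarc=fail header.from=mail-secure.example

Click the link to keep your account active.
"""

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH)):
        print(label, triage(sample) or "no flags")
```

The authentication checks only mean something when the Authentication-Results header was written by your own gateway; an attacker can insert a forged one upstream, so production filters should strip or ignore copies of the header that arrive from outside before trusting its verdicts.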
As 2024 approaches, we will likely see more methods to combat ransom attacks. Attackers will also likely roll out new strategies or programs to infiltrate and exfiltrate data.
Government initiatives and guidances
Throughout 2023, we've seen efforts from the government to keep up with new technology, circumstances, and patient privacy expectations.
There is often a lag between when events occur and when a government statement or ruling takes place. The wait is even longer to see change go into effect.
National and sector-specific strategy
In July, the Biden-Harris Administration released the National Cyber Workforce and Education Strategy, which prioritized cyber education as both a workforce tool and an individual skill. More recently, HHS released a strategy paper specifically for healthcare cybersecurity, which follows in the footsteps of the workforce and education strategy and the Administration's National Cybersecurity Strategy.
Paubox expects the HHS cybersecurity strategy document to be further updated and specified in 2024. For now, it focuses on:
- Establishing voluntary cybersecurity performance goals
- Providing resources to incentivize the implementation of cybersecurity best practices
- Implementing HHS-wide strategy to improve enforcement and accountability
- Expanding the HHS to become a "one-stop shop" for the sector's cybersecurity
Guidance from CISA
Several guides and mitigation suggestions have been released by various government organizations.
Paubox found one of the most comprehensive guides was released by CISA and focuses on threats specific to the healthcare sector. The 25-page document covers the following mitigation areas:
- Asset management and security
- Identity management and device security
- Vulnerability, patch, and configuration management
The document also discusses another effort, Secure by Design, which concentrates on building security features into healthcare systems.
In the early fall, the Joint Commission released a Sentinel Event Alert about the importance of quickly responding to cyberattacks. They note the significance of accurately reporting and preparing for attacks; in the healthcare sector specifically, failing to prepare or respond can result in patient harm.
Preparation includes:
- Evaluate hazard vulnerability analysis
- Create a downtime planning committee
- Develop downtime plans and procedures
- Designate response teams
- Train team leaders, teams, and all staff on downtime operations
- Establish situational awareness with effective communication with patients
- Evaluate response after the attack
New resources
The government has provided several new resources to help healthcare organizations prepare for attacks, educate their workforce, and quickly recover. Here are some of the top resources available:
- HHS educational resources: the HHS Task Force released three educational resources providing workforce education, cybersecurity practices, and a report on the state of hospital cybersecurity.
- CISA & HHS Cybersecurity Toolkit: In a collaborative effort to prevent cyberattacks in healthcare, the toolkit features a cyber hygiene service, best practices, and a security implementation guide.
- HHS OCR telehealth resources: With the rapid rise of telehealth, the OCR has released guidances for patients and practitioners on best practices for telehealth operations.
- HHS Security Risk Assessment Tool: The HHS has released a tool designed to help healthcare providers evaluate and manage the security of their health information. The tool can be downloaded and provides a step-by-step process to identify and address vulnerabilities.
- HSCC Incident Response Template: The Cybersecurity Work Group has released a template designed to ensure continuity of care for patients if a cyberattack occurs.
- #StopRansomware advisories: Coordinated through the U.S. Joint Ransomware Task Force (JRTF), these are ongoing alerts describing specific ransomware groups and their tactics. The JRTF tracks ransomware attacks and the attackers' strategies to better prepare the healthcare sector.
Preparing for 2024
In the new year, we expect some of these changes – particularly HHS's "one-stop shop" - to go into effect. We will also hopefully see more relevant resources to tackle sophisticated phishing and ransomware events. More guidance regarding pharmacy medical records and reproductive rights will also likely be released.
On the frontlines: patients and providers
If anyone feels the effects of cybersecurity failures the most, it's patients and providers. This year has seen a rise in lawsuits over data breaches. A multitude of factors contribute to this, namely the increasing number of cyber incidents and the public's growing awareness of proper privacy practices.
Many patients feel the impact of data breaches –from being unable to receive care to being threatened by a malicious organization or having their private data released on the dark web.
Paubox spoke to several experts on the frontlines of healthcare cybersecurity for their expectations in 2024.
New challenges in 2024
According to Dean Hoffman, IT Manager at Path Mental Health, the largest challenge facing the healthcare sector is ransomware. "Organizations need to be very vigilant against the bad actors' methods. This includes phishing, smishing, and any other methods the bad actors use." Education should be a priority, says Hoffman, so that "employees can identify [threats] and report them accordingly."
Andy Flynn, President and Co-CEO of Healthcare Performance Group (HPG), says the complexity of attacks has posed renewed challenges. "For many in cybersecurity, spotting a phishing attack in the past was simple, but I believe those days are over. You can't count on emails with sloppy spelling, weak spoofing, and other obvious attacks anymore…The new attacks are more complex," Flynn says.
Tony Cox, Chief Information Officer at Henderson Behavior Health, agrees with these challenges. "I feel that the threat actors are both growing in number and growing in skillset/success rate."
Cox notes that for those in IT, patches have to be available. While Cox can act quickly when a threat is reported, he says he relies "on the security community developing and making available to my team a proper path." Unfortunately, he fears that vulnerabilities are not being fixed as quickly as they have been in the past.
Ryan Winchester, Director of IT at Heritage Management Services, says any healthcare organization is only "as strong as the weakest employee, meaning they still write passwords on paper at their desks and click on links in emails." Winchester cites a Deloitte study which found that "91% of all cyberattacks begin with a phishing email." While phishing is a huge problem, constantly having IT check the validity of every email can lead to lags in communication. "There is a fine line," he says.
Even so, Hoffman says that every threat should be taken seriously. "One breach, depending on scale, could shut an organization down without being able to recover," he warns.
The path to security
While the challenges are steep, those in the field work hard to keep attackers at bay.
Winchester says Paubox has specifically been able to ease Heritage Management Services' burden, "Paubox, I would say, cut out 98% of phishing emails, which is also a huge step in the right direction."
Hoffman also recommends that organizations enforce two-factor authentication, including SMS and phone calls, and deploy security keys.
Flynn says that HPG makes a point of working "with outside organizations to help us review all our systems and weak areas, update our policies and procedures, and make changes to improve our security." Flynn says the work can't stop, "We must continue to do this every year to ensure we keep up and stay ahead where possible."
Winchester also advises patients to take security seriously, "We all take it for granted that our provider is secure, we don't even question if a hospital or doctor's office doesn't leave paper laying around or has updated fully patched computers and firewalls."
Recommendations
While an array of resources exists, not all are created equal. Paubox recommends looking at the resources provided on our webpage, which offer specific, data-backed guides on security strategy and threat actors.
Unfortunately, one of the biggest gaps we see is in implementation. While many know the importance of security, employees often hold subpar standards in the workplace. Training, testing, and monitoring can help ensure that employees understand the implications of an attack and the methods for preventing one.
With the prevalence of phishing, organizations must work diligently to secure their email. Paubox takes out the guesswork by working seamlessly with the email systems employees already use. No intensive training is necessary.
Learn more: Start for free with any Paubox solution.
The big picture
As we move into 2024, we predict we will see some of the same trends continue; lawsuits will likely increase, as well as crackdowns against those who fail to uphold HIPAA compliance.
Many predict that ransomware will continue to be a rising problem, with novel ways of execution. With millions impacted, network security and email security remain areas of deep concern.
Technology continues to improve, both for the sector and for the attackers. Organizations should pay close attention to new types of breaches and privacy challenges created by technology. Despite the frequent demands for changes to HIPAA, the law will take some time to catch up with innovation.
Paubox will continue to monitor current and rising trends, new breaches, lawsuits, and technological developments to keep you in the loop. In turn, your company will be better able to protect patients and employees alike.
With diligence and effort, every healthcare organization can set a high standard of security and prevent breaches from interfering with patient care.
Go deeper: Keep up with the latest cybersecurity news with Paubox.