Companies in any industry can be susceptible to data breaches. Despite the ongoing pandemic which has many people working from home, cyberattacks aren’t slowing. This goes to show that cybercriminals will stop at nothing to steal your information and disrupt the status quo. At a time when people should be working together to combat a global crisis, there are individuals out there who see an opportunity to take advantage of others.
Perhaps the most despicable of these attacks are carried out against health care companies, the very organizations that need the most support during a pandemic. Their workers are on the frontlines working incredibly hard to save lives. But where most people see a brave group of health care workers, others see an opportunity.
The health care field is a significant target for cyberattacks. Why? On a day-to-day basis, health care organizations handle a vast amount of sensitive information. Protected health information (PHI) can include a person’s demographics, medical history, test and lab results, mental conditions, insurance information, and other data. This information is so private that the U.S. government imposes two strict regulations, HIPAA and HITECH, on how health care companies handle it.
You already know what the health care industry is, but what’s a data breach? A data breach occurs when confidential information gets released (intentionally or unintentionally) to an untrusted environment. A data breach can happen to an organization of any size, and the stolen data need not be related to a person’s health; it can include credit card numbers, trade secrets, proprietary information, or any other confidential materials.
Data breaches that affect health care companies are especially damaging to the victims. A hospital, for instance, needs to hold a vast amount of information about every person that they serve, including health records, social security numbers, addresses, and more.
Health care providers can reduce the risk of data breaches by teaching employees how to properly dispose of documents and how to identify phishing attacks. They also need to comply regularly and completely with HIPAA, HITECH, and other regulations mandated by the government, since these are designed to protect people.
Data breaches have not slowed in 2020. In fact, they’ve occurred at a steady pace. To put this into perspective, here are five of the largest health care breaches of 2020 (so far). As you read, keep in mind that these numbers represent real people who have fallen victim and had their information stolen.
Top Data Breaches
- Health Share of Oregon (January 2, 2020): A laptop was stolen from one of Health Share’s vendors and put 654,000 patients’ information at risk because the laptop was not encrypted.
- Florida Orthopaedic Institute (April 9, 2020): The personal information of about 640,000 patients was compromised in this data breach. A ransomware attack encrypted data stored on FOI’s servers, and the attackers had retrieved that data beforehand.
- Elite Emergency Physicians (April/May 2020): This provider had a vendor that improperly disposed of their patients’ records, and the resulting breach affected 550,000 patients.
- Magellan Health (April 6, 2020): One of their servers was compromised after a phishing scheme impersonating a Magellan client successfully downloaded credential-stealing malware. Hackers were then able to steal data before delivering a ransomware payload. Close to 365,000 patients and employees were affected. This was not the first time an attack of this type has affected Magellan.
- BJC HealthCare (May 1, 2020): 287,876 patients were affected by a breach resulting from a phishing attack. Three employees were unaware of this attack and fell right into its trap, giving the attackers access to their email accounts and allowing them to steal medical records, account numbers, Social Security numbers, and health insurance data. The attackers had access for only one day before the security team detected the breach.
- University of California San Francisco (June 2020): The School of Medicine paid $1.14 million to recover data on several of their servers that had been encrypted by NetWalker ransomware.
- Blackbaud (August 2020): A ransomware attack affected an organization associated with the Northern Light Health Foundation, compromising the data of 657,392 donors, potential donors, and patients.
- Universal Health Systems (October 2020): Computer systems across UHS’s 250+ facilities went down after a suspected ransomware attack. Test results, medical history, and other digital information were inaccessible to medical personnel, forcing them to resort to pen and paper for records.
These few examples provide some insight into what can happen when even one person in a much larger organization makes a mistake. It can be something as simple as improperly disposing of records or clicking a link in a legitimate-looking phishing email. In fact, in 2019, nearly one-third of all data breaches involved phishing in one way or another. Something so small and simple to avoid can jeopardize the futures of hundreds of thousands of people when overlooked.
The Threat of Ransomware
You may have noticed that several of these data breaches involved ransomware. Ransomware often finds its way onto a computer system through successful phishing attacks that trick users into downloading it. If downloaded and not quarantined by antivirus, the software takes information, encrypts it so that it is inaccessible to the user or the owner, and then holds it “ransom.” The victim is told they have to pay a certain amount of money—usually in the form of a harder-to-trace cryptocurrency—to get their information back.
This type of malicious software continues to be a significant threat to the health care industry and the world at large. According to Check Point Research, the third quarter saw a 50% increase in ransomware attacks compared to the first half of 2020. In the health care industry specifically, there has been a nearly twofold increase in organizations being affected by ransomware.
When it comes to protecting yourself from ransomware, we’ve actually written a blog on the best way to protect yourself.
But how about protecting yourself from phishing attacks? You can’t stop attackers from trying to trick you, but you can educate your employees. Something as simple as having them read our short blog on identifying phishing emails is one place to start. Another is to start critically examining your cybersecurity practices. Are your systems and networks adequately protected from theft or damage? Can one employee’s mistake grant a hacker the keys to the castle, or are there policies in place to limit the damage? Finally, are you ensuring that you are patching known flaws? The Department of Homeland Security’s CISA recently warned that patch management needs to improve in the health care industry. This is an example of easy-to-avoid but easy-to-overlook vulnerabilities. In summary, following the cybersecurity industry’s best practices is key to avoiding data breaches.
If you’re interested in getting additional help securing yourself against threats to your health care company, our team at Machado Consulting is more than happy to show you! You can reach us here or at (508) 453-4700.