April 10, 2024
Ransomware and Cyber Threats in Healthcare
- by Shanon Moore, Director, OSHA/HIPAA Compliance
Malware, ransomware, and phishing are serious threats to computer systems: ransomware denies access to data, and phishing uses fake emails to spread malicious links. Healthcare organizations are particularly at risk because of the sensitive patient data they hold, and recent years have seen a sharp increase in cyber-attacks reported to the Office for Civil Rights (OCR). To combat these threats, HIPAA requires healthcare entities to implement security measures and provide employee training. DoctorsManagement now offers specialized training to help staff recognize red flags and prevent attacks and breaches before they happen.
What is Malware?
Malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system and its data.
What is Ransomware?
Ransomware is a type of malicious software that attempts to deny access to a user’s data until a ransom is paid. This is usually accomplished by encrypting the data with a unique key known only to the hacker who deployed the malware. Hackers may direct the user to pay the ransom in order to receive a decryption key, or they may deploy ransomware that destroys the user’s data.
What is Phishing?
Phishing is the practice of sending what appears to be a legitimate email that carries malicious links, and it may be considered the most prevalent cybersecurity threat currently posed to healthcare.
Cyber Threats on the Rise
According to the Office for Civil Rights (OCR), “Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable”. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.
OCR recommends that health care providers, health plans, clearinghouses, and business associates covered by HIPAA take steps to mitigate or prevent cyber threats. The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that define an organization’s response and recovery methods in the event of a ransomware attack. Entities should consider maintaining offline backups and periodically exercising their recovery procedures to verify that data can actually be restored.
Recent Settlements and Data
In 2023, healthcare organizations experienced 725 data breaches, with over 133 million health records breached. Hacking was cited as the cause of many of these incidents, prompting HHS to identify the Cybersecurity Performance Goals (CPGs). CPGs are voluntary, healthcare-specific practices that help organizations prioritize cybersecurity best practices and strategies.
In February 2024, the HHS Office for Civil Rights reached a settlement with a practice that reported a breach due to ransomware infecting its network server. This ransomware attack resulted in the data and PHI of more than 14,000 individuals being hacked and encrypted. The practice agreed to pay $40,000 and implement corrective actions that will be monitored by OCR for three years.
In March 2024, the HHS Office for Civil Rights issued a letter addressing the cybersecurity incident impacting a unit of UnitedHealthcare Group (UHG) and other healthcare entities. This cyberattack disrupted health care and billing operations nationwide.
Training Solutions from DoctorsManagement
Employee negligence, even when unintentional, is a primary contributor to exposing an organization’s data. Healthcare organizations store large amounts of sensitive data about their patients, and data theft is a common goal of attackers targeting healthcare organizations. Training employees regularly reinforces their critical role in protecting privacy and security. While HIPAA requires that an entity’s employees receive appropriate security training, cyber threats have become more aggressive and sophisticated, so that training must keep pace. DoctorsManagement has created Security and Phishing Awareness training that gives employees a unique, interactive experience with practical tools and tips to spot attacks and stop data breaches.