Data breaches in the healthcare industry have been on the rise in recent years. Attackers keep finding new ways to get past the perimeter, steal sensitive information at scale and extort the organizations that hold it. Insider leaks and human error also contribute to this upward trend. Part of the problem is simply that it is getting easier for attackers to turn a quick buck. Ransomware is now an established favorite, and ransomware-as-a-service (RaaS) lets even inexperienced attackers pick from a selection of ready-made variants and wreak havoc on organizations without writing any code of their own.

Threat actors are commercializing RaaS platforms and keeping them updated with the most effective tools for compromising a company. Offensive tooling does not even have to be built in-house: the December 2020 theft of FireEye's red team tools showed that attackers will also take it from industry leaders (1).

With stringent HIPAA security and privacy regulations, the impact of such breaches can be catastrophic for a healthcare institution. When electronic medical records are stolen, sensitive patient information is at risk of being sold on the darknet to criminals looking to steal identities. This is why so many healthcare institutions end up paying to get their data back, and the bad guys are banking on it. Paying is no longer a simple business decision, however: in late 2020 the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory to companies that provide services to ransomware victims, warning them of the potential "sanctions risks" of facilitating ransomware payments (2). A payment that reaches a sanctioned actor can expose the victim and anyone facilitating the payment to civil penalties, so US organizations must weigh the decision to pay carefully rather than treat it as a routine cost of recovery.

According to Roger Severino, director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, "Our HIPAA breach reports have seen a significant uptick in hacking incidents. Sixty-two percent (62%) of our large breach reports from 2019 to year to date are hacking incidents. Providers really need to take these threats seriously." (3)

Veristor recommends that you routinely review the OCR data breach portal to see how healthcare providers are being compromised and how many records each breach affected.

To combat attackers and close security gaps, it is important to understand a healthcare organization's attack vectors and the impact of a breach, and to mitigate threats with a risk-based approach. Identifying security weaknesses before they become data breaches takes knowledge of the threat landscape and a thorough assessment of the organization's security posture.

As Protenus, Inc. Cofounder and President, Robert Lord noted, “Healthcare executives, at a fundamental level, should stop thinking about security and privacy as a cost center and more as a strategic pillar of their organization.”

To help paint a picture of the current cybersecurity climate in the healthcare industry, we have put together some illuminating figures that may surprise you. To learn more about defending your organization from cyber threats, read this page and schedule a consultation with one of our experts.

Resources:
(1) https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
(2) https://www.dlapiper.com/en/us/insights/publications/2020/10/new-ofac-guidance-for-ransomware-payments/
(3) https://www.databreachtoday.com/universal-health-services-network-outage-lessons-to-learn-a-15096?rf=2020-10-02_ENEWS_SUB_DBT__Slot1_ART15096