September was a challenging month for healthcare cybersecurity professionals.
According to the HIPAA Journal, there were 95 reported healthcare data breaches with 500 or more records breached that month. That’s nearing twice the highest single-monthly report in the past year—53 in October 2019—and almost 157% more than the previous month, August 2020, with 37 reported breaches.
Maybe even more unsettling is the significant increase in the number of compromised records—approaching nearly 10 million for September 2020 (9,710,520) compared to more than 2 million compromised records in August.
Exposed record numbers for much of 2020 have been at or above the 1 million mark each month, compared to the final months of 2019, where compromised records ranged in the 600,000s, with pre-COVID numbers in December 2019 and January 2020 falling well below the half a million mark.
These breaches range from hacking to theft or loss.
The Blackbaud Breach
What happened in September 2020 that pushed numbers so high? Much of the damage is attributed to a data breach that originated with philanthropy database company Blackbaud, which serves a number of higher education, nonprofit groups, and healthcare providers.
Blackbaud became aware of a ransomware attack in May. Attackers intended to prevent access to the company’s data, but Blackbaud team’s stopped it without a service disruption. Unfortunately, attackers exfiltrated user data and then demanded a ransom to destroy it, which Blackbaud agreed to pay. The company said it received “credible information” the attacker destroyed the stolen data, but has not released details on how much it paid for the ransom.
And while the Blackbaud breach compromised a staggering number of records, it’s not the largest breach nor most costly in healthcare history. That unfortunate top spot goes to Anthem for a 2015 breach that affected some 78 million records and, according to my analysis in my forthcoming book Stop the Cyber Bleeding, cost the company more than $424 million in OCR notification costs, security improvements, credit protection fees, settlement fees, and class action law suit settlements.
Why is Healthcare Targeted?
Bad actors continue to target healthcare records because they’re highly valuable. Attackers generally have one goal for their nefarious activities, and that’s to make as much money as quickly as possible.
Since healthcare entities have millions of medical records, and those records contain a gamut of personally identifiable (PII) and protect health information (PHI), it’s a potential windfall for a successful breach.
Attackers can sell stolen data on the dark web. It can be used to infiltrate other accounts and fuels identify theft, where there are more than 2 million victims each year. And, in most cases, it takes on average $13,000 for a victim to recover from identity theft.
Interestingly, it’s not just medical records they’re after. Bad actors also target medical devices and medical images.
So, as a healthcare entity, what can you do to decrease the chance of a breach and keep your sensitive data safe?
Comprehensive privacy and security measures need an evolving focus, one that incorporates attention to compliance, security and enterprise cyber risk management (ERCM), patient safety, and medical professional liability.
As a healthcare entity, your responsibilities are three-fold:
- Ensure there’s not an unauthorized disclosure of or access to this information.
- Ensure that an unauthorized person cannot modify, delete, or change this information.
- Ensure the information is accessible and accurate when it’s needed and it remains stored where it should be.
You can remember these core responsibilities simply as: Avoid the compromise of CIA— confidentiality, integrity, and availability.
Don’t Compromise CIA
These core responsibilities—ensure the confidentiality, integrity, and availability of ePHI—are foundational to any security program and a core requirement of the HIPAA Security Rule at 45 CFR §164.306 (a)(1):
Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
Here’s how to think about these core requirements on a personal level:
- Confidentiality: What happens if my personal, intimate information is shared?
- Integrity: What if my sensitive information is not complete, up-to-date, and accurate?
- Availability: What if my sensitive information is not there when it’s needed?
If you closely consider the requirements of CIA, you can easily draw correlations between patient information and patient safety. Any compromise of CIA can have an adverse effect on quality of care, safe care and/or timely care. That makes what historically has been treated as “an IT problem” a business risk management issue.
Now, let’s take a look at some of the ways breaches can occur within your core CIA.
On the Front Lines with CIA
Just a bit ago we mentioned three core responsibilities for healthcare data security. The first, ensuring there’s not an authorized disclosure of or access to this information, is confidentiality.
Confidentiality is important because, as we discussed with some recent breaches, medical records contain PHI, PII, and other sensitive data. This data is covered by a variety of regulations, such as HIPAA, and failure to meet those standards could result in healthy fines and possible civil and criminal penalties.
We mentioned the Anthem breach, which compromised almost 80 million patient records and emphasizes the critical role of confidentiality.
The Anthem breach originated not long after the company, formerly known as Wellpoint, changed its name. In early 2015, employees received an email that looked like it was from Wellpoint, asking them to complete paperwork. When users clicked the link, it downloaded malware that logged keystrokes, giving attackers access to login credentials such as usernames and passwords.
How did employees fall the phishing scheme? It was well-orchestrated where attackers replaced two letters—the Ls within the URL with the numbers 11, making what looked official, wellpoint.com, actually a malicious link.
Anthem is just one example. There have been thousands of healthcare breaches during the last 10 years with about 94% of U.S. hospitals affected and where phishing remains one of the most efficient attack methods. The more tailored attackers make the phishing email, like the URL in the Anthem (then Wellpoint) attack, the higher chance it is that it will be successful.
Now let’s look at the second: integrity. In this scenario, when we discuss integrity, we’re talking about verification that your protected data is not altered.
Unfortunately, unlike a confidentiality breach, an integrity breach may not be as obvious and harder to detect.
Integrity breaches are less common than confidentiality breaches, but they can be more dangerous. Why? Because an integrity breach, for example, modification of lab results or medical images, could affect patient care and result in patient death.
Here’s an example of a integrity-based attack: Cybersecurity researchers based in Israel were able to successfully hack into a radiology lab at a hospital and then compromise it’s picture archiving and communications (PACS) network in less than 30 seconds.
Once inside, they successfully created fake CT scans, including scans that showed healthy patients with tumors, and patients with cancer as tumor-free.
While most attackers are looking for monetary gain—most aren’t focused on malicious death for innocent patients—it does expose an increasing range of vulnerabilities within medical imaging services, which is likely to continue to grow as technology advances and becomes more interconnected.
Finally, there’s the issue of availability. When it comes to healthcare data security, this means ensuring data is accessible by authorized users when it’s needed.
Unlike integrity breaches, availability breaches are more obvious and they can cause significant harm to patients, including death.
For example, if a healthcare provider can’t access important data from a medical device, it could significantly impact the provider’s ability to provide timely, accurate care, or if the device fails, it could result in patient death.
Availability breaches are likely to increase as healthcare increases dependency on connected medical devices—everything from patient wearables like pacemakers to other devices that function within healthcare facilities, such as MRI and CT machines.
It’s estimated there are least 15 million medical devices in use in the U.S. and unfortunately, many of these devices are outdated, unpatched and unprotected, and run by proprietary operating systems that leave them susceptible to attacks.
Here are some examples of proven attacks targeting medical devices:
- Muting alarms
- Activating false alarms
- Manipulating display data
- Restoring system
- Ransomware
- Patient-to-image disruption
- Mechanical disruption of motors
- Disruption of results
- Altering results
- Leaking patient information
- Denial of service
A well-known example of an availability breach is the WannaCry ransomware worm back in 2017. The worm spread for four days before a researcher successfully stopped it. Yet it already affected more than 200,000 computers in 150 countries, resulting in an estimated $8 billion in damages.
Here in the U.S., an Ear, Nose and Throat (ENT) and hearing center in Michigan experienced a similar ransomware attack in 2019, in which attackers successfully encrypted all of the providers’ patient medical records. Attackers demanded $6,500 in ransom to decrypt them. When the center’s owners refused to pay, attackers deleted all the patient records—everything from appointment schedules to PHI. Instead of rebuilding, the owners retired.
While ransomware is a proven successful availability attack, there are other versions, such as denial of service as a DoS or DDoS attack, or other malware and similar infiltrations.
Are Cyber-driven Patient Safety Risks Real?
When it comes to patient safety, are CIA compromises and resulting patient safety risks real or theoretical?
First, these types of hacks are sometimes proof of concept (PoC) attacks—where researchers and others just want to see what’s possible or probable, but PoC attacks give insight into other attack methods. And, it’s important to point out that when researchers reveal a PoC, even if at first it seems far-fetched, attackers are almost always looking for realistic and damaging variations.
Second, attacks must make sense for the attacker. As we mentioned earlier, most attacks are fueled by a common thread—a drive to make money. While attackers can participate in malicious behaviors that kill patients, for example, preventing a pacemaker from functioning properly—most attackers would rather take actions that can provide them with big financial payoffs.
And finally, it’s important to remember there is a lot of redundancy in hospital systems, and that’s a good thing. Because of these redundancies, it is a bit easier to spot when something is off or goes wrong. For example, because practitioners understand that errors happen, such as a problem with lab results, they have redundancies in place to double-check these results. When something remains off or askew, many will retest. If the results come back differently, there may be an accuracy issue. However, if a retest reveals the same results, it’s likely correct.
The same can be said for your cyber risk analysis and cybersecurity programs. Effective management, routine analysis, and redundancies can help ensure you don’t compromise the CIA—confidentiality, integrity, and availability—of your sensitive and protected data.
If current trends continue, we can count on cyber criminals continuing to come up with even more clever ways to compromise even more sensitive data, systems, devices in the future.
Want to take a deeper dive into these issues? Keep an eye out for the November release of my new book, Stop the Cyber Bleeding: What Healthcare Executives Need to Know About Enterprise Cyber Risk Management (ERCM). In Stop the Cyber Bleeding, I share 35 years of insight into global healthcare, including the significant deficiencies in how organizations approach compliance and cyber risk management.
I also encourage you to review a special on-demand webinar with Dr. Benoit Desjardins, associate professor of radiology at the Hospital of the University of Pennsylvania. In our recent discussion of patient safety and cyber risk, we take a closer look at the issues discussed in this blog and offer guidance on how you can work to stay ahead of attack.