Healthcare Cyber Attacks Affect Roughly 12% of the U.S. Population So Far This Year
From January 1, 2023, to July 31, 2023, there have been almost 300 reportable “hacking/IT incidents” according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights’ breach portal. The number of medical records breached adds up to just under 41 million. With a population of just under 332 million, and assuming these records have no overlap and all belong to U.S. citizens, roughly 12% of the U.S. population has had a medical record breached this year alone. What is even more concerning is that this figure covers only the roughly 300 hacking/IT breaches that are reportable to HHS. What about the non-reportable breaches, the undiscovered ones, and the ones that simply were not reported?
"Many medical records breaches are unreported, non-reportable or undiscovered."
Healthcare Cyber Attacks Compared to Prior Year
The same timeframe in 2022 showed approximately 190 reportable breaches, amounting to approximately 22.5 million medical records breached, for the same types of incidents. Based on this data, we can clearly see that more records are being reported as breached this year than last year. The question is, why?
Five Factors Influencing Healthcare Cyber Attacks
In our time working with healthcare organizations, we have found several factors driving these increases:
Poor risk assessments
The risk assessments we see do not give leadership what it needs to make quality decisions. When we review the HHS Enforcement Highlights site, we can reasonably conclude that the risk assessments in those cases should have surfaced information that could have been used to mitigate the activities before they occurred.
Training
A look at the HHS.gov “All Case Examples” page clearly shows that human mistakes have led to many of the issues. These mistakes should have been mitigated through proper training. Social engineering attacks have doubled this year and are very successful. I am roughly 80% effective in gaining system access using social engineering attacks when hired to test employees. Review the Verizon Annual Breach Report and note the following table. You must build a strategy around social engineering attacks.
Ransomware
My company gets at least one call per week from organizations that have had ransomware attacks. If they have not properly prepared for the attack in advance, they are likely to lose data. Even when they pay the ransom, they will not get all of the data back.
Poor account management and privilege controls
Any hacker, cybersecurity professional, or anyone with any knowledge of cybersecurity practices will tell you that the gold criminals are after is poorly provisioned accounts, because they lead to more money, more notoriety, and more data. We see tons of accounts with too much access, accounts that should have been terminated (but were not), users with administrative access, and everything in between. If I, as a professional hacker, can compromise an account, many times I can evade discovery for long periods of time. In healthcare, you have not only the normal health IT (HIT) accounts but also medical device accounts. Most healthcare organizations forget to deal with medical device security.
Medical devices
The convergence of HIT into the medical device arena has left us with a mess for cybersecurity efforts. Medical devices MUST be secured! I could write a thesis paper on this topic and barely scratch the surface. Medical devices must be risk assessed and managed; split tunneling and multiple unmanaged access paths into these systems MUST be controlled. Default credentials must be changed, and credentials SHALL NOT be shared.
These are not all of the issues behind healthcare cybersecurity attacks, but they are some of the primary concerns. I challenge you to take a look at your risk assessment and see whether it clearly and accurately identifies these and other issues. Review your risk assessment and build a five-year plan from it. If your risk assessment does not help you build a five-year plan, it is broken and needs to be rewritten.
Are you ready to mitigate your healthcare cyber risks?
Get started by sending us a message, and we’ll set up a healthcare risk assessment review.