COVID-19 has presented a number of unique challenges to the healthcare sector over the past year. Healthcare providers have been placed on the frontline and tasked with treating patients, educating the population, and distributing vaccines. With the industry’s attention and resources focused squarely on the pandemic, however, new threats to the healthcare system have emerged.
In the last year, healthcare providers and institutions have increasingly found themselves the target of cybersecurity attacks. A recent report issued by Check Point Software Technologies found that there has been a 45% increase in cyberattacks targeting healthcare providers globally since November 2020. It is estimated that in 2020 alone, 26 million patient records were exposed to unauthorized parties, the overwhelming majority of which were the result of healthcare cyberattacks.
The recent increase in cyberattacks begs the question: Why healthcare? For starters, medical records contain a variety of sensitive, protected health information (PHI) that serve as a “one-stop-shop” for identity theft. Recent studies suggest that the average healthcare data breach costs approximately $500 per record and $7.1 million per attack, making these attacks a nearly 14 billion dollar industry in 2020 alone. The tremendous value of the information sought after coupled with the struggle to adapt medical technology to meet updated cybersecurity needs makes the healthcare industry an attractive target for cyber criminals. The recent uptick in attacks further suggests that attackers are taking advantage of a sector overwhelmed by the pandemic.
PHI can be accessed by attackers in a variety of different ways including phishing scams, ransomware attacks, credential theft and exploiting cybersecurity vulnerabilities within healthcare networks. The pandemic has not only led to an increase of attacks on healthcare providers but has also changed the manner in which these attacks are carried out. Attackers have coordinated phishing and spear-phishing attacks under the guise of COVID-19, often leveraging subject lines and content related to the pandemic to distribute malicious software to healthcare providers. Additionally, ransomware attacks drastically increased in the later-half of 2020. This trend underscores the notion that attackers are aware that shutting down healthcare systems can adversely impact patients’ health thus making an attack more likely to elicit payment. In addition, the industry has seen an increased number of attacks geared towards telemedicine and COVID PPI and vaccine supply chains.
The following are several examples of cybersecurity attacks on healthcare providers and institutions in 2020:
- Blackboud, a third-party cloud computing vendor for healthcare entities, non-profits, educational systems and foundations, was hit with a ransomware attack on February 7, 2020. The attack continued until it was discovered on May 20, 2020. The data breach resulted in the release of PHI and other identifiable information via multiple sectors. Inova Health System in Virginia was one of the many healthcare networks who contracted with Blackboud and it is estimated that data relating to over one million Inova patients and donors may have been compromised.
- BJC Health System, a healthcare system consisting of 19 hospitals, was attacked in March 2020 when one of its employees fell victim to a phishing scam. The breach was identified on the same day but an investigation revealed that the attacker may have gained access to patients’ medical records, health insurance data, and social security numbers. The breach impacted roughly 300,000 individuals.
- The University of Vermont Health Network was the target of a cyberattack in October 2020, rendering the network’s devices and patients’ online portal inaccessible. The system outage lasted for over 40 days. UVM reported that it lost approximately 1.5 million dollars per day during the outage.
Though the end of the pandemic nears, there is, unfortunately, no indication that cyberattacks on the healthcare industry will decline. IBM analysis predicts that attacks on healthcare providers will continue to expand into 2021 and the foreseeable future. There are a number of ways in which healthcare providers can mitigate risk including: staying aware of and implementing measures to protect against possible threats, regularly auditing and reviewing both their data practices and the data practices of third-party vendors to ensure HIPAA and HITECH compliance, emphasizing employee training to minimize human error, and keeping up to date with best practices and recommendations published by the Health Care Industry Cybersecurity Task Force.
Even with the appropriate safeguards in place, cybersecurity experts agree that future breaches are inevitable. In the event of a breach it is important to have a response plan in place that complies with state and federal law. The Department of Health and Human Services, through the Health Information Technology for Economic and Clinical Health (HITECH) Act, has implemented data breach rules applicable to PHI. These rules are complex and can vary based on the severity of the breach. As such, it is important that healthcare professionals consult with their cybersecurity or appropriate insurance provider in the event of a suspected breach. These carriers generally have emergency procedures and a response team in place to assist with mitigating the damages from the breach, preserving evidence and ensuring compliance with notice requirements. Failing to comply could result in loss of coverage, civil penalties, or in some cases, criminal prosecution.
James Darrah (Jay) is an Associate in PK Law’s Medical Malpractice Group where he concentrates his practice on representing healthcare professionals and institutions. Jay also has considerable experience representing clients in tort-related litigation in Maryland and the District of Columbia. He can be reached by phone at 410-769-6148 or email at jdarrah@pklaw.com.
