Among the many challenges of 2020, healthcare organizations in the U.S. took a big hit on the cybersecurity front. As if the COVID-19 pandemic weren't challenging enough, U.S. healthcare organizations experienced a record number of cybersecurity incidents. IT incidents and hacking accounted for over 67% of all breaches, exposing tens of millions of people's sensitive personal data.
The threat protection company Bitglass reported a 55.1% increase in breaches from 2019 to 2020, based on its analysis of breach data published by the U.S. Department of Health & Human Services. The number grew from 386 in 2019 to 599 in 2020.
What was the nature of the breaches? Most were caused by IT incidents and hacking. The breaches exposed the sensitive personal data of 24.1 million individuals, leaving them vulnerable to identity theft and phishing attacks.
Surprisingly, despite a significant rise (55.1%) in incidents, the number of individuals affected was lower in 2020 than in 2019.
Other notable findings:
- California had the highest number of breaches (49 incidents). Texas followed in second place (43 incidents).
- New York was third (39 breaches), with Florida and Pennsylvania tied for fourth (38 breaches each).
- When ranked by the total number of individuals affected, Michigan came in first, mainly because of a single incident at the Trinity Health healthcare delivery system, which affected 3.3 million individuals.
- The Ponemon Institute found that healthcare organizations' breaches have the longest recovery time and are the most expensive in terms of damages.
- The average cost per breached record was $499 in 2020.
- The average breach recovery took 236 days.
- On average, healthcare institutions take 96 days to identify a breach, more than any other industry.
Are these all ransomware attacks?
It's important to note that Bitglass does not explicitly identify the type of hacking incident in its report. However, ransomware attacks are the most likely culprit.
Several ransomware groups have been known to attack hospitals and healthcare organizations, including but not limited to Maze, Ryuk, SunCrypt, Clop, Snake, and REvil (Sodinokibi).
Check Point named Ryuk and REvil the top threats in its report on the threats facing the healthcare sector globally.
The U.S. Government (CISA, the FBI and HHS, in a joint advisory) issued an official warning in October 2020 regarding Ryuk ransomware attacks targeting hospitals and healthcare providers. Ransomware groups also continue to breach hospitals by exploiting unpatched Pulse Secure VPN servers. The most widely exploited flaw in those appliances, CVE-2019-11510, lets an unauthenticated attacker read files containing stored credentials (it is not a remote code execution bug on its own), and a vendor patch for it has been available since April 2019, so keeping VPN appliances current closes that door.
Where do we go from here?
At a minimum, follow HIPAA closely and perform the Security Risk Assessment (SRA) that the HIPAA Security Rule requires, repeating it at least annually. A competent IT company can turn the findings of an SRA into a prioritized remediation plan, which produces continuous improvement in your cybersecurity posture and helps keep you safe and out of the news.
TIP: Expect your next cyber insurance renewal to ask extensive questions similar to those in the SRA. Make those cybersecurity improvements now, before a rushed IT project is needed to pass your insurer's questionnaire!
If you are a healthcare organization concerned about ransomware risks or looking to strengthen your IT security strategy, contact PK Tech today.