Cybersecurity and the Healthcare Industry - Part 1: Diagnosis

If healthcare cybersecurity was a patient, it may be time to activate a code blue. Threats continue to escalate to emergency-level proportions, as the healthcare industry is besieged by an onslaught of attacks from cybercriminals and complex regulatory requirements. With organizations beset with staff shortages, budgets stretched to their breaking point, and an ever-increasing reliance upon technology, the result is an industry eminently vulnerable to cybersecurity threats.

While documenting every type of cyber threat that can impact a healthcare organization would fill a near-infinite number of times, the following is but a small sampling of common cybersecurity issues that have been curated from past incidents:

• Ransomware: The origins of ransomware began in 1989 in the healthcare industry. By utilizing a stolen registration list, 20,000 malware-infected floppy disks were sent to attendees of the World Health Organization’s AIDS conference. Labeled as “AIDS Information - Introductory Diskettes,” the media contained a secret trojan horse that encrypted the files on the victim’s hard drive, forcing each victim to pay a $189 ransom in order to regain access to their files. Today’s ransomware attacks are significantly more expensive, with attacks costing hundreds of hours and millions of dollars in downtime, recovery costs, and increased revenue reserves caused by delays in billing as a result of the outage. For example, Universal Health Services, a Fortune 500 company that specializes in telemedicine and appointment facilitation, reported an "unfavorable impact" of $67 million dollars as a result of a cyberattack they suffered in 2020.
• Healthcare Regulation Breaches: While most healthcare organizations focus on external threats, there are other, seemingly benign causes of data breaches, including breaches of healthcare regulations related to protected health information (PHI). In 2013, the Office for Civil Rights of the Department of Health and Human Services reached a settlement with Affinity Health Plan, Inc. after their copiers were turned in at the end of a lease without realizing that the devices contained protected health information for over 300,000 individuals on the internal hard drives. This data breach led to a settlement of $1.2 million dollars to address HIPAA violations related to these compromised records.
• Spear Phishing: In January of 2015, the largest breach of healthcare data came to light when Anthem Inc. disclosed that 79 million patient records had been appropriated by cybercriminals. This colossal compromise began with a single spear phishing email opened by an employee, which ultimately led to criminal hackers surreptitiously gaining remote access to other systems and data in the environment. The information that was breached contained sensitive data such as Social Security numbers, home addresses, and birth dates. When all was said and done, Anthem paid well over $100 million dollars in settlements and lawsuits.
• Medical Equipment Vulnerabilities: The Department of Homeland Security (DHS) released an advisory in 2019 related to vulnerabilities in medical equipment that could result in potentially life-threatening situations. It was determined that sophisticated hackers with knowledge of certain widely used cardiac defibrillators could remotely exploit them to inflict harm. According to the DHS, hackers within close proximity could stop a defibrillator or deliver a shock to a patient.

Studying these past scenarios is important for all healthcare organizations to avoid becoming the next case study or headline. To help your cybersecurity defenses achieve a clean bill of health, consider setting up a meeting to discuss how Citrin Cooperman can help protect your business. To get started, please contact Kevin Ricci at kricci@citrincooperman.com or Michael Camacho at mcamacho@citrincooperman.com.

Read Part 2: Prognosis here >>