A Prosperous Year for Hackers
More than 550 organizations reported healthcare data breaches to HHS in 2021, impacting over 40 million individuals. The potential fine amounts could be staggering, and with the government looking for every dime it can get, I expect that that is exactly what they will be.
The HITECH and HIPAA laws require that covered entities report healthcare data breaches of unsecured protected health information (PHI) affecting 500 or more individuals to HHS’s Office for Civil Rights (OCR). Those breach reports are public information and are posted on the HHS “HIPAA Wall of Shame” portal (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf).
What Can My Firm Do?
The 10 biggest reported healthcare data breaches of 2021 (by number of individuals affected) were all hacking / IT incidents. Healthcare organizations need to adapt and prepare for cyberattacks and data breaches by implementing solid cyber defense:
- Education: People will always be the weakest link in the security chain. Give your staff the best chance at recognizing spear phishing attacks, credential capturing sites, and other threats to your organization. It can be the most important investment you make.
- Third-Party Risk Assessments: The HHS SRA self-assessment tool used by many practices really doesn’t cut it when it comes to assessing your technical risk. It is very generic and doesn’t address the specific risks that individual practices face. If your organization doesn’t have an internal security department, have an external organization that can recognize cyber risks perform your annual assessments. Remember, you can’t protect yourself from risks that you don’t know you have.
- Technical Safeguards: There are several technical safeguards that organizations should take to protect themselves from attacks and limit the blast radius if one occurs. The best approach is one where multiple safeguards are layered on top of each other to provide a backstop when a single measure gets beached. Just running an antivirus system on your workstations won’t provide the protection that you need. Talk to us about what you have in place and how you can make it stronger.
- Cyber Incident Response Plans: What happens when an attack occurs? If you don’t have a plan in place when the incident occurs, it is too late to avoid significant pain and chaos. Having an incident response plan in place can limit the damage and get your organization working again as quickly as possible.
Selected 2021 Low-Lights
Florida Healthy Kids Corporation: 3,500,000 records exposed
Health plan Florida Healthy Kids Corporation reported the biggest healthcare data breach of 2021 on January 29. The breach impacted 3.5 million individuals. Florida Healthy Kids Corporation said it was notified of the incident on December 9, 2020. Social Security numbers, birth dates, names, addresses, and financial information may have been accessed by threat actors during the cyberattack.
Investigation of the attack revealed that the health plan’s website, maintained by Jelly Bean Communications Design, had significant security vulnerabilities that were overlooked. Remember, the cybersecurity problems of your business associates are your responsibility too. Have all of your BAs been assessed for their security posture?
20/20 EyeCare Network: 3,253,822 records exposed
Florida-based 20/20 Eye Care Network reported a healthcare data breach to HHS on May 24. 20/20 discovered suspicious activity on its Amazon Web Services (AWS) cloud environment on January 11, 2021.
20/20 notified the FBI immediately after it deactivated and reset access credentials. Some information was accessed and possibly deleted after a cyber criminal accessed the provider’s AWS cloud environment.
Using cloud services can help with your cyber defense posture, but it is by no means a silver bullet when it comes to your security (and liability). Access credentials can be stolen through key logging software and credential harvesting web sites. They can be used directly or sold to many criminal operations and your PHI is exposed to the world.
Capture RX: 1,656,569 records exposed
You have probably heard the phrase “size doesn’t matter”, well that is often true when it comes to cybersecurity. CaptureRx is an IT services organization that helps healthcare organizations manage their 340B drug program; they are part of NEC Networks umbrella. This business associate experienced a healthcare data breach in February that impacted over 1.6 million people and impacted more than 16 healthcare organizations.
NEC is a Japanese technology conglomerate with annual revenues of $25B. Just because a business associate is a major enterprise does not mean it is immune to cyber breaches.
St. Joseph’s / Candler Health System: 1,400,000 records exposed
St. Joseph’s/Candler (SJ/C) Health System in Savannah, Georgia fell under attack from ransomware attack on June 17 that led to complete shutdown of their EHR system. Forensic investigation of the attack determined that the initial breach occurred on December 18, 2020 and that the attackers were in the network for six months planting malware to be launched in a coordinated attack.
The hospital system’s computers and telecommunications systems were inaccessible, and clinicians had to document clinical notes on pen and paper. According to staff, “It wasn’t a simple software glitch or temporary power outage. It was, instead, a complete information technology meltdown”.
“Everything, from electronic medical record[s] (EMR) used to document encounters to the lab, radiology and billing software, went down. Even the phones, which are formatted as voice over the internet protocol (VOIP) devices, stopped working. All of St. Joseph’s/Candler usual patient encounter protocols were immediately rendered ineffective. The hospital system was, in essence, flying blind.”
For St. Joseph’s/Candler, it isn’t just the loss of revenue during the attack, the reputational destruction, or even the inevitable fines that will be coming from the government. There are at present two class action lawsuits pending against the health system and more may be on the way.
Does your layered cybersecurity approach include proper network segmentation to limit where potential attacks can go? Do you monitor the internal network to look for devices talking to each other that shouldn’t be? Call Alaris and talk with us about monitoring your network.
For more information related to this article, contact@alaristmc.com