A joint cybersecurity advisory was released by the FBI, CISA and HHS detailing an increased threat of Ryuk ransomware targeted at health care organizations.
This shouldn't be surprising. Hospitals have been under cyber-siege for the past few years.
The Department of Health and Human Services is required to inform the public of breaches involving 500 or more patients. In 2012, HHS reported that just 4% of breaches involved email, the lowest of any vector. In 2018, email became the largest vector of breaches, at 29%.
Of the the 676 breaches currently under investigation by the department, an Avanan analysis found that 284, or 42%, involve email. According to the 2020 Verizon DBIR, the healthcare industry suffered the most breaches across all sectors, and breaches increased by 71.38%. A majority of this was through email.
This new threat comes as COVID-19 cases and hospitalizations have begun to increase nationwide.
Beyond the risk of patient data being stolen, ransomware and other cyber attacks on hospitals also dramatically reduce the quality of patient care. In September, Universal Health Services, which has more than 250 hospitals and facilities around the country, was hit with an attack, and employees reported that it resulted in longer ER wait times and all records having to be transferred to paper. In addition, there was mass anxiety and confusion among employees and patients.
And, adding to the confusion is new Treasury rules that make it harder to payback a ransom.
This has become a trend over the last few years. In 2018, a ransomware attack on an Ohio hospital forced emergency room patients to be diverted to another facility. Also that year, a hospital in Missouri had to divert trauma and stroke patients and was forced to shut down its electronic health records system after a ransomware attack. In general, 36% of institutions attacked weren’t able to provide patient care for at least five hours.
More alarmingly, one study found that data breaches not only reduce the quality of care, but actually increase the 30-day mortality rate, not just in the immediate aftershocks, but up to two years later.
It is incumbent upon health care organizations to take proper security measures, ensuring all of their vectors are protected, including Slack.
Keeping health systems operating has never been more important.