- In addition to fighting off the COVID-19 pandemic, hospitals have been hit by hackers in record-breaking numbers
- Protecting health care organizations is a unique challenge, because it combines traditional security with stringent regulations governing patient data
- Health care organizations have traditionally been underprepared in terms of security, a problem made worse by the COVID-19 pandemic
The Prescription Isn’t Working
Health care organizations across the world are under attack. Unfortunately, it's not just due to COVID-19.
Hospitals and other health care providers are being inundated with cyber attacks at a record pace. Hackers are taking advantage of the chaos caused by COVID-19 to target institutions at their most vulnerable.
The numbers are staggering. A ransomware attack hit at least 26 U.S. healthcare providers between January and May. Most notable was the case of University of California-San Francisco, which ended up paying $1.14 million in ransom after a malware attack hit the School of Medicine.
Additionally, a hospital in the Czech Republic that is responsible for most of the country's COVID-19 testing was held to ransom and had to shut its IT network. As the pandemic was first making waves, hackers shut down computers at the Champaign-Urbana Public Health District in Illinois in March and forced them to pay $300,000 in ransom.
A DDoS attack hit the U.S. Department of Health and Human Services in March, while the World Health Organization has reported five times the usual number of attacks headed its way. That's on top of hackers spoofing organizations such as WHO, the registration of phony COVID-related domain names, and Google detecting 18 million phishing and malware messages a day related to the pandemic. This doesn't just land in the spam folder. It has a major impact. A French pharmaceutical company paid $7.25 million to a company purporting to sell masks and sanitizers.
Though COVID-19 has brought an unprecedented spike in attacks against hospitals and the larger medical community, it is not a new phenomenon. Last year, 83% of health care groups reported an increase in cyber attacks. Some two-thirds of global health care groups have experienced an attack in their firm's lifetime; 53% of them experienced one within the last year. Part of the reason is simple value. Patient medical records can sell for as much as 50 times more than personal financial information on the black market.
And it's not just major hospitals. In fact, 70% of ransomware attacks targeted facilities with fewer than 500 employees. That's compounded by the fact that 80% of such practices don't employ an on-site security official.
According to the Council on Foreign Relations, citing records from the HHS Office for Civil Rights, the last 11 years have seen more than 2,500 breaches. The result? The exposure of more than 175 million patient records.
Last year, a private practice in Michigan closed after a ransomware attack, the first known closure due to ransomware. Ransomware attacks don't just paralyze computer systems. They paralyze patient care. In 2018, a ransomware attack on an Ohio hospital forced emergency room patients to be diverted to another facility. Also that year, a hospital in Missouri had to divert trauma and stroke patients and was forced to shut down its electronic health records system after a ransomware attack. In general, 36% of institutions attacked weren't able to provide patient care for at least five hours.
More alarmingly, one study found that data breaches not only reduce the quality of care, but actually increase the 30-day mortality rate, not just in the immediate aftershocks, but up to two years later.
It’s not just about patient data. It’s about a patient's life.
Failure to Prepare
According to the 2020 Verizon DBIR, the healthcare industry suffered the most breaches across all sectors, and breaches increased by 71.38%. A majority of this was through email. One report found that 72% of organizations experienced downtime due to an email-based cyber attack.
It's not just that health care organizations are under an onslaught of cyberattacks. They're largely not prepared. Some 87% of organizations say they don't have the proper personnel in place to defend against such attacks, an increase of more than 10% from 2017. Another study found that 32% of hospital personnel haven't received proper security training, and 52% of businesses believe they are at risk due to a lack of employee awareness.
Attacks on health care organizations are skyrocketing, and not enough is being done by those organizations to protect themselves. Some organizations are so overwhelmed that EY is recommending adding an external Incident Response provider to ease the burden.
And protecting a healthcare organization comes with unique challenges. Organizations must comply with HIPAA, the law governing patient confidentiality, which carries heavy fines for non-compliance, especially when it comes to the protection of Electronic Protected Health Information (ePHI). Unlike some industries, healthcare needs a security solution tailored to it. It's not enough to just protect against phishing emails. Because patient data sells for more than credit card and social security information on the black market, there needs to be a two-pronged approach: one that protects everything the organization holds and also makes HIPAA compliance straightforward. Attacks don't just expose data; they also open the organization up to HIPAA violations and fines.
The Right Medicine
The number one cause of breaches is email, and 96% come through social actions like phishing. That means you need a solution that stops breaches before they start. Avanan sits behind email, meaning we can stop malicious attacks before they reach the inbox. Avanan also uses machine learning algorithms, combined with role-based, contextual analysis of previous conversations, to identify threats that Microsoft and others miss. On deployment day, analysis of one year's worth of email conversations builds a trusted reputation network.
You also need a solution that protects this valuable cloud-based data. Avanan’s actionable intelligence automates security, compliance and risk management from a single pane of glass view. Using advanced data classification, document fingerprint and optical character recognition, Avanan is able to identify ePHI in files and email and protect accordingly.
Further, flexible controls identify and protect Personally Identifiable Information (PII) and encrypt the content. Automated MFA guarantees that only the intended user has access to sensitive information.
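The two detection ideas in the paragraphs above, content classification and document fingerprinting, can be illustrated with a small scanner. The code below is an added example and is not Avanan's code or a description of its product internals; the regular expressions, the clinical vocabulary, the five-word shingle fingerprint and the sample messages are all constructed for this illustration. It labels a message as clean, PII (an identifier on its own) or ePHI (an identifier in a health context, or a substantial overlap with a registered sensitive document), so that a policy such as encrypt-and-audit can be applied before the message leaves the organization.

```python
import hashlib
import re

# Constructed sample content with made-up identifiers; not real patient data.
SAMPLE_MESSAGES = {
    "discharge_note": (
        "Patient Jane Roe, DOB 03/14/1961, MRN 00482913, SSN 123-45-6789, "
        "diagnosed with type 2 diabetes and discharged on metformin."
    ),
    "lunch_plan": "Team lunch is at noon Friday, please RSVP by Thursday.",
    "forwarded_excerpt": (
        "FYI see below. diagnosed with type 2 diabetes and discharged on metformin."
    ),
    "bare_id": "Reminder: visitor badge 123-45-6789 expires today.",
}

# Identifier patterns (illustrative). The SSN pattern skips area/group/serial
# values that are never issued, which cuts false positives on random numbers.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*:?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Health-context vocabulary: an identifier alone is PII; identifier plus
# health context is treated as ePHI.
CLINICAL_TERMS = ("diagnos", "discharg", "prescri", "metformin", "diabetes", "lab result", "hba1c")

SHINGLE_SIZE = 5  # words per fingerprint chunk

# Policy applied per label (constructed for the example).
ACTIONS = {"ephi": "encrypt_and_audit", "pii": "encrypt", "clean": "deliver"}


def normalize(text):
    return re.sub(r"\s+", " ", text.lower()).strip()


def shingles(text):
    """Hash every run of SHINGLE_SIZE consecutive words, so that a partial
    copy of a registered document still shares most of its fingerprints."""
    words = re.findall(r"[a-z0-9]+", normalize(text))
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_SIZE]).encode()).hexdigest()
        for i in range(len(words) - SHINGLE_SIZE + 1)
    }


def build_registry(sensitive_documents):
    """Union of shingle hashes for documents already known to contain ePHI."""
    registry = set()
    for doc in sensitive_documents:
        registry |= shingles(doc)
    return registry


def classify(text, registry, match_threshold=0.5):
    """Label one message and report why."""
    hits = {name: len(p.findall(text)) for name, p in IDENTIFIER_PATTERNS.items() if p.search(text)}
    lowered = text.lower()
    terms = [t for t in CLINICAL_TERMS if t in lowered]
    own = shingles(text)
    overlap = len(own & registry) / len(own) if own else 0.0
    fingerprint_match = overlap >= match_threshold
    if fingerprint_match or (hits and terms):
        label = "ephi"
    elif hits:
        label = "pii"
    else:
        label = "clean"
    return {
        "label": label,
        "action": ACTIONS[label],
        "identifiers": hits,
        "clinical_terms": terms,
        "fingerprint_overlap": round(overlap, 2),
    }


def scan_mailbox(messages, registry):
    """Classify every message; returns {message_name: label}."""
    return {name: classify(body, registry)["label"] for name, body in messages.items()}


if __name__ == "__main__":
    registry = build_registry([SAMPLE_MESSAGES["discharge_note"]])
    for name, body in SAMPLE_MESSAGES.items():
        print(name, classify(body, registry))
```

The forwarded excerpt carries no identifier at all, yet it is caught because more than half of its word shingles match the registered discharge note; the visitor-badge message matches the SSN pattern but has no health context, so it is treated as PII rather than ePHI. In practice the registry would be fed from the EHR export or document store, and OCR output for scanned attachments would simply be passed through the same classifier.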
Unlike some cloud providers that only encrypt files outside email, with Avanan you can follow the file as it's being shared. That allows for on-the-fly encryption, preventing unauthorized access regardless of how it's been shared. Avanan goes beyond encryption, limiting permissions such as printing, copying and pasting, or screen capture, while watermarking and file retraction provide audit trails after the document has left the organization.
Because so many users have varying permissions in a health care setting, it can be difficult to tell when something is off. Avanan's real-time data capture builds a profile from each user's event history to determine what safe behavior looks like. If a user deviates from that baseline, potentially indicating danger, Avanan identifies the account as compromised and takes corrective action.
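The per-user baseline described above can be made concrete with a small detector. This is an added example, not Avanan's code and not a description of how its profiling works: the event history is constructed inline (two users, ten days of daytime file access), the baseline is each user's own active hours plus the mean and spread of files opened per hour, and the thresholds and response actions are assumptions chosen for the illustration. An account whose activity falls outside its own baseline is flagged, and the response escalates with the severity of the deviation.

```python
import statistics
from collections import defaultdict

# Constructed event history, not real audit logs: (user, day, hour, files opened
# in that hour). Ten days of routine daytime activity for a nurse and a billing clerk.
HISTORY = []
for day in range(1, 11):
    for hour in (8, 9, 10, 11, 13, 14, 15, 16):
        HISTORY.append(("nurse_a", day, hour, 10 + (day + hour) % 4))    # 10-13 files/hour
        HISTORY.append(("billing_b", day, hour, 40 + (day * hour) % 7))  # 40-46 files/hour


def build_baselines(history):
    """Summarise each user's own history: hours they are active in, and the
    mean and standard deviation of their hourly file volume."""
    per_user = defaultdict(list)
    for user, _day, hour, files in history:
        per_user[user].append((hour, files))
    baselines = {}
    for user, rows in per_user.items():
        volumes = [files for _hour, files in rows]
        baselines[user] = {
            "hours": {hour for hour, _files in rows},
            "mean": statistics.fmean(volumes),
            "stdev": statistics.stdev(volumes) if len(volumes) > 1 else 0.0,
        }
    return baselines


def evaluate(event, baselines, sigma=3.0, min_margin=5):
    """Return the ways this event departs from the user's own baseline
    (an empty list means the event looks normal for that user)."""
    user, _day, hour, files = event
    base = baselines.get(user)
    if base is None:
        return ["no_baseline"]
    reasons = []
    if hour not in base["hours"]:
        reasons.append("unusual_hour")
    # An absolute margin guards users with near-zero spread, so ordinary
    # jitter in their volume is not flagged as a spike.
    limit = base["mean"] + max(sigma * base["stdev"], min_margin)
    if files > limit:
        reasons.append("volume_spike")
    return reasons


def respond(reasons):
    """Map deviations to a corrective action (constructed policy)."""
    if "volume_spike" in reasons:
        return "suspend_session_and_alert"
    if reasons:
        return "step_up_mfa"
    return "allow"


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for event in [
        ("nurse_a", 11, 10, 12),    # routine
        ("nurse_a", 11, 3, 12),     # 3 a.m. access, normal volume
        ("nurse_a", 11, 10, 400),   # bulk access during the day
        ("billing_b", 11, 14, 45),  # high volume, but normal for this role
    ]:
        reasons = evaluate(event, baselines)
        print(event, reasons, respond(reasons))
```

Note that the billing clerk's 45 files in an hour is allowed while the same volume from the nurse would be flagged: the comparison is against each user's own history, not a single organisation-wide threshold, which is what makes this usable in a setting where permissions and workloads vary widely between roles.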
In addition, Avanan is able to enforce HIPAA rules in real time because it audits policy violations, compliance exceptions and remediation actions. And with more and more data extending beyond email, Avanan can protect collaboration platforms like SharePoint and OneDrive, scanning every file to both quarantine malware and actively control HIPAA-sensitive data. Avanan's data security solution allows you to maintain HIPAA and other regulatory compliance, and to implement policies that prevent violations before data is leaked.
As the pandemic continues to spread, hackers will continue to find creative ways to attack healthcare organizations. Even with the unique challenges of the industry, protecting your organization doesn't have to be difficult or costly. But it does have to be done. Investing in cybersecurity now can ensure patient security and keep your organization up and running, when it's needed most.