Data from the US Department of Health and Human Services’ Office for Civil Rights (OCR) shows that the number of data breaches against healthcare organizations rose in November for the third month in a row.
In November, the OCR reported 68 data breaches, each of which exposed 500 or more personal records. Cyber-attacks against healthcare organizations have increased dramatically over the course of the pandemic, with 40 million people in the US affected.
Planned Parenthood was recently hit by a ransomware attack that exposed the personal information of about 400,000 patients. The attackers stole patients’ names, addresses, contact details and health-related information.
The number of data breaches this year is likely to end up higher than the 2020 total, which was itself up 42% on 2019. While many came to appreciate healthcare organizations more than ever during a brutal pandemic, cyber-criminals developed even more sophisticated ransomware, malware and social engineering tactics to steal patient data.
Why Are Healthcare Organizations Being Targeted?
Healthcare organizations have become a high-value target for cybercriminals looking to gain financially from the theft of people’s personal healthcare data.
Protected health information (PHI) is a valuable commodity for cyber-criminals: it contains personal data that can be used in identity fraud, and it can be sold to other criminal groups at a high price on the dark web.
For victims, the consequences can be catastrophic. Patients can be denied medical insurance, medical bills can be run up in someone else’s name, and medical records can even be altered to reflect another person’s conditions.
Cyber-criminals also see healthcare organizations as an easy target compared to businesses in other sectors, which often have far larger budgets to spend on cybersecurity defenses.
Even before the pandemic, many healthcare organizations didn’t have the cybersecurity precautions in place that they needed. During Covid-19, many hospitals and healthcare environments also had to move on-site administrative staff into remote roles, throwing on-premises patient data protection systems into chaos.
Cyber-criminals are well aware of the pressures that healthcare workers and healthcare IT teams are under, and data suggests they are determined to turn that to their advantage. BlackBerry’s VP of Product Marketing Nigel Thompson told Expert Insights:
“During COVID, we were seeing criminals actively targeting hospitals with malware because they knew admin staff were working remotely, which I thought was horrific. Even during real wars, we don’t attack hospitals.”
Read our full interview with Nigel Thompson, VP of Product Marketing, BlackBerry
How Zero-Trust Can Help Healthcare Organizations Stay Secure
One of the most important ways in which healthcare organizations can stay secure against data breaches is by implementing a zero-trust security framework.
Zero-trust is a security model that assumes data breaches will take place, and perhaps already have. Rather than trusting a user or device because it is inside the network, every request for access to critical systems or patient data is verified: who the user is, whether the device is healthy, and whether that user actually needs that specific resource to perform their job role. Granting only what is absolutely essential for the job is a principle known as “least privilege”.
Brad Jarvis, Senior VP and Managing Director at HID, told Expert Insights:
“Zero-trust is about continuously verifying the things or the people, checking who they are and integrating that into a behavioral context.”
Read our full interview with Brad Jarvis, SVP, Identity and Access Management, HID
In May 2021, days after the Colonial Pipeline attack, US President Joe Biden signed Executive Order 14028 (“Improving the Nation’s Cybersecurity”), which directs federal agencies to plan and implement a “Zero Trust” architecture; the administration urged private organizations to do the same.
Zero-trust is critically important for healthcare providers. Under least privilege, a password obtained by social engineering only unlocks the narrow set of data that one user needs, and where multi-factor authentication and device checks are enforced, a password alone is not enough to get in at all. The same segmentation makes it more difficult for malware and ransomware to spread from one compromised machine across the network.
Zero-trust can also benefit the end user: many zero-trust solutions remove passwords altogether in favor of more secure authentication such as biometrics, sparing healthcare workers from managing yet another set of credentials.
Continuous verification, enforced by multi-factor authentication, also makes it much more difficult for cyber-criminals to hijack accounts and steal patient records. Because every access decision is checked and logged, zero-trust also improves visibility for IT admins, helping them detect and respond to suspected data breaches more quickly and efficiently.
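The controls described in this section (per-request verification, least privilege, MFA freshness, and the audit trail that gives admins visibility) as an added, runnable example in Python. This is not code from the article or from any vendor quoted in it; the roles, resources, devices, users and the 8-hour MFA window are constructed assumptions chosen to illustrate the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Least-privilege role matrix: role -> resource -> allowed actions.
# Roles, resources and actions are constructed sample data.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "nurse":    {"ehr:patient-record": {"read", "update"}},
    "billing":  {"billing:invoice": {"read", "create"}},
    "it-admin": {"infra:backup-server": {"read", "restore"}},
}

# Assumption: an MFA proof older than this must be redone (continuous verification).
MFA_MAX_AGE = timedelta(hours=8)

AUDIT_LOG: List[dict] = []   # every decision is recorded, allowed or denied


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in the organisation's device management
    disk_encrypted: bool
    patched: bool


@dataclass
class Request:
    user: str
    role: str
    device: Device
    resource: str
    action: str
    password_ok: bool
    mfa_verified_at: Optional[datetime]   # None = never completed MFA
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


def device_compliant(d: Device) -> bool:
    return d.managed and d.disk_encrypted and d.patched


def evaluate(req: Request) -> Decision:
    """Decide one request. Every check must pass and the first failure is reported.
    Nothing is inherited from an earlier request or from network location."""
    if not req.password_ok:
        decision = Decision(False, "invalid credentials")
    elif req.mfa_verified_at is None or req.now - req.mfa_verified_at > MFA_MAX_AGE:
        decision = Decision(False, "MFA missing or stale: re-verification required")
    elif not device_compliant(req.device):
        decision = Decision(False, f"device {req.device.device_id} is not compliant")
    else:
        allowed = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
        if req.action in allowed:
            decision = Decision(True, f"role {req.role} may {req.action} {req.resource}")
        else:
            decision = Decision(False, f"role {req.role} has no {req.action} right on {req.resource}")
    AUDIT_LOG.append({"user": req.user, "device": req.device.device_id,
                      "resource": req.resource, "action": req.action,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def run_scenarios() -> Dict[str, Decision]:
    """Constructed scenarios showing which control stops which attack."""
    now = datetime(2021, 12, 1, 9, 0, tzinfo=timezone.utc)
    ward_pc = Device("ward-pc-12", managed=True, disk_encrypted=True, patched=True)
    home_laptop = Device("unknown-laptop", managed=False, disk_encrypted=False, patched=False)
    base = dict(user="nurse.a", role="nurse", password_ok=True)
    return {
        # Legitimate nurse on a managed ward PC with a fresh MFA proof.
        "nurse_reads_record": evaluate(Request(**base, device=ward_pc,
            resource="ehr:patient-record", action="read",
            mfa_verified_at=now - timedelta(minutes=30), now=now)),
        # Attacker who phished the nurse's password: no MFA, unmanaged device.
        "phished_password_only": evaluate(Request(**base, device=home_laptop,
            resource="ehr:patient-record", action="read",
            mfa_verified_at=None, now=now)),
        # Compromised nurse session reaching for backup infrastructure:
        # least privilege blocks the lateral move even with valid MFA and device.
        "nurse_touches_backups": evaluate(Request(**base, device=ward_pc,
            resource="infra:backup-server", action="restore",
            mfa_verified_at=now - timedelta(minutes=30), now=now)),
        # Same nurse, same device, but the MFA proof is from yesterday's shift.
        "stale_mfa": evaluate(Request(**base, device=ward_pc,
            resource="ehr:patient-record", action="read",
            mfa_verified_at=now - timedelta(hours=20), now=now)),
    }


def denied_events() -> List[dict]:
    """What an IT admin reviews: every denied attempt, with the reason."""
    return [e for e in AUDIT_LOG if not e["allowed"]]


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:24} {'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
```

The point of the scenarios is that the phished password on its own never reaches the data, the compromised-but-verified session cannot pivot to the backup server because the nurse role was never granted it, and a verification that has aged out is treated as no verification at all. In a real deployment the role matrix, device posture and MFA state would come from the identity provider and device-management system rather than from constants.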
Experts predict that cybercrime against hospitals and the wider healthcare industry will continue to rise in 2022, and hospital boards are pushing for greater action to ensure cybersecurity improvements are put in place.
A zero-trust security framework backed by strong security tools should be a key part of that strategy. Zero-trust enables healthcare organizations to limit their risk of a data breach, make security easier for healthcare workers, gain greater visibility into incoming threats and improve their response if a breach were to occur.