The number of cyberattacks impacting the healthcare industry went up by 55.1% between 2019 and 2020. Some of the rise in healthcare cyberattack statistics was due to the COVID-19 pandemic, as healthcare institutions and research facilities were targeted for their research and for vulnerabilities stemming from the overburdening of the system.
Recent healthcare cyberattacks have hurt hospitals and research facilities, impacting the services they provide for the public and their various investors and stakeholders. With high-performing healthcare cybersecurity, however, you can take steps to prevent cyberattacks in healthcare.
Why Is Healthcare the Biggest Target for Cyberattacks?
Private Patient Information is Worth a Lot of Money to Attackers
Hospitals have vast storehouses of private patient information that hackers can sell via the dark web. In addition to details regarding patient health conditions, hospitals hold other personal identification information that can be used in a wide range of fraudulent schemes.
Medical Devices Are an Easy Entry Point for Attackers
Medical devices often depend on antiquated hardware and security protections that hackers can easily penetrate. Hospitals often cannot afford to upgrade to the latest and greatest hardware, leaving them vulnerable to attacks.
Staff Need To Access Data Remotely, Opening Up More Opportunities for Attack
Healthcare cyberattacks in 2020 were, in part, due to staff having to access data remotely. This introduced a number of new attack vectors, particularly because home and public networks are used to access healthcare information, and attackers could take advantage of their relatively weak security services.
Workers Do Not Want To Disrupt Convenient Working Practices with the Introduction of New Technology
Doctors, nurses, and other support staff often spend years getting proficient at using the equipment needed to perform their services. If they have to learn new technologies to have an IT environment with a smaller attack surface, it would take an exorbitant amount of time, energy, and investment by the healthcare facility.
Healthcare Staff Are Not Educated in Online Risks
Despite having vast amounts of knowledge regarding how to improve and save lives, many healthcare workers are not up to date with their knowledge of recent online risks. This makes facilities like hospitals easy targets for hackers because every knowledge gap is a security blind spot a malicious actor can exploit.
The Number of Devices Used in Hospitals Makes It Hard To Stay on Top of Security
Hospitals are filled with doctors, nurses, patients, food service staff, and visitors—all of whom have different devices connected to their network. In addition, there are devices that interface with the network that are crucial to the provision of services to patients and staff. Keeping up with what could be thousands of devices can be a difficult challenge.
Use of Outdated Technology
The size of healthcare facilities sometimes forces them to keep outdated technologies in place, particularly because it would take too much time and money to replace them all. In addition, some technologies may have security risks, but they do an excellent job of supporting the work of healthcare practitioners as they care for patients.
The Rising Risk of Cyber Attacks on the Healthcare Industry
Per a recent data breach report by IBM, 83% of all enterprises surveyed have experienced more than one breach in 2022. Healthcare was hit hard, with the cost of a breach going up by 42% since 2020. For the 12th year in a row, the healthcare industry had the highest average cost of a data breach. Another survey found that 18% of healthcare employees are willing to sell confidential information to unauthorized parties for as little as $500 to $1,000.
By September 2022, there had been 368 breaches affecting 25.1 million patients, as per the U.S. Department of Health and Human Services Breach Portal. Out of these, 206 breaches began with the network server being compromised with malware, and 95 began with email phishing and privileged access abuse.
Healthcare firms are frequently the target of ransomware attacks for being heavily dependent on access to data such as patient records for their operations. A CISA advisory warned healthcare and hospital administrators of a newly discovered ransomware variant, Daixin Team, that infected and extorted healthcare and public health providers.
While ransom payment demands are the norm in ransomware attacks, cybercriminals have additional leverage on healthcare victims, as releasing medical information can violate state and federal laws on privacy and security regulations of medical records.
As prominent ransomware attackers get busted and shut down, newer groups may increase their attacks in 2023. Let’s take a bird’s-eye view of the most prominent healthcare cyber attacks from 2022.
Ransomware is malware that gets installed on a computer, holding it hostage and asking the user to pay a ransom to regain control of their machine. When ransomware infects a machine, the user cannot access any of their applications or data, and they lose control over the computer completely. A ransomware attack in a healthcare facility can render essential computational resources inoperable, risking the lives of patients.
Data breaches can take various forms, one of which is credential-stealing malware that captures the credentials of someone with access to other sensitive data. In this way, the attacker is able to steal and exploit other data they find within the system.
Also, insiders may intentionally or unintentionally disclose patient data. Laptops or other devices that store protected health information (PHI) and personally identifiable information (PII) can be lost or stolen and get into the hands of data thieves.
A distributed denial-of-service (DDoS) attack is a popular tactic involving flooding a web server with fake requests. The server is programmed to respond to these requests, which consumes its resources. As a result, it cannot provide access and functionality to legitimate users. In addition to phishing, DDoS attacks are a popular technique used by hacktivists and cyber criminals to overwhelm a network to the point of inoperability.
Employees introduce a variety of vulnerabilities. Some may click on malicious links unknowingly and introduce malware into the system. Others may give away access codes that end up getting abused by attackers. Using multi-factor authentication (MFA) can cut down on insider threats because this requires multiple credentials before allowing someone access.
Business Email Compromise & Fraud Scams
Business email compromise (BEC) scammers use spoofed email or compromised accounts to trick employees into initiating a money transfer to a fraudulent account. Because the email looks like it comes from a legitimate, trusted source, the scammer is able to get their target to drop their guard. Securing medical devices with new passwords after this kind of attack may be necessary to prevent a breach.
Significant Cyberattacks in Healthcare in 2022
- Shields Health Care Group, Inc., a Massachusetts-based company, was made aware on March 28, 2022, of suspicious activity on its computer network where an unauthorized third party had gained and maintained access from March 7, 2022 through March 21, 2022. Forensic specialists engaged by the company revealed that data (full name, SSN, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number and other information) was stolen. The hack impacted 2 million people, according to the health department.
- Monongalia Health System, based in West Virginia, announced it was the victim of a phishing attack that saw several employee emails compromised on December 21, 2021. The breach was reported in July 2021 when a vendor reported non-receipt of payment. Attackers had diverted a wire transfer using compromised email accounts. Investigation into the breach confirmed that email accounts were compromised between May 10, 2021, and August 15, 2021, and they contained the sensitive health data of 398,164 patients.
- Broward Health, the southeast Florida-based health system, was hit with a cyberattack in the form of a network breach on October 15, 2021, when an unauthorized intruder gained access to its network and patient data through a third-party medical provider. The breach exposed personal and financial information on 1.35 million patients and staff. Broward Health discovered the attack on October 19, 2021, but notified victims on January 2, 2022. The Department of Justice told the company to hold off announcing to preserve an ongoing law enforcement investigation.
- Texas Tech University Health Sciences Center (TTUHSC) was hit by a breach of information through Eye Care Leaders, Inc. (ECL), a third-party provider of an Electronic Medical Record system used by the center. The security incident affecting ECL’s databases occurred on December 4, 2021, and was detected within 24 hours by ECL. TTUHSC confirmed that 1.3 million patients might have been affected by the breach. Compromised data may have included name, address, phone number, email, gender, driving license number, date of birth, medical record number, health insurance information, SSN and medical information pertaining to ophthalmology services received at TTUHSC.
- Baptist Medical Center discovered on April 20, 2022, that certain systems within their network were infected with malicious code as a result of unauthorized activity. Between March 31, 2022 and April 24, 2022, malicious cyber actors could access sensitive information and remove certain data from the network. The cyber incident affected 1.2 million patient medical accounts. Sensitive information such as reasons for medical visits, diagnoses, treatment modalities, and dates of services was stolen in the attack, besides patient names, dates of birth, SSNs and addresses.
- Norwood Clinic, based in Fultondale, Alabama, stated in an official filing that on October 22, 2021, the clinic learned of unauthorized third-party access to specific data on its computer networks. An internal investigation revealed that files accessible by the intruding party contained sensitive patient information, such as names, contact information, dates of birth, SSNs, driver’s license numbers, health insurance policy numbers and other medical information. On March 8, 2022, Norwood Clinic began sending data breach notification letters to 228,103 current and former patients whose personally identifiable information (“PII”) and protected health information (“PHI”) were accessed by an unauthorized third party.
- Partnership HealthPlan of California faced network disruptions in March 2022 and multiple reports alleged that the Hive ransomware group was behind the attack. PHC later confirmed that the group stole a trove of health information after deploying ransomware on March 19, 2022. The attack exposed the sensitive information of 854,913 patients. The incident disrupted receiving or processing of treatment authorization requests. The stolen data included patient names, SSNs, driver’s licenses, Tribal IDs, medical record numbers, diagnoses, treatments, prescriptions, health insurance details and other sensitive information.
- MCG Health, a Seattle-based company, suffered a data breach on March 25, 2022, where an intruder obtained personal information that matched that stored on MCG’s systems. The attack impacted 793,283 individuals. MCG disclosed the incident on June 10, 2022, which led to at least eight organizations confessing they were impacted by the breach that stemmed from MCG Health. Potentially affected information included names, dates of birth, gender, addresses, SSNs, email addresses, phone numbers and medical codes. The company later faced a lawsuit to hold it accountable for failing to secure patients’ personally identifiable information and not informing individuals sooner.
- Yuma Regional Medical Center, based in Arizona, suffered a ransomware attack on its systems on April 25, 2022. An investigation revealed that an unauthorized individual maintained access to the company’s systems between April 21 and April 25 and removed some files with patient names, SSNs, limited medical information and health insurance information. The attack impacted 700,000 individuals, as per local reports. YRMC’s electronic medical record application wasn’t accessed during the attack. The company was forced to implement downtime procedures.
- OneTouchPoint, a mailing and printing service headquartered in Hartland, Wisconsin, suffered a ransomware attack impacting 34 healthcare organizations, compromising personally identifiable information stored in their systems, such as customer names, addresses, birth dates, service descriptions, diagnosis codes, member identification and health assessment information. Attackers had accessed OneTouchPoint’s systems on April 27, 2022, and the company found encrypted files on April 28, 2022. It’s unclear how many individuals were impacted by the ransomware attack.
- Morley Companies, headquartered in Saginaw, Michigan, disclosed a data breach on February 1, 2022, following a ransomware attack on August 1, 2021, which allowed malicious actors to steal data before encrypting it. Investigations revealed that the attack exposed the personal information of 521,046 people, including data for the company’s contractors, employees, and clients. Stolen data fields included full name, SSN, DOB, client ID number, medical diagnosis and treatment information, and health insurance information. The company faced a class action lawsuit in federal court for failing to monitor its systems to prevent such an attack.
- Eye Care Leaders, which offers an ophthalmology EMR solution, suffered unauthorized access to its myCare Integrity system in December 2021. The company notified eye care practices on March 1, 2022, which revealed that the third-party breach impacted at least eight known organizations and 342,000 individuals. Attackers accessed its EMR system and deleted system configuration files and databases, putting the sensitive information of 1.5 million patients at risk.
- Adaptive Health Integrations, based in Williston, North Dakota, announced on February 23, 2022, that its systems had been accessed by an unauthorized party on or around October 17, 2021. The company reported the breach impacted over 510,574 individuals from the incident that occurred on a network server containing personal information.
- Christie Clinic, Illinois, confirmed on January 27, 2022, that an employee’s email account was accessed by an unauthorized entity between July 14, 2021, and August 19, 2021. A review of the incident revealed on March 10, 2022, that the emails included protected health information, such as names, addresses, SSNs, medical information, and health insurance information. The incident impacted up to 502,869 individuals.
How Fortinet Can Help
Healthcare organizations continue to be targeted by cybercriminals. Cybersecurity incidents in healthcare create a risk of loss of life, poorer patient outcomes, regulatory risks and legal consequences.
Explore the resources below to learn how Fortinet solutions can help proactively deal with healthcare cybersecurity risks.