Yolanda Sims, JD, MHA
Loss Prevention and Risk Management Advisor
Is your organization creating a culture of cybersecurity? Better yet, is your cyber strategy aligned with your business strategy? Cybersecurity experts in the healthcare industry continue to ring the alarm and encourage healthcare leadership to make cybersecurity a business priority. Why? Because each day, new attacks are reported, and the fallout causes operational disruptions that impact the delivery of quality healthcare, no matter the size of the organization.
Recent Examples of the Fallout from Cyber Breaches
CentraState Healthcare System – New Jersey
On February 10, 2023, CentraState Healthcare System, a New Jersey-based facility, admitted that during a ransomware attack in December 2022, threat actors stole a cache of sensitive patient data. The compromised data includes names, addresses, birthdays, Social Security numbers, health insurance information, medical records, and patient account numbers. In a statement, the facility revealed the data breach involved 617,000 patients – all of whom will receive a notification letter offering credit monitoring services.
Banner Health – Arizona
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled this month with Banner Health, a large health system located in Phoenix, AZ. The settlement resulted from a 2016 data breach involving hackers’ unauthorized access to the electronic protected health information (ePHI) of more than 2.1 million customers. Banner Health has agreed to pay $1.2 million under the settlement terms.
In addition, Banner Health must comply with a comprehensive corrective action plan that OCR will monitor for two years to ensure compliance with the HIPAA Security Rule.
Banner Health has agreed to take the following steps:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization;
- Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
- Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan; the regular review of activity within their information systems; an authentication process to provide safeguards to data and records; and security measures to protect ePHI from unauthorized access; and
- Report to HHS within 30 days when workforce members fail to comply with the HIPAA Security Rule.
The entire HHS resolution agreement and corrective action plan can be found here.
Data Shows Cyberattacks are More Prevalent
According to a new JAMA Health Forum study, ransomware attacks against healthcare organizations doubled in the last five years, with the most common victim being health clinics. Public health researchers from the University of Minnesota and the University of Florida measured attacks on healthcare delivery organizations from 2016 to 2021. During the study period, 374 attacks were identified as exposing the personal health information (PHI) of 41,987,751 individuals—more than 10% of the U.S. population.
Some of the key findings from the study:
- From 2016 to 2021, the annual number of ransomware attacks more than doubled from 43 to 91.
- Almost half of the attacks in the cohort (44.4%) disrupted healthcare delivery.
- Common disruptions included electronic system downtime (41.7%), cancellations of scheduled care (10.2%), and ambulance diversion (4.3%).
- Only 20.6% of healthcare organizations reported being able to restore data from backups.
Ultimately, the study results suggest ransomware attacks on healthcare delivery organizations are increasing in frequency and sophistication.
Cybersecurity Readiness is Key
Now is an excellent time to measure your organization’s cybersecurity readiness. As a valued KAMMCO member, you have access to the following Beazley Breach Solutions resources:
- Business continuity planning
- Incident response planning
- I.T. security planning
- Cyber security risk assessments
- Sample policies and procedures
- Cybersecurity awareness and online training
- Data privacy and security toolkit
Together these resources can help you prepare, investigate, respond, and stay one step ahead of trends and developments that may threaten your organization’s ability to provide quality care. Explore Beazley’s Breach Solutions cyber resources today and gain insight into evolving threats like ransomware, malware, and phishing scams.
To access these cybersecurity resources, please navigate to the Cyber Risk Management Resource page on the KAMMCO website. You will find instructions on how to access and register for the Breach Solutions website there. Should you need additional assistance, contact Yolanda Sims, Loss Prevention and Risk Management Advisor, at ysims@kammco.com or 1-800-232-2259.
Sources
Burky, A. (2023, January 9). Researchers crawled search engines and searched the dark web to find out the true extent of healthcare ransomware attacks. Retrieved 16 February 2023, from Fierce Healthcare Web Site: https://www.fiercehealthcare.com/health-tech/new-jama-study-scrapes-dark-web-find-true-frequency-healthcare-ransomware-attacks
U.S. Department of Health & Human Services. (2023, February 2). HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking [Press Release]. https://www.hhs.gov/about/news/2023/02/02/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arizona-hospital-system.html
Neprash HT, McGlave CC, Cross DA, et al. Trends in Ransomware Attacks on U.S. Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021. JAMA Health Forum. 2022;3(12):e224873. doi:10.1001/jamahealthforum.2022.4873
Schwartz, N. (2023, February 10). Hackers stole patient data in New Jersey hospital ransomware attack. Retrieved 16 February 2023, from Becker’s Health IT Web Site: https://www.beckershospitalreview.com/cybersecurity/hackers-stole-patient-data-in-new-jersey-hospital-ransomware-attack.html?utm_campaign=bhr&utm_source=website&utm_content=latestarticles
Cisco Healthcare Thought Leadership: Cybersecurity threats are top of mind for healthcare CIOs and CISOs. Cisco. https://www.cisco.com/c/dam/en/us/solutions/industries/healthcare/healthcare-thought-leadership-cybersecurity-threats-are-top-of-mind.pdf
Fox, A. (2023, January 10). Half of ransomware attacks have disrupted healthcare delivery, JAMA report finds. Retrieved 16 February 2023, from Healthcare IT News Web Site: https://www.healthcareitnews.com/news/half-ransomware-attacks-have-disrupted-healthcare-delivery-jama-report-finds