From the June 2016 issue of HealthCare Business News magazine
By Jorge Rey and Roberto Valdez
Since the enactment of the HITECH Act, the health care industry has undergone revolutionary technological changes, strengthening some aspects of the delivery of health care services while presenting new challenges in other areas. With virtually all medical data now stored electronically, health care organizations need to be increasingly vigilant in protecting that information from cyber criminals. Taking a multi-layer approach to IT security can help to minimize risk.
In 2015, 57 data breaches related to hacking/IT incidents were reported on the U.S. Department of Health and Human Services (HHS) Office of Civil Rights Breach Portal, which tracks breaches at health care organizations and their business associates. That is a 68 percent increase over 2014, when 34 such breaches were reported. This year may produce the highest number yet, with 18 hacking/IT incidents already reported in 2016.
Why are health care cybersecurity attacks on the rise? The increase could simply be because health care organizations have been reporting more breaches in compliance with breach notification rules. The health care industry invests less than 6 percent of its technology budget on security, according to the 2016 Analytics Healthcare IT Security and Risk Management Study by the Healthcare Information and Management Systems Society (HIMSS). Financial services organizations project to spend 10 to 12 percent of their IT budget on security in 2016, according to a survey by the SANS Institute.
Regardless of the reason for the increase in breaches, one thing is clear: hackers appear to be taking the health care industry hostage with ransomware. The Institute for Critical Infrastructure Technology (ICIT) has warned that 2016 will be a year plagued by ransomware. As reported in the ICIT Ransomware Report, the health care industry was not a traditional target for ransomware attacks.
However, this has recently changed. Earlier this year, the Hollywood Presbyterian Hospital Medical Center was infected with ransomware called “Locky," and a week after that attack five computers belonging to the Los Angeles County Health Department were infected with a ransomware variant. Ransomware is typically not a sophisticated attack. It can be performed by pretty much anyone with an Internet connection through available-for-hire models, called “Ransomware as a Service” (RaaS).
As with other forms of social engineering attacks, phishing, spear phishing or spam emails are the preferred delivery method of malicious software into a network for a ransomware attack because employees open emails and click on attachments and links as part of their day-to-day activities.
