Smaller Healthcare Organizations Increasingly Target of Cyber Criminals

If your healthcare organization hasn’t become the target of a data breach, there’s a good chance it will, and even more so if it’s an outpatient facility or specialty clinic. That’s the finding of a recent report issued by Critical Insight, a cybersecurity firm.

Healthcare organizations have long been ripe for cyber attacks. In fact, as we wrote about in May, the U.S. Department of Health and Human Services Office of the Inspector General (HHS OIG) has made it one of its top ten compliance priorities.

While you might think larger health systems would be targeted more often because of the amount of data that can be obtained in a single breach, the report says smaller organizations are becoming more attractive because they have weaker security, making it easier for attackers to get the information they want.

“Attackers look for the easiest target; if that target is a mental health clinic, that is what they will go after,” the report notes.

HHS has divided these incidents into five categories:

  • Theft
  • Improper disposal
  • Loss
  • Unauthorized access/disclosure
  • Hacking/IT incident

The last of these is the main cause of breaches. In fact, according to HHS data, more than 70 percent of the breaches reported in the first six months of 2021 were considered a hacking/IT incident.

Business associates, such as claims processors, also are prime targets, accounting for 43 percent of all healthcare breaches. In the first six months of the year, business associates accounted for 141 breaches reported to HHS, compared to just 66 in the first half of 2019.

These data breaches can prove to be a treasure trove, according to researchers.

“It’s no secret as to why hackers are showing interest. Electronic-protected health information (ePHI) is worth more than a credit card number or social security number. Scammers can monetize in a myriad of ways, from selling it on the dark web, to filing fraudulent insurance claims,” the report notes.

One reason there are so many breaches is that health organizations are running systems that are outdated. However, replacing these systems can be costly and time-consuming, and many organizations may feel the risk of not updating their systems is worth it.

Many attacks in the healthcare arena involve phishing, ransomware, and vulnerable software.

In June, we wrote about a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Department of Health and Human Services. In it, the agencies said they had “credible information of an increased and imminent cyber crime threat to U.S. hospitals and healthcare providers,” and urged providers to take precautions to protect their networks from these threats.

With an increased emphasis on the use of electronic health records, the healthcare industry will continue to be the focus of cyber criminals. Not only will those whose healthcare information is stolen end up paying a price, but those who are targeted by the breach also will end up paying in the form of legal action. Lawsuits, such as the one we wrote about in April against a Pennsylvania addiction treatment center, likely will become more common.

Critical Insight researchers say there are several things that should be done to minimize the risk.

Assess Third-Party Risk – It is critical for healthcare organizations to classify their business associates by risk level according to the type of data they can access and to develop a risk management program. Third-party vendors should be prepared to provide potential clients with risk audit information.

Handling Business Associate Agreements – All such agreements should be reviewed regularly and should include details on what a vendor can and can’t do with ePHI and the duty to report any breaches to the covered entity. Because healthcare organizations may have dozens, or even hundreds of such agreements, reviewing them regularly is a good idea.

Ransomware Prevention and Response – Train healthcare employees to be cautious and to treat email links with suspicion. In addition, there should be 24/7 detection and response. Healthcare organizations should review and periodically test their backup and recovery plans.

Implement Strong Access Controls – By doing this, organizations can reduce the effectiveness of phishing attacks and the ability of attackers to move laterally. This is particularly important for organizations that have remote workers and are using cloud services. Implement multi-factor authentication.

Practice Basic Security Hygiene – Unpatched systems and devices running on old software leave open opportunities for hackers. Careful attention should also be paid to password management, who should have access and who no longer should have access to information, and the use of data encryption where appropriate.

As healthcare continues to rely more on electronic health records, telemedicine and other technology, it is incumbent upon everyone to ensure the safety and security of patient data.

Cyberthieves become more sophisticated every day.

It is imperative that those in the healthcare industry who are entrusted with the personal information of others understand the emerging threats created by cyberthieves. And they must begin to develop or improve data privacy practices, as well as create response plans designed to minimize the risk of a data breach.

The Health Law Offices of Anthony C. Vitale can assist clients with compliance issues. Give us a call at 305-358-4500 or email
