I found this new information on cyber-attacks and thought that it may interest you.
Some HIPAA breaches don’t happen because providers are being negligent. Providers commonly neglect employee training or fail to disclose information promptly. Some breaches happen because the provider is targeted by a ransomware attack. New reports by the HIPAA Journal are shedding light on this issue. Thousands of patients are being subjected to security fraud and identity theft. A ransomware attack could affect you or your provider. Continue reading to find out more.
What Is a Ransomware Attack?
Unfortunately, ransomware attacks are currently targeting healthcare organizations. The problem is that it is difficult to know the extent to which healthcare organizations are being affected. Some ransomware attacks do not get reported, and in others the ransom gets paid, so they never reach the public.
Some ransomware gangs only use extortion attacks: sensitive data is stolen from networks, and a ransom is demanded to keep the stolen information private. The decision to encrypt is made on an attack-by-attack basis.
How This Is Being Dealt With
Emsisoft, a cybersecurity firm, tracks ransomware attacks. It also publishes annual reports about which ransomware is being used in attacks. The 2022 report shows that more than 200 large organizations in the United States have been attacked. The government, education, and healthcare verticals are major targets. Education has remained consistent over the past 4 years, always being affected by 84 to 89 attacks. The number of attacks affecting the government averages 102 attacks a year.
Getting data on attacks on healthcare organizations is very challenging. It is not necessary to disclose the exact nature of the attacks or release details. Emsisoft did not compile data for healthcare organizations. It did, however, look into hospitals and multi-hospital health systems.
Emsisoft compiled data from public breach notices, reports, and third-party intelligence. In total, 194 schools, ranging from universities to school counties, were attacked. In 2022, 25 healthcare providers were also attacked. The numbers will likely be higher with more accurate data.
The majority of attacks happened before encryption was used. 68% of healthcare attacks involved data being stolen.
The True Consequences
The lack of accurate data makes it hard to determine if ransomware attacks are increasing. The one clear thing is that healthcare is being targeted. It’s estimated that 290 hospitals in total were affected. That includes the 150 hospitals operated by CommonSpirit Health alone. CommonSpirit Health suffered 150 attacks affecting 623,774 patients. These attacks can result in the theft of patient data, creating the risk of identity theft and fraud.
The most real consequence, though, is to patient health. An increase in mortality and worse patient outcomes can be seen after attacks. This is caused by delays in receiving test results, postponed appointments, and canceled surgeries. No deaths can be proven to be caused by data attacks.
In one example, a computer system used for calculating medication doses was tampered with. The computer had been taken offline. A 3-year-old patient overdosed on pain medication due to this attack.
Ransomware attacks are very serious and should be handled as such. Besides causing a HIPAA breach, patients are dying or having poorer outcomes. Although suffering from a ransomware attack is not the victim’s fault, steps can be taken to prevent them. Taking those steps is not just the obligation of the practice; it is also its moral responsibility.
Resources:
If you want to make sure your practice is HIPAA compliant, visit: HIPAA Diagnostic® – Carosh Compliance Solutions
Sources:
“290 Hospitals Potentially Affected by Ransomware Attacks in 2022.” HIPAA Journal, 3 Jan. 2023, www.hipaajournal.com/healthcare-ransomware-attacks-2022/. Accessed 4 Jan. 2023.