Computer attacks in health care are booming so far in 2023

© beebright - stock.adobe.com

Hackers may be on track for a banner year in 2023, according to a report from a cybersecurity firm.

“The relentless uptick of cyber threats targeting health care organizations and patients shows no signs of abating,” said “2023 Mid-Year Horizon Report: The State of Cybersecurity in Healthcare,” published in late July by Fortified Health Security.

Since the start of the year, 327 data breaches had been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights. That figure is up more than 104% from 160 breaches as of mid-2022.

The cyberattacks involved data of more than 40 million individual patients in 2023, marking a 60% increase year-over-year for the first six months. Last year, a single breach involved 2 million records, but in the first half of 2023, there were five breaches of at least 3 million records each, according to Fortified.

Those include the breach of Fortra’s GoAnywhere secure file transfer software in February, which involved more than 5 million health care records. “The software is used across industries, and many other non-health care companies were among the more than 130 companies allegedly targeted in the attack,” the report said.

Health care business associates also are at risk, accounting for 14% of all reported breaches and jumping from 22 halfway through 2022, to 82 so far this year. That is a 273% increase, the report said.

Government gets involved

Health care cybersecurity has become a hot-button issue in Washington.

“Fortunately, these obstacles have not gone unnoticed or unaddressed,” Fortified CEO Dan L. Dodson said in the report. “The federal government is actively taking initiative on the legislative front to tackle these issues head-on.”

In March, President Joe Biden released his National Cybersecurity Strategy with five pillars:

• Defend critical infrastructure
• Disrupt and dismantle threat actors
• Shape market forces to drive security and resilience
• Invest in a resilient future
• Forge international partnerships to pursue shared goals

The federal PATCH Act, short for Protecting and Transforming Cyber Healthcare, came out in spring and will go into effect Oct. 1. Medical device manufacturers must meet four requirements for cybersecurity before approval by the U.S. Food and Drug Administration.

Sen. Mark R. Warner (D-Virginia) published “Cybersecurity is Patient Safety,” a policy options paper seeking recommendations to address computer vulnerabilities in health care. Fortified noted there were more than 60 responses to his request for information. Given the complexity of the issue and at least 16 federal agencies involved, there could be multiple bills addressing specific aspects of cybersecurity.

In March, the Senate’s Homeland Security and Government Affairs Committee held the hearing, “In Need of a Checkup: Examining the Cybersecurity Risks to the Healthcare Sector.” Fortified Senior Virtual Information Security Officer Kate Pierce was among four experts who testified in that hearing and she wrote this essay for Medical Economics. Senators now are considering the Rural Hospital Cybersecurity Enhancement Act, legislation based on testimony in that hearing.

Action steps

Fortified noted the U.S. Department of Health and Human Services, its 405(d) Program, and the Health Sector Coordinating Council Cybersecurity Working Groups have published three documents on the current state of cybersecurity in hospitals, government programs, and industry best practices. Fortified was a contributor to those records and recommended three steps for health care offices and systems to prepare:

• Read the documents and assess where your organization needs to improve security.
• Plan to prioritize and tackle areas that need attention.
• Keep leadership in the loop about upcoming changes to minimize strains on the organization.