Cyberattacks on health care grow in number even as more leaders, staff gain awareness

© leowolfert - stock.adobe.com

Growing numbers of physicians, other clinicians, and health system leaders are paying more attention to cybersecurity.

Yet more is needed because attacks are increasing in 2023, creating a “New Era in Healthcare Cybersecurity.”

It was the topic of discussion Aug. 16 in a webinar presented by Russell Teague, vice president of advisory services and threat operations for Fortified Health Security. He spoke with Matt Thompson, cyber content manager for the Franklin, Tennessee-based network security firm.

Growing numbers

As of Aug. 15, health-related entities reported 388 incidents – 153 more than the same time in 2022 – involving more than 60 million people, Thompson said. He cited records from the U.S. Department of Health and Human Services’ Office of Civil Rights (HHS-OCR), which tracks breaches of unsecured protected health information involving at least 500 patients.

Russell Teague
_{Fortified Health Security}

Cyberattacks in health care have increased each year in recent memory, but not at that rate, Teague said. Things could get worse to finish 2023 because computer attacks tend to increase in the second half of the, when foreign hackers mistakenly believe many Americans are on holiday.

“Why are we not able to turn the tide?” Teague said. “The core of the question is really tied to raising the bar in cybersecurity. We are seeing significant improvements across major sectors throughout the health care provider ecosystem. But it’s not until we get to a tipping point where there’s been enough investment and we’re not there yet. We still have much work to do.”

Consequences of attacks

Massive data breaches make headlines, but workers in the health care industry don’t always hear about consequences, Thompson said. Teague used the example of this summer’s hack of the MOVEit Transfer program. It can be used independently or be embedded in other applications, making it more challenging because some providers may not know they’re using it, he said.

Computer attacks can slow down operations, with potentially deadly consequences if rural community, rural critical access, and community hospitals cannot deliver local care, Teague said.

Once operations are restored, the data breaches or threats of holding patient data for ransom both can lead to personal lawsuits that turn into class action lawsuits against organizations and executives, Teague said.

Create a culture of security

Meanwhile, health care organizations are pressed for money and expertise for cybersecurity, Thompson said. Education is one of the least costly ways to help workers become the first line of defense against cyberattacks, Teague said.

That creates a “cyber-aware” culture within an organization so workers are less likely to click on malware or malicious phishing emails that open the door to attackers to begin with, he said.

“Focus on the people, focus on the education,” Teague said. “Don’t forget about, you know, obviously, the processes, the policies, the technology that enables other people to do a better job. But clearly your first line of defense is education.”

Physicians and health care leaders should understand cybersecurity is a journey with a multitude of elements, not a sprint or a light switch to turn on or off. But not knowing about it or ignoring it becomes gross negligence when there is a breach, Teague said.

Cybersecurity also is a cost, but when there is an attack, the downtime effects are far greater than the upfront investment to be proactive, he said.

Attack trends

In attack trends, ransomware continues to be a tactic, but it appears hackers are seeming to be quieter and less destructive when they have infiltrated health system networks. It may be that cybersecurity staff are getting better at detecting hacker activities before they encrypt everything and literally shut down an organization, Teague said.

That shows the health care sector is maturing in cybersecurity efforts, he said.

Some additional tips and resources from Teague and Thompson:

• Set up free Google alerts on your own domain name and on HHS-OCR to keep up on cyberattack trends and develop a proactive mindset.
• Gamify cybersecurity training to make it fun. “Anytime that you ask a large population to try to make change, and not make it fun, you get less adoption,” Teague said.
• Obscurity is not a strategy against cyberattacks. “It’s not if, it is when, and you need to be prepared for it,” Teague said.
• Take a lesson from the military and train as you would fight. Run the tabletop exercises to prepare for a data breach. Engage internal workers and outside consultants, such as insurers and legal counsel, to understand how to react when it happens.