Why the healthcare industry is one of the biggest cybercrime targets
A wealth of information including details about your Social Security number, date of birth and health insurance. Reliance on systems connected to the internet. Weak protection. It's easy to see why healthcare providers are such an attractive target for hackers, and they're rising to the challenge.
With that in mind, NPI Search, a free NPI search tool, explored data from the Department of Health and Human Services and other sources to investigate the scale of medical data breaches over the past decade.
According to a January 2024 report by the HIPAA Journal, there were 725 major data breaches at hospitals and other organizations in 2023, breaking the previous year's record of 720. Additionally, more than 133 million records were compromised, more than twice the number compromised the previous year. The issue has become so disastrous that in 2023, more than 370,000 records were breached daily.
What makes healthcare so attractive to hackers? Stakes.
If a hospital or other agency is the subject of a ransomware attack, patients may suffer or die if hackers disrupt operations until they receive a ransom. Think of delayed procedures, diverted ambulances, and electronic monitoring devices that go offline. That makes it appealing to agree to the hackers' request, even though the FBI advises against it, as allegedly happened with a $22 million payment in the case of This Healthcare, Wired says.
Not only is the information valuable, its misuse can take time to detect. As the HIPAA Journal pointed out, healthcare data can be fraudulently used for a long time before it is detected. Credit companies can monitor for unusual spending patterns and close accounts immediately, but people cannot easily change their healthcare data. It may also be bundled with other information and sold to identity thieves.
Hackers are increasingly targeting health data
HHS calls hacking and ransomware “major cyber threats” to the healthcare sector. They are becoming more frequent and sophisticated as the industry relies heavily on digital technology, including electronic records, telehealth, internet-connected devices, and connections to insurance companies and vendors. Older devices may not be compatible with security measures, yet they are too expensive to replace.
In 2023, ransomware attacks on the health sector around the world almost doubled over the previous year, according to the Office of the Director of National Intelligence. According to HHS, there were 389 victims in 2023 compared to 214 in 2022. An attack can affect millions of people at once.
Among the recent major breaches was one involving the Kaiser Foundation Health Plan and its 13.4 million members. What Kaiser Permanente described to TechCrunch as “online technology” installed on a website resulted in members' search information being transferred to Google, X (formerly Twitter), Microsoft and others. Social Security numbers, financial information and credit card numbers were not shared, the company told the Los Angeles Times, but IP addresses, which identify a particular computer, were.
By comparison, a breach at Concentra Health Services affected approximately 4 million individuals. The company used a medical transcription company called Perry Johnson & Associates, which was hacked in 2023 in a breach that had already affected around 9 million people. The leaked patient data included names and addresses, dates of birth, Social Security numbers and other information.
According to the HIPAA Journal, A&A Services, which does business as SAV-RX, appears to have paid a ransom when it was hit by ransomware. The journal bases that on the company's statement that data obtained from its systems had been destroyed. A&A Services, a Fremont, Nebraska-based pharmacy benefits management company, said its systems were able to run the next day without delaying prescriptions.
As with Integris Health's Oklahoma patients, hackers may contact not only the healthcare company but also the affected patients themselves. The hackers emailed individuals directly and asked for $50 from each. Otherwise, they threatened to sell their data on the dark web. To prove they actually had the data, the hackers included each individual's email address, phone number, date of birth and Social Security number.
What is being done to increase security?
The challenges facing the healthcare industry are significant. Healthcare breaches remain the most expensive of any industry, according to IBM's 2024 Cost of a Data Breach Report. The average cost of a medical data breach fell from $10.93 million in 2023 to $9.77 million in 2024, which is twice as expensive as the average for all industries.
Industry critics say hospitals and other healthcare providers are often far behind other sectors in strengthening cybersecurity, even in simple steps like applying patches for known vulnerabilities. Additionally, financially strapped organizations may struggle to pay for cybersecurity professionals.
What is being done to help the industry tackle the problem? HHS is seeking funds to balance new requirements with voluntary measures and to encourage hospitals to achieve cybersecurity goals. To address cybersecurity, it proposes rewriting the rules of HIPAA, the Health Insurance Portability and Accountability Act, which requires patient information to be protected. Medicaid and Medicare funds could also be tied to enhanced cybersecurity, according to the Associated Press.
The Biden administration has launched Universal Patching and Remediation for Autonomous Defense, or Upgrade, a program to create IT tools that can better prevent cyberattacks on hospitals. It also announced efforts from the private sector.
Microsoft has agreed to provide small organizations with a discount of up to 75% on security products and grants that provide free cybersecurity training and assessments for eligible rural hospitals. Google is also offering advice to rural hospitals and nonprofits, as well as discounts on a range of tools. In the meantime, New York proposed changes to hospital cybersecurity and allocated funds to help pay for improvements.
No matter what, the efforts need funding. “Without the additional resources to raise the bar, those healthcare providers and those healthcare payers will continue to make choices to pay for treatment or cybersecurity,” former healthcare official Iliana Peters told the New York Times.
Story editing by Carren Jao. Additional editing by Kelly Glass. Copy editing by Paris Close. Photo selection by Clarese Moller.
This story was created by a data project, created and distributed in a partnership with Stacker.