The Cybersecurity and Infrastructure Security Agency cautions that cybercrimes targeting healthcare organizations are at an all-time high, and, according to Fierce Healthcare, the aftermath of a breach can have sustained consequences for hospitals and health systems. The recent surge of attacks, explains Fierce Healthcare’s Paul Nadrag, involves ransomware that secretly downloads patient medical records, which hackers then sell to buyers on the dark web.
He explains that the perceived value of patient records is exceptionally high because they contain fixed intel and data, including demographic, insurance and contact information. Initially, most hospitals pay for the ransomware encryption; however, they must also launch an expensive investigation into the breach and offer identity theft protection to victims. Furthermore, patients may be eligible to file a class action lawsuit due to the damage and, if the court determines there is a HIPAA violation, the health organization is subject to hefty penalties.
Despite the strain caused by the pandemic, the Fierce Healthcare report urges health systems to be diligent in protecting their networks and consider the following security measures:
- Train staff, especially on recognizing fraudulent emails with embedded links or viruses;
- Identify vulnerabilities in connected medical devices that offer cybercriminals the opportunity to gain access to networks or cloud-based servers; and
- Connect devices to a secure clinical computing hub that makes the technology unidentifiable to hackers.
MLMIC recommends that insured facilities and medical practices maintain robust information technology systems to ensure the safety of protected health information.
Additionally, MLMIC offers a number of resources to help policyholders protect their networks and mitigate the risk of a cyberattack:
- Federal Agencies Issue Advisory on Escalation of Ransomware Attacks Against Hospitals, a blog post on the recent spike in ransomware targeting hospitals and other healthcare organizations;
- Telehealth & Cybersecurity Considerations, a blog post with practices to help reduce the risk of privacy breaches or cyberattacks related to the use of telemedicine; and
- Security of Patient Information and Health Information Technology, a risk management tip on maintaining the security of health IT devices and the privacy of patients’ protected health information.