Cybersecurity Attacks Now Commonplace within Healthcare Facilities

Cybersecurity attacks have been growing at a rapid rate within the healthcare sector.

By Mackenna Moralez
November 8, 2022

Houston-based St. Luke’s Health has begun notifying patients regarding a data breach that compromised nearly 17,000 patients’ information.  

The breach occurred at consulting services vendor Adelanto Healthcare Ventures, which notified St. Luke’s on Sept. 1. The company said two of its employee email accounts were compromised by an unknown part on Nov. 5, 2021. According to a release by St. Luke’s Health, the email accounts contained patient information such as names, addresses, dates of birth, social security numbers, dates of service, medical record numbers, Medicaid numbers and limited information about treatment and diagnosis.  

At the time of reporting, there have been no indication of whether the information has been misused. St. Luke’s is conducting an additional investigation into the incident. 

Cybersecurity attacks are becoming all-too common within the healthcare sector. ,Sixty-one percent of respondents had suffered a cyberattack on their cloud infrastructure within the last 12 months, according to a report by Netwrix. The most common type of attack was phishing.  

"The healthcare sector is a lucrative target for attackers because the chances of success are higher,” says Dirk Schrader, vice president of Security Research at Netwrix. “The first two years of the pandemic exhausted the industry. With patient health being the main priority for these organizations, IT security resources are often too stretched and are focused on maintaining only the most necessary functions. Plus, the high value of data gives cyber criminals better opportunities at financial gain: They can either sell stolen sensitive medical information on the dark web or extort a ransom for 'unfreezing' the medical systems used to keep patients alive." 

Ransomware attacks on healthcare organizations have increased by 94 percent year over year, according to a June report by Sophos. In 2021, 66 percent of healthcare organizations experienced a ransomware attack, up 34 percent from 2020. CNBC reports that financial institutions processed roughly $1.2 billion in ransomware payments in 2021.  

The St. Luke’s Health cyberattack is among the many that occurred this year. Last month, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and department of Health and Human services (HHS) joined together to warn healthcare facilities of the Daixin Team, a cybercrime group that has been targeting the healthcare sector with ransomware and data extortion operations. The Daixin Team reportedly took responsibility for a ransomware attack on a Missouri hospital system in June. The Daixin Team also attacked OakBend Medical Center on Sept. 1, collecting 3.5GB of data, including over 1 million records with patient and employee information. 

Insurance companies have begun requiring stricter criteria for healthcare organizations to secure cyber coverage. Insurers are limiting coverage, increasing premiums and requiring healthcare organizations to show basic cyber hygiene practices in order to obtain a policy.  

The FBI, CISA and HHS urged healthcare organizations to implement the following measures to protect themselves against other malicious activity:  

  • Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching virtual private network (VPN) servers, remote access software, virtual machine software and known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.   
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.   
  • Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks.   
  • Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.   
  • Protect stored data by masking the permanent account number when it is displayed and rendering it unreadable when it is stored through cryptography, for example.   
  • Secure the collection, storage and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.   
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.   
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI. 

Mackenna Moralez is the associate editor of the facilities market.  




See the latest posts on our homepage Share

Topic Area: Information Technology


Recent Posts
Recent Posts

Guidelines Target Active Shooters in Healthcare


Guideline provides a framework to include preparedness, mitigation, response and recovery from an active shooter or hostile event.

12/8/2022

Hudson Regional Hospital Fined After Gun Cache Found


The New Jersey Department of Health found the hospital in violation of several licensing standards.

12/8/2022

Leapfrog Group Announces Top Hospitals and Top Ambulatory Surgery Center Award


Over 100 U.S. hospitals received the Top Hospital Award.

12/8/2022

Patient Safety Group Issues Wheelchair Alert


Hundreds of wheelchair-related injuries have been reported to Food and Drug Administration’s Manufacturer and User Facility Device Experience reporting system.

12/7/2022

Lehigh Valley Health Network Breaks Ground on New Hospital


The hospital is expected to open by the end of 2023.

12/7/2022






FREE
NEWSLETTER

News & Updates • Webcast Alerts • Building Technologies

All fields are required.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.



You Might Like