HHS discloses healthcare data breaches increased significantly in 2021

The U.S. Department of Health and Human Services (HHS) received reports of data breaches from 578 healthcare organizations in 2021, impacting over 41.45 million individuals. Additionally, the agency revealed that 38 organizations, affecting close to two million individuals, were already targeted by data breaches last month, indicating that cybercriminals intend to continue carrying out cyberattacks against the healthcare sector in 2022.

The HHS revealed in its latest threat brief that some of the organizations affected by data breaches in 2021 include the Florida Pediatric Health Pediatric Organization, Florida Vision Care Provider, Wisconsin Dermatologist, and the Texas Health Network. The agency also revealed that the Indiana General Health Provider, Ohio Pharmacy Network, Georgia Health Network, Nevada University Health Center, New York Anesthesiologist, and the New York Medical Management Solutions Provider were targeted by data breaches last year.

There has been an upward trend in the number of data breaches recorded in the healthcare sector. The HIPAA Journal’s 2020 Healthcare Data Breach Report revealed that the healthcare industry in 2020 had the third-largest number of data breaches on record since 2009, the HHS threat brief said.

HHS said that the top threats carried out against electronic medical records (EMRs) and electronic health records (EHRs) came from phishing attacks, malware and ransomware attacks, encryption blind spots, cloud threats, and employees. In 2020, at least 2,354 U.S. government, healthcare facilities, and schools were impacted by a significant increase in ransomware, it added. 

While EMRs and EHRs are often used interchangeably, the EMR allows the electronic entry, storage, and maintenance of digital medical data, and the EHR contains the patient’s records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications. EMRs are part of EHRs and contain patient registration, billing, preventive screenings or checkups, patient appointment and scheduling, tracking patient data over time, and monitoring and improving the overall quality of care.

The threat brief identified that cyberattacks ‘caused significant disruption across the healthcare industry.’ Organizations affected by these attacks included 113 federal, state, and municipal governments and agencies, 1,681 schools, colleges, and universities, 560 healthcare facilities, and the Pennsylvania Health Services Company, which operates 400 hospitals & healthcare facilities, it added.

The HHS said that data encryption protects and secures EMR/EHR data while being transferred between on-site users and external cloud applications. “Blind spots in encrypted traffic could pose a threat to IT healthcare because threat actors or hackers are able to use encrypted blind spots to avoid detection, hide, and execute their targeted attack. Also helps with HIPAA, FISMA, and Sarbanes-Oxley Act of 2002 compliance,” it added.

The HHS also identified that more healthcare organizations are using cloud services to improve patient care, so there is an increasing need to keep private data secure while complying with HIPAA. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. 

The HHS said that insider or employee threats are also emerging as one of the top threats against EMRs and EHRs. “It is recommended that your healthcare organization has a cybersecurity strategy and policy that’s not only understood but followed and enforced.” The agency proposed an effective strategy that involves educating all healthcare partners and staff, enhancing administrative controls, monitoring physical and system access, and creating workstation usage policies.

“EMR/EHRs are valuable to cyber attackers because of the Protected Health Information (PHI) it contains and the profit they can make on the dark web or black market,” according to the HHS threat brief.

To deal with the rising number of data breaches in healthcare organizations, HHS has “recommended that healthcare leaders shift their focus by moving beyond a prevention strategy and creating a proactive preparedness plan. This helps understand vulnerabilities in the current network landscape and provides guidance needed for framework that will be effective in identifying and preventing attacks, which is key to protecting EMRs/EHRs, along with access to vital patient data,” it added.

HHS also offered several strategies that healthcare leaders should consider to strengthen their organization’s cybersecurity posture. These actions include evaluating risk before an attack, using a virtual private network (VPN) with multifactor authentication (MFA), developing an endpoint hardening strategy, deploying endpoint detection and response (EDR), protecting emails and patient health records, engaging with cyber threat hunters, conducting red team / blue team exercises, and moving beyond prevention.

The HHS data comes at a risky time for the U.S. healthcare sector, as federal security agencies last week issued a ‘Shields Up’ alert that notifies every organization in the country of potential risk from cyber threats and nudges organizations to strengthen their cybersecurity posture. The warning comes in the wake of increasing geopolitical tensions brought about by Russia’s potential invasion of Ukraine.

Following the Shields Up alert, the HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an alert recognizing that “while there are not currently any specific credible threats to the Healthcare and Public Health Sector, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine.” 

Based on this situation, “CISA has been working closely with its critical infrastructure partners over the past several months to ensure awareness of potential threats—part of a paradigm shift from being reactive to being proactive,” the HC3 added.
