Within September alone, 30 healthcare organizations, including hospitals, private practices and insurers, reported data breaches to HHS' Office for Civil Rights. As of Oct. 4, seven healthcare providers had reported data breaches for the month.
Some of these data breaches are caused by phishing attacks or lost medical folders. Others are the result of ransomware attacks, encrypting hospital and health system data. Ransomware attacks have caused some hospitals to cease operations completely, including Simi Valley, Calif.-based Wood Ranch Medical.
Wood Ranch Medical and other medical centers that have been forced to close after ransomware attacks do so because they do not have the money to rebuild its encrypted systems or hire digital forensic experts. The FBI recommends organizations do not pay hackers the ransom to gain decryption keys, as it might motivate the hacker to continue its cybercrimes.
Additionally, smaller hospitals and health systems are targets for cybercriminals because they lack sophisticated security tools and many don’t have cybersecurity specialists.
So, why are hospitals the new targets for cybercrimes? One reason is because of the amount of data they store. Also, cybercriminals are executing attacks against hospitals and health system successfully.
"The recent rise in cybersecurity attacks against healthcare is because the attacks have been effective, so the velocity of attacks is increasing," said Howard Haile, chief information security officer at Denver-based SCL Health. "Ransomware attacks are financially motivated, so if an attacker can disrupt the operations of a clinic or hospital then the victim is more likely to pay, which is the goal of the attacker."
If a hospital or health system is hit by a ransomware, it can be more crippling than other businesses. Because hospitals and providers cannot survive without recovering patient files, ransomware attacks can often cause more severe consequences.
There are ways for hospitals and health systems to prevent employees from falling for phishing attacks and other scams. Mr. Haile recommends training employees how to spot spoofing emails and running exercises to test the effectiveness of the training.
"Companies should provide an easy way for employees to report possible phishing attacks, coupled with defined incident response procedures to rapidly respond to the phishing attack as they occur," he said.