The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning U.S. hospitals and healthcare providers of an increased and imminent cybercrime threat to them.
Let us go back before we tackle the paragraph above. Since the days of Electronic Health Records (EHR) incentives and Meaningful Use, we have always found an interesting dynamic:
- Healthcare professionals and organizations must share their data with others and create portals for easy access.
- Healthcare professionals and organizations must protect their data from others and ensure that only the required information is shared with the right individuals.
In addition to the above, technology is changing by leaps and bounds, with multiple devices having the capability to receive and store patient information. Now, with the expansion of the telemedicine field, we are seeing more and more use of technology to connect, acquire, and share data with others.
Now, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services are warning of an increased and imminent threat to healthcare professionals and organizations. That warning should be considered redundant, as it is obvious that the cyberthreat and the attacks continue to increase. Yet the number of successful attacks may be interpreted as a sign that additional communication and resources are needed to prevent and slow down this trend.
To enlighten our readers, we picked 10 random cases of organizations that experienced malware, ransomware, and/or phishing incidents during the first half of 2020.
- University of Florida, UF Health Shands in Gainesville and UF Health Jacksonville all reported email hacking incidents associated with an attack on a business associate that affected thousands of individuals.
- Florida Orthopaedic Institute found that some personal information had been exposed during a ransomware attack on encrypted data stored on its servers.
- University of California San Francisco paid $1.14 million to hackers after a ransomware attack on its medical school’s computer servers.
- Miami-based Cano Health reported a data breach that affected 28,268 individuals.
- A data security incident involving Care New England’s computer system caused the Providence, R.I.-based health system’s website to experience downtime for nearly a week.
- CHI St. Luke’s Health-Memorial Lufkin (Texas) began notifying patients on June 19 that an unauthorized third party gained access to patients’ protected health information in April.
- Netwalker, a ransomware operator that threatens to publish data online if ransoms aren’t paid, hacked Springfield, Pa.-based Crozer-Keystone Health System and is auctioning off its data online.
- Albuquerque, N.M.-based Presbyterian Healthcare notified 183,000 patients that their private information was breached in a second email hack last year.
- The email account of an employee at Oswego (N.Y.) Health was compromised by someone not associated with the health system who sent out emails containing a link to a possibly malicious site.
- MU Health Care in Columbia, Mo., notified patients of a data breach that occurred in September 2019, in which students created email accounts with a third party but used the same username and passwords as their university email accounts. The university email accounts containing patient information may have been compromised when an unauthorized user breached the third party’s system.
Based on the information presented here, we consider the next question to be: what can we do to prevent and slow down this trend? This is the easy part, as we can refer you to some resources worth checking:
- CISA MS-ISAC Ransomware Guide: provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.
- Fact Sheet: Ransomware and HIPAA: provides information for entities regulated by the HIPAA Rules.
We also recommend visiting CISA’s Ransomware webpage for additional information.