Cyber Attacks on the Rise: The Growing Threat to Healthcare

The number of cyber incidents within the healthcare industry has continued to increase, ranging from isolated incidents to targeted attacks that have grown in their material impacts.

Hospitals and medical practices that fall victim to cyber-attacks can be left figuring out how to operate without their daily information systems. This has led to patients receiving incorrect medicine dosages, delayed operations, and diverted healthcare, such as ambulances being rerouted to other facilities, threatening patient lives. Exposure of patient data has also led to class action lawsuits, causing reputational impacts and significant losses in revenue. This year, the first healthcare organization stated that it was going out of business due to a ransomware attack.

In 2022, U.S. healthcare organizations were the most compromised of any industry for the third straight year. HHS OCR reporting of breaches in 2023 reflects approximately 440 breaches impacting 76.5 million individuals compared to 37.5 million affected in all of 2022. That represents a 100% increase in impacted individuals in only 8 months in 2023.

  • In July 2023, Hospital Corporation of America (HCA) suffered a record-breaking healthcare breach impacting 11 million records. HCA Healthcare now faces four class-action lawsuits.
  • Another example is Prospect Medical Holdings, a Los Angeles-based company that operates 16 hospitals and 165 outpatient facilities across California, Texas, Pennsylvania, Connecticut and Rhode Island. This year, it took its main computer network offline due to a ransomware attack that was claimed by a ransomware group called Rhysida. Outpatient facilities closed; in some cases, Prospect-owned emergency rooms had to close, and ambulances had to be diverted. Law firms are collecting names of impacted individuals for a potential class action.
  • In September of this year, Nuance Communications announced a data breach that occurred in May due to a cyber-attack from a ransomware gang known as CL0P, impacting approximately 1.2 million users at 13 hospitals and medical companies in North Carolina, Pennsylvania and West Virginia. Law firms are currently collecting names of impacted individuals for a potential class action.

Current cyber trends reflect a continued and growing challenge to mitigate operational impacts and protect patient data within healthcare organizations. Healthcare organizations and their staff must be prepared for a cyber-attack in order to continue operations during a cyber event. This starts by implementing the required administrative, physical and technical safeguards. It is up to covered entities to look at their daily operations and determine the best options, as cybersecurity is not a one-size-fits-all approach, although many practices are the same across healthcare firms. Incident response planning, continuity of operations plans and disaster recovery plans are critical to avoid material and long-lasting impacts. Organizations should have their cybersecurity program and controls independently reviewed to clearly understand the program's maturity and identify any recommended enhancements.

Author: Jason Spezzano, Executive Cybersecurity Advisor

Contact Us

At Withum, we are here to help ensure you have the right cybersecurity programs in place. Contact our Cyber and Information Security Services Team today for further information on how our industry experts can help your healthcare entity.