Page 31 - Cyber Defense eMagazine March 2024
for Civil Rights. That figure is up more than 104% from 160 breaches as of mid-2022 and shows “no signs
of abating,” according to a report from Fortified Health Security.
The breach of Fortra's GoAnywhere secure file transfer software in February 2023 was particularly
severe, affecting over 5 million healthcare records. Additionally, healthcare business associates, who
play a vital role in the healthcare ecosystem, have also become increasingly targeted, with reported
breaches jumping from 22 to 82, a 273% increase compared to the previous year.
HIPAA and GDPR: A Shield Yet Insufficient
To counter these risks, the U.S. healthcare industry adheres to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), which governs the security of electronic protected health
information (ePHI). HIPAA's key components include the Security Rule, the Privacy Rule, and the Breach
Notification Rule. The European healthcare industry is protected by GDPR, which provides safeguards
for personal health data.
Despite these rigorous regulations, the healthcare sector has witnessed an increase in cyberattacks. The
dependence on interconnected systems and IoT devices, alongside the critical nature of healthcare
services, makes these institutions particularly vulnerable. The NIS2 Directive in Europe, which is set to
take effect in October 2024, will mandate that healthcare organizations protect patient data from cyber
threats to help address these issues. This includes implementing cyber risk management measures,
establishing a clear incident-reporting process and securing patient data with proper storage and handling
practices.
The Rising Menace of Ransomware Attacks
Ransomware attacks in particular, where cybercriminals encrypt critical data and systems, have become
increasingly common and devastating in healthcare. In 2022, a survey by the Ponemon Institute revealed
that 45% of healthcare IT professionals reported ransomware attacks impacting patient care. A striking
example of the vulnerability of healthcare systems to cyber threats occurred in 2023, when Prospect
Medical Holdings, a healthcare system operating 16 hospitals and over 165 clinics and outpatient centers
across Connecticut, Pennsylvania, Rhode Island, and Southern California, fell victim to a ransomware
attack. This cyberattack forced the closure of some facilities and left others relying on paper records,
significantly disrupting healthcare services.
Proactive Measures for Enhanced Cybersecurity
Given these challenges, healthcare organizations need to take a proactive and comprehensive approach
to cybersecurity. Despite huge advances in medical technology, limited budgets and a hesitancy to learn
new systems mean that not every aspect of the healthcare industry has kept pace. It’s critical for
hospitals using technologies that still receive system updates to keep all software on the most
recent version. This measure keeps systems reasonably secure, but eventually vendors will stop providing
updates as the software moves into “end-of-life” status.