At Least 141 Hospitals Were Directly Affected by Ransomware Attacks in 2023

Last year was a particularly bad year for ransomware attacks. According to an analysis by the cybersecurity firm Emsisoft, 46 hospital systems suffered ransomware attacks in 2023, up from 25 in 2022 and 27 in 2021. Across those 46 attacks, at least 141 hospitals were directly affected and experienced disruption due to the lack of access to IT systems and patient data.

It is difficult to accurately report on ransomware attacks in the healthcare sector, as many victims fail to disclose whether ransomware was used. Breach notification letters to the affected individuals and state Attorneys General often describe ransomware attacks as cyberattacks, unauthorized access, hacking incidents, security incidents, or encryption events, and as such, the number of attacks experienced in the sector is likely to be significantly understated. Emsisoft’s State of Ransomware in the U.S.: Report and Statistics 2023 reveals 2,207 U.S. hospitals, schools, and governments were directly impacted by ransomware in 2023 and many others were indirectly impacted via attacks on their supply chains.

Without access to patient records and essential IT systems, hospitals are often forced to put their emergency departments on redirect, with ambulances sent to neighboring healthcare facilities. Other hospitals in the region are placed under increased strain due to the sharp rise in patient numbers, and the resulting resource constraints have a negative impact on the care of time-sensitive conditions such as acute stroke.

The outages caused by these attacks mean scheduled appointments often need to be canceled and rescheduled, and bottlenecks occur in lab testing and radiology. The result is delayed diagnosis and treatment, longer patient stays, and slower patient throughput, and the disruption inevitably leads to poorer patient outcomes. While there have been no reported deaths in the United States directly attributed to a ransomware attack, studies have shown that medical complications and mortality rates increase following an attack. One study, conducted by McGlave, Neprash, and Nikpay of the University of Minnesota School of Public Health, found that in-hospital mortality increased for patients who were already admitted at the time of a ransomware attack. The attacks also caused a 17%-25% reduction in hospital volume during the initial attack week, and the researchers estimated that between 2016 and 2021, ransomware attacks killed between 42 and 67 Medicare patients.

These attacks naturally have a significant financial impact. According to the IBM Security Cost of a Data Breach Report, the average cost of a healthcare data breach rose to its highest ever level in 2023, almost $11 million, a 53% increase since 2020. Emsisoft said 32 of the 46 attacks on health systems resulted in sensitive data, including protected health information, being stolen.

The average ransom payment in 2018 was $5,000, but by 2023 the average payment had increased by 29,900% to around $1.5 million. The increased profits from ransomware attacks allow ransomware groups to scale their operations, pay initial access brokers, and purchase zero-days, which means even more attacks can be conducted. Fewer victims are now paying ransoms, which means ransom demands need to increase to make up for the shortfall. Some ransomware groups have also started engaging in more aggressive tactics, such as contacting patients directly and demanding payment. Some attacks on plastic surgery centers have resulted in intimate images being publicly posted and patients being told they needed to pay to have those images removed from the Internet. One group contacted individual patients, threatened to release their sensitive data, and demanded $50 per patient to delete it.

Many ransomware groups operate out of countries that turn a blind eye to the attacks, and some nation states are thought to use ransomware groups as proxies. While international law enforcement operations have successfully disrupted some ransomware groups, the individuals involved are rarely brought to justice. With so much money involved and a low risk of being caught, attacks are unlikely to decrease and may well continue to increase. The solution suggested by Emsisoft and many other experts is simple. Since ransomware attacks are conducted by financially motivated threat actors, making attacks unprofitable is the most direct way of tackling the problem. Governments should therefore ban ransom payments and cut off this very lucrative income stream.

“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them,” said Emsisoft Threat Analyst, Brett Callow. “The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”

The post At Least 141 Hospitals Were Directly Affected by Ransomware Attacks in 2023 appeared first on HIPAA Journal.

Examples of HIPAA Violations by Employers

Examples of HIPAA violations by employers are easy to find because almost every avoidable HIPAA violation is indirectly attributable to an employer’s failure to implement adequate privacy and security measures, failure to effectively train members of the workforce, or failure to monitor HIPAA compliance. Over the next few years, these failures may become expensive for employers in – or providing a service to – the healthcare industry.

Employers in their role as a covered entity or business associate have the ultimate responsibility for HIPAA compliance. They are responsible for complying with all applicable federal and state regulations, for developing workplace policies and procedures, and for ensuring the policies and procedures are complied with. While these responsibilities may sometimes be delegated to a third party, employers are usually responsible for selecting the third party.

When avoidable HIPAA violations occur, they represent a compliance failure by an employer. Although the violations most often manifest as a data breach, unauthorized access to PHI, or an impermissible disclosure, the root cause is more likely to be the failure to conduct an accurate and thorough risk analysis, identify reasonably anticipated threats and vulnerabilities, and implement adequate measures to prevent violations attributable to the threats and vulnerabilities.

Avoidable vs. Unavoidable HIPAA Violations

To best explain why avoidable HIPAA violations are examples of HIPAA violations by employers, it is important to distinguish between avoidable and unavoidable HIPAA violations.

Avoidable HIPAA violations are those in which reasonably anticipated threats exist, but they are either not identified in a risk assessment or inadequate measures are implemented to prevent them. Examples of HIPAA violations by employers in this category include data breaches attributable to “Hacking/IT Incidents” where the risk of remote, unauthorized access has been identified, but the employer has failed to implement a robust password policy supported by two-factor authentication.

Unavoidable HIPAA violations occur when an employer has conducted an accurate and thorough risk analysis and implemented measures to prevent HIPAA violations, but violations still occur. Examples of unavoidable HIPAA violations include a healthcare professional accidentally disclosing more than the minimum necessary PHI, or a member of the IT team misusing their login privileges to steal a database of medical records and sell it on the Internet.

How Many Avoidable HIPAA Violations Occur Each Year?

It is impossible to determine how many avoidable HIPAA violations occur each year because most violations are reported internally – either by a member of the workforce to their supervisor or by a member of the public to the organization’s Privacy Officer. Relatively few HIPAA violations that do not involve data breaches are reported to – or escalated to – HHS’ Office for Civil Rights (around 5,000 per year), and these mostly relate to impermissible disclosures or the denial of patients’ HIPAA rights.

All data breaches have to be notified to HHS’ Office for Civil Rights. The majority of data breaches qualify as examples of HIPAA violations by employers because 75% of breaches affecting 500 or more individuals are attributable to Hacking/IT Incidents (per the 2021 report) – of which 80% are attributable to brute force attacks on weak passwords and employee susceptibility to phishing. Both causes can be mitigated by implementing a robust password policy supported by two-factor authentication.

Specific Examples of HIPAA Violations by Employers

In 2021 – the most recent year for which data is currently available – HHS’ Office for Civil Rights (OCR) received more than 64,000 notifications of data breaches. However, it is only possible to view the details of around 600 of these data breaches because OCR is only required to publish details of data breaches affecting 500 or more individuals. These specific examples of HIPAA violations by employers can be found in the Archive section of the HHS Breach Report and include:

  • In December 2021, the Barlow Respiratory Hospital in Los Angeles notified OCR of a ransomware attack affecting more than 10,000 individuals. OCR responded by providing “technical assistance regarding the HIPAA Rules” – implying the employer had not complied with all applicable regulations.
  • In November 2021, the Howard University College of Dentistry in DC notified OCR of a ransomware attack affecting more than 80,000 individuals. The breach report reads “the CE implemented additional administrative, physical, and technical safeguards to better protect PHI” – implying adequate measures did not exist beforehand.
  • In October 2021, an employee of the Community Eye Center of North Carolina was the victim of an email phishing attack that compromised the PHI of 149,804 individuals. In response to the breach, “staff were retrained on email security” – something that should have been part of an ongoing security awareness training program.
  • In September 2021, an employee of the Kentucky-based health plan – Humana Inc. – emailed the PHI of 948 individuals to the wrong recipients. This type of data breach occurs frequently and is a reasonably anticipated threat that can be avoided with properly configured Data Loss Prevention for email.

Somewhat surprisingly, in 2021 only two data breaches resulted in a financial penalty. A further twelve financial penalties were issued for Right of Access failures. While not all of the remaining ~70,000 complaints and notifications were examples of HIPAA violations by employers, the impression is that OCR does not have adequate resources to effectively enforce HIPAA compliance. However, that might soon be about to change – making non-compliance expensive for employers.

Potential Changes to HIPAA Enforcement in 2024

There are two potential changes to HIPAA enforcement in 2024. The first relates to the “settlement sharing” requirement of the HITECH Act which is yet to be actioned due to the challenges of defining harm and settling on a fair method of settlement sharing. OCR issued a Request for Information in 2022 to move forward with this requirement; and, if the challenges are addressed, OCR could come under pressure from victims of data breaches to issue more financial penalties for HIPAA violations.

More recently, in December 2023, HHS published a Healthcare Sector Cybersecurity Strategy which includes proposals to develop new Security Rule standards to combat cybercrime. Not only would noncompliance with the new Security Rule standards be proactively sanctioned by OCR, but noncompliance could also result in expulsion from CMS’ Medicare program – potentially a far more expensive penalty for employers in – or providing a service to – the healthcare industry.

Covered entities and business associates concerned that the examples of HIPAA violations by employers mentioned in this article might in future be punishable by financial penalties – or might affect their future eligibility for participation in Medicare – are advised to seek professional HIPAA compliance advice.

The post Examples of HIPAA Violations by Employers appeared first on HIPAA Journal.