37% of healthcare organizations had no cyberattack contingency plan in place, even though half had experienced a prior attack, and even though it is well known that cyberattacks and data breaches in healthcare are rising.
Our takeaway: no matter the number and severity of warnings, absent a dramatic shift in both political and legal thinking, attacks will escalate exponentially until there are real-life consequences for inaction.
After all, it’s easy to play Russian Roulette when you know the gun that you’re pointing at your head isn’t loaded!
Or, put more directly: everyone who fought Mike Tyson 30+ years ago in his prime was fearless until a devastating left hook clocked him on the jaw or body!
About half of healthcare organizations that experienced a ransomware attack said the breach affected patient data, 34% said they failed to recover the data after the attack, and more than a quarter of ransomware attacks disrupted patient care.
Cyberattacks result in costly downtime and delay critical procedures, yet only 63% of companies report having a cybersecurity response plan in place.
Over 30% of healthcare organizations experienced a cyberattack in the last three years, and over the past five years there has been a 256% increase in large breaches involving hacking reported to the HHS Office for Civil Rights.
WHY?
Healthcare holds a disproportionate amount of sensitive data compared to other industries, the vast majority of it digital. Yet, as we have reported previously, many healthcare operators have failed to adequately encrypt this data at rest or in transit, making the industry a lucrative target for hackers.
Experts have stated that health systems MUST do more to prepare for cyberattacks, such as conducting risk analyses. As noted above, 37% of healthcare organizations had no cyberattack contingency plan in place, despite half of them having experienced an attack.
Hackers have learned that they can get patient data by targeting the many third-party technology vendors that work with health systems, which is why healthcare has become a much bigger ransomware target. Email is the weakest link, and the bad guys have figured out that they are better off going in through third-party vendors like SolarWinds or Exchange, which is why we are seeing more threat actors using vendors to get a foothold in your network.
This is why Change Healthcare, which handles patient records for 1 in 3 Americans, was targeted. Andrew Witty, CEO of Change's parent company UnitedHealth Group, confirmed that the company paid a $22 million ransom to the hackers.
In healthcare, over a third of data breaches come through third-party vendors, more than in any other industry, and they are one of the biggest risks we see.
Couple this with another fact: 55% of medical practices allowed employees more access to data than necessary.
WHY?
Surely they must be aware that human error contributes disproportionately to these targeted and malicious attacks.
Many of the organizations that fall victim to ransomware could have avoided the attack by practicing basic hygiene. Often the attack leverages a vulnerability that could have been mitigated beforehand. Patch and vulnerability management practices should be employed across the organization and serve as core components of any cybersecurity program.
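As an added example (not part of the original post and not the author's own material), here is a small Python script that turns the patch and vulnerability management point above into a concrete check: it compares a constructed asset inventory against a constructed list of advisories, flags every host still running an affected version, and reports how long the fix has been available and whether the organization's own remediation window has been exceeded. The advisory identifiers, product names, host names, versions and SLA windows are all made up for illustration; the identifiers are placeholders, not real CVEs.

```python
"""Minimal patch-exposure check over an asset inventory (added example).

All data below is constructed for illustration. Advisory identifiers are
placeholders, not real CVE numbers. Version strings are assumed to be
dotted integers (e.g. "9.2.1"); anything else would need a richer parser.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    ident: str        # placeholder identifier, not a real CVE
    product: str
    fixed_in: str     # first version that contains the fix
    published: date   # day the fix became available
    severity: str     # "critical", "high" or "medium"


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


# Constructed remediation windows, in days, per severity. Real programs set
# their own; these are only here so the check can say "overdue" or not.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Constructed advisory feed.
ADVISORIES = [
    Advisory("ADV-2024-0001", "vpn-gateway", "9.2.1", date(2024, 3, 1), "critical"),
    Advisory("ADV-2024-0002", "ehr-portal", "4.11.0", date(2024, 4, 15), "high"),
    Advisory("ADV-2024-0003", "pacs-server", "2.5.3", date(2024, 5, 20), "medium"),
]

# Constructed asset inventory: what runs where, and at which version.
INVENTORY = [
    Asset("vpn-edge-01", "vpn-gateway", "9.1.7"),
    Asset("vpn-edge-02", "vpn-gateway", "9.2.1"),
    Asset("ehr-web-01", "ehr-portal", "4.10.2"),
    Asset("radiology-01", "pacs-server", "2.5.3"),
    Asset("radiology-02", "pacs-server", "2.4.9"),
]


def parse_version(version: str) -> tuple:
    """Compare versions numerically, so 4.10.2 sorts after 4.9.9."""
    return tuple(int(part) for part in version.split("."))


def exposed_assets(inventory, advisories, today: date) -> list:
    """Return one finding per (asset, advisory) pair where the asset runs a
    version older than the fixed version. Each finding records how many days
    the fix has been available and whether the SLA window has been exceeded."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if parse_version(asset.version) >= parse_version(adv.fixed_in):
                continue  # already at or past the fixed version
            days_exposed = (today - adv.published).days
            findings.append({
                "host": asset.host,
                "product": asset.product,
                "version": asset.version,
                "advisory": adv.ident,
                "fixed_in": adv.fixed_in,
                "severity": adv.severity,
                "days_exposed": days_exposed,
                "overdue": days_exposed > SLA_DAYS[adv.severity],
            })
    # Most severe and longest-exposed first, so the report reads as a work list.
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (rank[f["severity"]], -f["days_exposed"]))
    return findings


def overdue_hosts(findings) -> list:
    """Hosts whose remediation window has already been exceeded."""
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    for f in exposed_assets(INVENTORY, ADVISORIES, date(2024, 6, 1)):
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['host']:14} {f['product']:12} {f['version']:8} -> "
              f"{f['fixed_in']:8} {f['advisory']} {f['severity']:9} "
              f"{f['days_exposed']:3}d {flag}")
```

Run against the constructed data with a "today" of 1 June 2024, the check flags three of the five hosts; the critical VPN gateway and the high-severity EHR portal are past their windows, while the medium-severity imaging server still has time. The point of the exercise is that "patch management" is only meaningful once an organization can answer, for every asset, which fix it is missing and for how long.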
The increase in breaches has drawn attention from federal regulators and lawmakers; this year it resulted in HHS releasing voluntary cybersecurity goals for the sector, and HHS is looking to propose enforceable standards.
Yet, despite a bipartisan Congressional committee, we have seen no meaningful action.
It is obvious that we need regulation and policies, BUT we also need a federally mandated ecosystem to assist with, and standards for, the cleanup and restoration activities after such an event.
We as patients deserve better!
The Biden administration plans to introduce cybersecurity requirements for hospitals. Hospitals that don’t comply could lose up to 100% of their yearly CMS payment increase and face extra penalties of up to 1% of their base payments, according to one proposal.
If HHS truly wants enforcement, we propose making these goals mandatory!
WE will continue to monitor and update you on Congressional activity, the White House proposals, and our legal environment, including the differing views of the Circuit Courts on Article III standing.
Don’t miss out on these informative topics – check out our podcasts and newsletters now!
Richard Freiberg
Profitability Consultant
Richard Freiberg CPA PC
Phone (980)339-3352
Cell (914)393-0033
www.rmfreibergcpa.com
LinkedIn
to subscribe to Cyber Insights Today
to subscribe to LinkedIn Newsletter Cyber Security
Providing valuable counsel to help boost your company’s bottom line, while navigating competitive forces, industry, and economic risks in today’s challenging environment
1 thought on “What does Mike Tyson have to do with healthcare?”
In shadows of the past,
fears unheeded, whispers grow.
Stargazing hopes dimmed by threats,
herbs tend gentle, but hearts must know.
Guardians of care, rise and shine.