Experts say the increased hacking can be attributed to the health care industry’s rapid move to digital, particularly amid the Covid-19 pandemic; an increase in remote work, which allows more avenues for attacks with employees using more personal devices; the financially lucrative information for cybercriminals in health care; and greater awareness of attacks across the industry, thus more reporting.
And that threat is only growing, with President Joe Biden warning Monday of potential Russian cyberattacks against the U.S.
The widespread unauthorized access of this data raises significant privacy and security concerns for consumers and the industry — costing billions every year — and highlights some of the potential consequences as health care modernizes and information flows more seamlessly.
POLITICO analyzed six-plus years of data reported to HHS’ Office for Civil Rights through Friday. HIPAA-covered organizations — including hospitals, insurers and health care systems — must report breaches of protected health information affecting 500 or more people to the office, which posts those incidents publicly on what is known in the industry as the “Wall of Shame.” Entities that are attacked are required to notify the people affected.
“Unfortunately, the industry is pretty much easy pickings, and they’re hitting it because they’re getting paid,” said Mac McMillan, CEO of cybersecurity company CynergisTek. “It’s [not] gonna slow down until we either get more serious about stopping it, or blocking it, or being more effective at it. From the cybercriminals’ perspective, they’re being successful, they’re getting paid, why would they stop?”
Health care information is highly coveted by hackers, who can sell the data on the dark web or use it fraudulently, including to file false Medicare claims and for identity theft. An individual’s health details can be worth more than a credit card, said Cindi Bassford, a partner at Guidehouse focusing on cybersecurity. And the fraudulent use of that information hurts health organizations’ bottom lines: IBM found that each data breach cost health care organizations an average of $9.23 million in 2021, more than any industry.
The industry is also particularly vulnerable to ransomware because a potential disruption in care could threaten patients’ lives, leaving many health care organizations feeling forced to pay ransoms.
The breaches reported to HHS are categorized by type, with hacking being by far the most prevalent. Other types of breaches reported include data theft — which could mean a stolen laptop — and unauthorized access, which could mean accidentally sending information to the wrong people.
Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society and a member of DHS’ cybersecurity training panel, said that hacking has become easier for cybercriminals. They’ve been more successful as open source tools allow them to better target vulnerabilities.
And cybercriminals are collaborating with each other, often selling ransomware programs to others, forming a “cottage industry,” said John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association.
Not all of the 46 million-plus individuals impacted in 2021 will suffer significant consequences as a result of their information being compromised. Many won’t realize it or understand what it means, said Carter Groome, CEO of health care risk management consulting firm First Health Advisory.
Some experts like Kirk Nahra, a privacy attorney at WilmerHale, argue that few people whose information is compromised are meaningfully affected. But others say the exposure is considerable.
“If you believe that there’s confidential medical information about you floating out there, that eats at you, because you really don’t know the impact,” said Harry Greenspun, partner and chief medical officer at Guidehouse, an advisory firm.
Genomic information could be damaging and potentially used in extortion schemes, Greenspun said. Cybercriminals could potentially use that data to find children a parent has never acknowledged or disclose that a politician might be predisposed to dementia.
The total number of reported breaches is also up because health care organizations have become more aware they are happening, experts say.
The move to remote work in recent years and most recently because of the Covid-19 pandemic is another reason, experts say. With remote work comes a lack of onsite IT support, Greenspun said. The need for companies to move quickly to stand up remote work has prompted many organizations to delay implementing security patches, he said.
Plus, many employees use their own personal devices for work, which can make businesses more vulnerable.
“You’ve got kids doing Zoom for school, everyone’s doing all sorts of stuff on it,” Greenspun said. “So it’s a much less secure environment and many fewer controls. It opens the door for opportunistic folks.”
The effort to let health care data flow more freely is also a factor, experts say.
For years, the industry has pushed to facilitate better health information sharing, which has been historically stymied with data siloed between health organizations. The 21st Century Cures Act, signed into law by former President Barack Obama, mandated that health care organizations share more data to enable better coordination of care.
“Because data starts to move around more freely, this is sort of the cost of doing business,” said Aaron Maguregui, senior counsel at Foley & Lardner.
