Cybersecurity Awareness Month (CAM) kicked off its 18th year on October 1st. CAM was launched by the National Cyber Security Alliance and the U.S. Department of Homeland Security in October 2004 to stress the importance of cybersecurity and keep Americans secure online. This year’s theme is being cyber smart, and with healthcare data breaches costing an average of $9.23 million in 2021, a 29.5% increase over 2020 according to the IBM Cost of a Data Breach Report 2020, it is more important than ever for healthcare organizations to understand what they can do to mitigate a data breach.
That is particularly true because healthcare is a bullseye for hackers. In the first seven months of 2021, there were 2,084 ransomware complaints, a 62% increase from the previous year, and more than $16.8 million in losses, a 20% increase over the same time period a year earlier. Some of these attacks took place in private practices, while others took place in hospitals.
There are two options for healthcare organizations when considering a payment and data security strategy – they can “defend the fort” and put up stronger perimeter defenses, or they can “devalue the data” so that if a hacker makes it into the system, they find no clear-text information to leverage or sell.
On December 7th at 12 pm EST, Bluefin and our healthcare partner, ABILITY® Network, will host an educational webinar on a crucial piece of data devaluation – PCI-validated point-to-point encryption (P2PE). Our webinar will overview how PCI P2PE immediately encrypts payment data at the point of entry in healthcare organizations, the PCI scope reduction and cost savings that P2PE provides, and the ease of implementation through Bluefin and ABILITY.
Why Is the Healthcare Industry an Easy Target?
Cybercriminals’ number one motivation to attack healthcare is money. Healthcare providers intake and store valuable payment and patient data that can be sold on the Dark Web, or leveraged for payout in the event of a ransomware attack. Since health organizations don’t want to disrupt care, many will pay the ransom immediately. Another easy way for hackers to make money is to steal patients’ information and create “identity kits,” which can go for as much as $2,000 on the Dark Web.
According to a recent poll, many hospital IT teams do not prioritize cybersecurity investments, and the majority of hospitals are vulnerable to some of the most prevalent threat vectors. Healthcare organizations should be prepared for cyberattacks because it’s not a matter of “if” a hacker will try to breach a healthcare system, it’s a matter of “when.”
2021 Healthcare Data Breaches
University Medical Center, Las Vegas
Number of Records: 1.3 million
University Medical Center (UMC) was attacked by a hacker group known as REvil, which is responsible for other high-profile ransomware attacks. REvil accessed a server used to store data in mid-June and posted images of Nevada driver’s licenses, passports and Social Security cards on the internet. Posting stolen data online is typically done to pressure the organization into paying the ransom. In UMC’s statement, the hospital didn’t acknowledge the ransom, but said there is no evidence that any clinical systems were accessed in the attack; however, if patient or employee personal information was put at risk, those affected would be notified.
Brett Callow, a threat analyst with cybersecurity firm Emsisoft, said, “At least 32 health care providers around the country have been affected by ransomware this year. At least 285 individual sites have had patient care disrupted. The group claiming the UMC attack has been responsible for a number of other high-profile attacks around the country, including one demanding $42 million.”
Atlanta Allergy & Asthma, Atlanta
Number of Records: 9.8K
The largest allergy group in Metro Atlanta, Atlanta Allergy & Asthma (AAA), was hacked in January. On January 5th and 13th, unusual activity was discovered on AAA’s network. Protected Health Information (PHI) had been taken from the system, including birth certificates, Social Security numbers, diagnosis, treatment information and charges, physician lists, banking details, therapy site, dates of treatment, and client health insurance data.
St. Joseph’s/Candler, Savannah
Number of Records: 1.4 million
Between December 18th, 2020 and June 17th, 2021, fraudsters had access to St. Joseph’s/Candler’s IT network; the intrusion was not detected until June 17th. Surgeries and procedures were not cancelled, but the attack did temporarily halt telephone communications and handicap computer systems, making certain files inaccessible. The fraudsters potentially could have accessed personal information including: name in combination with address, date of birth, Social Security number, driver’s license number, billing account number, and financial information. This is also believed to be a ransomware attack.
How Your Healthcare Organization Can Be Cyber Smart
From the computer network to medical devices, it just takes one blood pressure cuff to be hacked, and there could be a ripple effect. There is a lot you and your IT team can do so you are not the next victim.
- Educate employees on best data security practices, how to use medical devices, and how to spot potential attacks.
- Healthcare organizations need to secure medical devices, mobile devices, and networks. Ensure that connected medical devices have the latest software.
- Password requirements need to be strong and passwords changed every 90 days.
- Email and phishing scams are becoming more elaborate and sophisticated, posing as colleagues and contacts. Employees need to be educated on how to spot phishing and email scams.
Bluefin and Ability Can Help Your Healthcare Organization Be Cyber Smart
In a world rife with data security threats, one of the best ways you can protect your data is by making sure it never traverses your system. Bluefin’s PCI-validated P2PE and tokenization solutions are designed to do just that.
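To make the “devalue the data” idea from earlier in the post concrete, here is an added illustration (not Bluefin’s or ABILITY’s code, and not how a PCI-validated P2PE terminal works internally, since real P2PE encrypts inside the validated device with keys the provider, not the hospital, holds). It simulates a token vault that lives outside the hospital’s network, a billing system that stores only tokens, and a breach-impact check that scans stored records for anything that looks like a live card number. The `TokenVault`, `process_payment` and `clear_text_pans` names, and the sample card number (a well-known test number, not a real account), are constructed for the example.

```python
"""Data devaluation sketch: tokenize card numbers (PANs) in an isolated vault
so the application database holds nothing a thief can sell.

Added example, not Bluefin's or ABILITY's code. Real PCI P2PE encrypts inside
a validated terminal with keys the merchant never holds; this stand-in shows
the tokenization side and a "did clear text leak?" check."""
import re
import secrets

PAN_RE = re.compile(r"\d{13,19}")  # card numbers are 13 to 19 digits long


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for an isolated token vault (hosted by the P2PE/tokenization
    provider, never inside the hospital's own network)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and PAN_RE.fullmatch(pan) and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:  # same card always maps to the same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep the last four digits for receipts
            # A token must never pass Luhn, so it cannot be mistaken for (or
            # used as) a live card number, and it must be unique in the vault.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; the billing app never calls this."""
        return self._pan_by_token[token]


def process_payment(vault: TokenVault, pan: str, amount: str, patient_id: str) -> dict:
    """What the hospital's billing system stores: a token, never the PAN."""
    return {"patient_id": patient_id, "amount": amount, "card": vault.tokenize(pan)}


def clear_text_pans(records: list[dict]) -> list[str]:
    """Breach-impact check: scan stored records for live-looking card numbers
    (13 to 19 digit runs that pass Luhn). Tokens are built to fail this test."""
    found = []
    for rec in records:
        for value in rec.values():
            for run in PAN_RE.findall(str(value)):
                if luhn_valid(run):
                    found.append(run)
    return found


if __name__ == "__main__":
    # Constructed sample: a widely used test card number, not a real account.
    SAMPLE_PAN = "4111111111111111"
    vault = TokenVault()
    devalued = [process_payment(vault, SAMPLE_PAN, "125.00", "P-0001")]
    fort_only = [{"patient_id": "P-0001", "amount": "125.00", "card": SAMPLE_PAN}]
    print("stored token:", devalued[0]["card"])
    print("PANs exposed if the app DB leaks (tokenized):", clear_text_pans(devalued))
    print("PANs exposed if the app DB leaks (clear text):", clear_text_pans(fort_only))
```

The point of the `clear_text_pans` scan is the comparison in the last two lines: with “defend the fort” alone, a leaked billing table yields the card number; with the data devalued, the same leak yields a token that the vault alone can resolve, so the attacker has nothing to sell.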
Bluefin and ABILITY partnered to provide an extra level of P2PE security through ABILITY’s SECUREPAY patient payment solution. The partnership enables ABILITY customers to leverage a premium Patient Payment product that utilizes state of the art encryption and security services provided by the Bluefin P2PE solution.
To learn more about how Bluefin and ABILITY can secure your data, join us on December 7th at 12 pm EST for our webinar, Securing Healthcare Payments with PCI-Validated Point-to-Point Encryption.
About ABILITY® Network
ABILITY® Network, an Inovalon Company, is a leading cloud-based, SaaS information technology company helping providers and payers simplify the administrative and clinical complexities of healthcare through innovative applications and data analytics. The combination of myABILITY and the Inovalon ONE™ Platform creates a vertically integrated cloud-based platform empowering the achievement of real-time value-based care from payers, manufacturers, and diagnostics all the way to the patient’s point of care.