COVID-19 leads to explosion in cyberattacks, data breaches

Dive Brief:

The COVID-19 pandemic has created an upheaval in healthcare cybersecurity, according to a new report from CI Security, as the use of personal devices to conduct work tasks has boomed.
And despite the dramatic growth in telehealth services, "many healthcare organizations are still struggling to implement digital health initiatives in a secure manner," according to the report. Telehealth became vulnerable to attack almost as soon as providers began relying on it to treat patients.
CI Security analyzed breaches publicly reported to HHS, and the results are grim. Breach reports were up 35.6% in the second half of 2020 compared to the first half, while the number of patient records that were breached increased more than 180%, although the bulk of those incidents are tied to business associates rather than providers directly. However, CI Security officials fear that the situation will continue to deteriorate in 2021 unless healthcare organizations take proactive steps.

Dive Insight:

COVID-19 has impacted virtually every facet of healthcare delivery, so perhaps it's not surprising that cybersecurity has suffered during the pandemic. Remote interactions between patients and their providers grew exponentially virtually overnight, leaving little time to ensure all bases were covered regarding security precautions.

The CSI Security report comes on the heels of one from the Watchdog group ECRI earlier this month that flagged third party operating systems and other software incorporated into medical devices, especially components no longer supported by the vendor, as major cybersecurity risks.

ECRI's top 10 medtech hazards list for 2021 also warned that the rapid adoption during the pandemic of telehealth and remote operation of medical devices designed for bedside use both increased the risk of cybersecurity breaches and tampering.

When it comes to malware, the CSI Security report noted that the use of highly effective computer viruses such as the Ryuk ransomware used to attack Universal Health Services was made even more challenging by the fact it is often programmed to hibernate for months at a time, perhaps leading some organizations to let down their guard.

As a result, the number of breach reports leapt from 270 during the first half of last year to 366 in the second half, according to the CI Security report. The number of patient records breached grew at even a faster rate, from 7.6 million in the first half to 21.3 million in the second half.

CI Security officials said the second-half jump was not surprising since "healthcare providers were so consumed by the sudden onset of the pandemic, and so busy asking for exceptions to their standard security plans in order to respond to rapidly changing COVID-related conditions, they didn't report breaches in a timely manner; or that they were breached, but didn't know it yet."

At least two major breaches that occurred during the first half of the year weren't discovered until the second half, according to the report.

Of the breaches that occurred, 97% were the result of deliberate hacking as opposed to misplaced computers or flash drives. One statistic that vindicates providers slightly: 75% of the breaches were tied to business associates of providers or third parties, suggesting that non-providers need to ramp up their security as much if not more than the rest of the healthcare community.

In fact, the recommendations made by the report focused on vigilance regarding business associates. CSI Security recommended vetting vendor contracts to ensure they spell out what happens in case of a breach; making security a priority among business associates; putting a special focus on telehealth services; securing work-at-home environments; and deploying identity and access management software.