Cybercriminals are increasingly targeting hospitals and other medical providers. Ascension and its local hospitals are recent victims but far from alone.
From 2018-22, there was a 93% increase in large breaches reported to the HHS Office for Civil Rights (369 to 712), with a 278% increase in large breaches involving ransomware. According to the 2023 Ponemon Healthcare Cybersecurity Report, 88% of organizations surveyed had experienced at least one cyberattack in the past 12 months (the average number of attacks was 40).
Attacks also target small hospitals and practices. The Trego County-Lemke Memorial Hospital in northwest Kansas experienced a ransomware attack last month. Wichita medical practices also have been hacked.
Even if hospitals or practices were not targeted directly, they could be impacted. The hack of Change Healthcare, the nation's largest healthcare payment system, resulted in hospitals and physicians not getting paid for care, causing many to struggle to pay their bills.
What can practices do to help block or respond to a cyberattack? Here are a few recommendations:
- Regular backups. Ensure that all sensitive data is backed up regularly.
- Cybersecurity training. Educate all staff members on the importance of cybersecurity best practices, including recognizing phishing emails.
- Update and patch systems. Keep all software and systems up to date with the latest security patches.
- Multi-factor authentication. Implement MFA to add an extra layer of security. (Change Healthcare blamed its hack on a lack of MFA.)
- Access control. Limit access privileges to sensitive data. Employees should only have access to the information necessary for their job roles.
- Network segmentation. Divide the network into segments to contain potential breaches.
- Firewall and security software. Utilize firewalls and security software to protect against unauthorized access and monitor for suspicious activity.
- Breach plan. Develop a plan for how to respond and continue to operate if a ransomware attack occurs (paper forms, whom to notify, etc.).
- Cybersecurity insurance. Consider purchasing insurance that covers cybersecurity incidents.
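The first recommendation above is only worth something if the backup can actually be restored intact, which is the step most often skipped. The following script is an added illustration, not code from the article or from any of the agencies it cites: it records a SHA-256 manifest when a backup is taken and later compares a restored copy against that manifest, flagging files that are missing, altered (as they would be after ransomware encryption) or unexpected. The sample files and directory names are constructed for the demonstration.

```python
"""Backup manifest creation and restore verification (added example).

A backup is only useful if it can be restored intact. Record a SHA-256
hash of every file when the backup is taken; after a test restore, check
the restored tree against that manifest.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree with the manifest taken at backup time.

    Returns sorted lists of paths that are missing from the restore, whose
    contents differ from the manifest, or that appear without being listed.
    """
    current = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Run the check against a clean restore and a damaged one (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample files standing in for practice data.
        src = os.path.join(tmp, "records")
        os.makedirs(src)
        with open(os.path.join(src, "schedule.csv"), "w") as f:
            f.write("2024-05-01,room 1\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("follow-up in 2 weeks\n")

        # Taken at backup time and stored alongside the backup media.
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(src), f)
        with open(manifest_path) as f:
            manifest = json.load(f)

        # Case 1: a faithful restore reports nothing.
        clean = os.path.join(tmp, "restore_clean")
        shutil.copytree(src, clean)
        clean_result = verify_restore(manifest, clean)

        # Case 2: a restore that lost one file and whose other file was
        # overwritten with unreadable bytes, as after ransomware encryption.
        damaged = os.path.join(tmp, "restore_damaged")
        os.makedirs(damaged)
        with open(os.path.join(damaged, "schedule.csv"), "wb") as f:
            f.write(b"\x00\xffencrypted-garbage")
        damaged_result = verify_restore(manifest, damaged)

        return {"clean": clean_result, "damaged": damaged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running this as part of a periodic restore drill gives a concrete pass/fail answer rather than an assumption that the backups are fine; keep the manifest on separate, offline media so the same ransomware cannot alter both.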
Practices also should do security risk assessments. The Office of the National Coordinator for Health Information Technology and the HHS Office for Civil Rights developed free, downloadable risk-assessment tools for medium and small healthcare providers. Learn more at https://tinyurl.com/32ymt4p9.
The Cybersecurity and Infrastructure Security Agency also offers several free scanning and testing services, including vulnerability scanning, web application scanning, phishing campaign assessments and remote penetration tests. Learn more and enroll at cisa.gov/cyber-hygiene-services.
Another information resource is the HHS 405(d) program, a collaborative effort between the Health Sector Coordinating Council and the federal government to align healthcare industry security practices. Visit its website at https://405d.hhs.gov. The American Medical Association also has a resource page at https://tinyurl.com/yc7mkwk4.
Security experts say preparation and training are key, because it is not a matter of whether a practice will be targeted by hackers but when and how often.