COVID-19, Ransomware, Breaches Led 2020 Health IT Security Trends
The COVID-19 outbreak reshaped HHS HIPAA sanctions and enforcement discretion in 2020, which topped health IT security trends, alongside ransomware and data breaches.
In terms of healthcare cybersecurity and overall data breaches, data from 2021 will likely show a year of massive cybercriminal activity and a spike in reported events during the second half of the year. Overall, the leading healthcare cybersecurity trends were dominated by the changing landscape brought on by the COVID-19 pandemic.
Indeed, reports during the first half of the year showed that reported ransomware incidents significantly declined from the huge wave of attacks that ended 2019.
However, security researchers and even federal agencies stressed that malicious activities were maintained despite fewer reports and that providers and other organizations needed to remain on guard against the likely resurgence of attacks in the second half of 2020.
Almost like clockwork, hackers, particularly nation-state actors, began preying on the healthcare sector in record droves by the fall. Further, data exfiltration was found to occur in about half of all ransomware attacks.
Given the dominance of COVID-19, ransomware, and massive breaches, such as those at Blackbaud, HealthITSecurity.com examined the leading cybersecurity trends in healthcare last year and their potential impact on 2021 security decision making.
COVID-19 and HHS HIPAA Enforcement Discretions
By the end of March and the declaration of the national emergency brought on by COVID-19, threat actors were leveraging the pandemic in a host of fraudulent schemes and phishing attacks.
Using lures based on ongoing coronavirus trends, hackers peppered all sectors and the newly remote workforce with massive campaigns that preyed on those fears.
As the use of videoconferencing platforms rapidly expanded to support remote workers, healthcare, telehealth, and the education sector, threat actors quickly pivoted to target the platforms.
In one of the biggest examples, Zoom saw a near 400 percent increase in use during the first half of the year, and hackers targeted its domains in response.
The platform also faced a host of scrutiny for some of its security policies and measures, leading to several investigations, the launch of a security board to enhance its cybersecurity, and even a settlement with New York to resolve some of those privacy and security-related issues.
Part of the increased Zoom use was driven by the Office for Civil Rights lifting certain HIPAA penalties around telehealth use. Those actions allowed for a wider use of platforms not previously deemed HIPAA-compliant, as a method to expand telehealth to keep patients safe during the outbreak.
Those measures drove the expansion of telehealth use, while the Department of Health and Human Services also issued a limited waiver of HIPAA sanctions due to the pandemic. The impact of these efforts has yet to be fully calculated, but some healthcare stakeholders have expressed support for making some of these measures more permanent.
Lastly, the need for improved contact tracing spurred the need for apps. However, the partnership between Google and Apple that would build the background support for the tech spurred a massive debate on the privacy and security of the platforms.
Industry stakeholders outlined the potential harms, while studies found the majority of contact tracing apps lacked adequate security. Unfortunately, contact tracing apps have yet to receive the widespread adoption needed to be effective enough to contain the spread of the disease.
Healthcare Data Breaches
As so often is the case, the leading healthcare data breaches were a prime concern for the healthcare industry in 2020. Those trends included the biggest breaches from the previous year, as well as the ongoing security incidents impacting the sector.
The largest breach of the year was caused by a ransomware attack at Blackbaud, which has affected more than two dozen providers and millions of patients. A complete total of victims has yet to be calculated, as HHS continued to input the affected providers into its breach reporting tool by the end of the year.
It was first believed that the incident only affected relatively minimal information. However, a later filing with the Securities and Exchange Commission revealed the attack impacted a far greater amount of sensitive data, including Social Security numbers. The SEC filing prompted at least 10 different lawsuits.
First reported in May, the data breach on Magellan Health also gained strong attention. Hackers gained access to the provider’s network for five days through a social engineering phishing attack that impersonated a client of the provider.
What’s worse, before the ransomware was deployed, the hackers first exfiltrated data from a single corporate server. By July, the breach victim tally had reached 365,000 patients from a host of Magellan clients that included Merit Health Plan, UF Health, and the University of Florida Health.
The Magellan breach was also one of the largest reported in the healthcare sector in 2020.
Ransomware
In a similar fashion to 2019 numbers, reported ransomware incidents began to decline in the second and third quarters of 2020. But by September, a wave of ransomware attacks heavily targeted the healthcare sector, often led by nation-state actors and double extortion hacking groups.
Many of the ransomware breach victims were driven into EHR downtime procedures, some for well over a month. The incident at the University of Vermont Health Network spurred the Governor to send the Army National Guard to help in the recovery efforts, and the incident will reportedly cost the provider millions to fully recover.
One of the largest ransomware incidents was first brought to light by a Reddit thread initiated by employees of Universal Health Services. All 400 UHS sites were impacted by the attack, and it took the health system more than three weeks to bring all systems back online.
As the healthcare sector moves into the new year, COVID-19 will continue to dominate the threat landscape and overall hacking risks. Meanwhile, a host of security leaders have stressed that ransomware will only get worse in 2021. As such, it’s imperative that providers move quickly to shore up vulnerabilities and improve overall cyber posture.