Are Health Care Records Still a Target for Computer Hackers? Absolutely, Feds Say

Alexander Supertramp_shutterstock

For health care cybersecurity, the rest of 2023 likely will bring more of the same: phishing, ransomware, and online attacks, according to government analysts.

The Health Sector Cybersecurity Coordination Center (HC3) is the online protection wing of the US Department of Health and Human Services. The title of its latest threat brief states the situation plainly: “Electronic Medical Records Still a Top Target for Cyber Threat Actors.”

Patient and worker names, dates, telephone numbers, Social Security numbers, email addresses, medical record and bank account numbers, online data, device identifiers, photos, and more all can be sold for profit, held hostage through digital encryption, or used in fraud.

“It is imperative that organizations in the health care and public health sector gain an awareness of potential risks and implement the right threat intelligence tools to quickly identify, mitigate, and prevent cyber attacks,” the threat brief said.

The 68-page document summarizes the benefits of using electronic medical records (EMR) and electronic health records (EHR). It also explains why vulnerabilities are harmful to patient privacy and providers’ pocketbooks: The average cost of a health care data breach hit $10.1 million in 2022, according to IBM’s “Cost of a Data Breach Report 2022.” Costs can include money paid to hackers, needed computer network repairs, and government-imposed penalties for violating patient privacy laws.

Examples include eight cyber attacks that happened Feb. 28 to March 20 at health systems in California, Indiana, Michigan, New York, Virginia, and Georgia. HC3 cited data from Becker’s Hospital Review.

In the law

The Strengthening American Cybersecurity Act of 2022, approved a year ago, gave businesses in critical infrastructure sectors up to 18 months to address certain policies.

• Zero Trust: Instead of trusting all devices and traffic in a trusted network, apply security controls to ensure employees have appropriate access to resources they need and continuously assess access.
• Apply the Principle of Least Privilege, granting end users the minimum levels of access, and review access regularly.
• Improve mobile device security standards and management so IT department can monitor, manage, and secure employees’ mobile devices.
• Identify and strengthen protections for systems that are likely targets for ransomware.

Meet the hackers

Examples of hacking groups include LockBit 3.0; BlackCat, also known as AlphaV; Royal; BianLian; and Black Basta, according to HC3.

The agency also published an analyst note about KillNet, a pro-Russia hacktivist group that has targeted the U.S. health and public health sectors since December 2022. KillNet has used the cyberattack method known as distributed denial of service (DDoS), which can cause service outages lasting hours or days and disrupt routine and critical daily operations. DDoS attacks also can be a distraction to cover hackers’ work elsewhere in computer networks, according to HC3.

On Jan. 28, KillNet and its affiliates launched more than 90 DDoS attacks on health care systems, hospitals, and medical centers in all states but North Dakota and Alaska, apparently in retaliation for American support for Ukraine, according to HC3.

While there is no single action to block cyber threats, HC3 recommended sources to build a defense. A good start is the Ransomware Guide published by the U.S. Cybersecurity & Infrastructure Security Agency.

[This article was originally published by our sister publication, Medical Economics.]