2020 has been a transformative year for the healthcare industry. COVID-19 underscored how essential and delicate our medical infrastructure can be. We changed our working environments and how we interact with one another.

In order to protect our physical health, we instituted remote workforces; implemented telehealth services, thermal scanners, and COVID-19 contact-tracing technology; and turned to more digital engagement and greater reliance on third-party vendors, all while researching a vaccine. The result was an increase in risk to our data health.

The attack surface of any medical, research, or healthcare institution has been hard hit, with cyber attackers recognizing the value of the information stored and transmitted. Bad actors have also identified weaknesses specific to the healthcare industry: numerous medical devices are connected to unsecured networks; devices can be outdated and behind on expensive upgrades; and staff need instant access to patient data – so, even where cyber awareness training has been conducted, in life-or-death situations a system may not be logged off properly, exposing records to hackers lying in wait.

RECENT HEALTHCARE DATA BREACHES

Universal Health Services
Breach submission date to OCR: Sept. 27, 2020
Type: Ransomware
Impact: US care sites and hospitals were affected, with outages to computer systems, phone services, the internet, and data centers, along with diverted ambulances, delayed lab results, and system shutdowns.

Magnolia Pediatrics
Breach submission date to OCR: Sept. 23, 2020
Type: Ransomware
Impact: 12,861 patients' protected health information has potentially been compromised.

Oaklawn Hospital
Breach submission date to OCR: Sept. 25, 2020
Type: Phishing attack
Impact: 26,861 patients.

OrthoAtlanta, LLC
Breach submission date to OCR: Sept. 17, 2020
Type: Hacked/cyber attack
Impact: 5,600 records; network server breached.

University of Missouri Health Care
Breach submission date to OCR: Sept. 17, 2020
Type: Phishing attack
Impact: Compromised data of approximately 180,000 patients contained in the affected accounts, including names, dates of birth, medical record or patient account numbers, health insurance information, and/or limited clinical or treatment data (such as diagnostics, prescriptions, and procedure information), and some Social Security numbers.

Piedmont Cancer Institute
Breach submission date to OCR: Sept. 15, 2020
Type: Phishing attack
Impact: Unauthorized access to the data of 5,226 patients, including names, dates of birth, financial account information, and credit and debit card information.

Nuvance Health
Breach submission date to OCR: Sept. 15, 2020
Type: Third-party vendor Blackbaud, which provides customer management and financial services to Nuvance, was breached.
Impact: Unauthorized access to potentially 314,829 names, contact information, ages, gender, dates of birth, admission dates, departments of treatment, treating physicians, and health insurance statuses.

The University of Tennessee Medical Center
Breach submission date to OCR: Sept. 14, 2020
Type: Ransomware attack on third-party vendor Blackbaud, the software provider.
Impact: Potentially 235,000 patient names, contact details, and demographic data may have been accessed.

Joslin Diabetes Center
Breach submission date to OCR: Sept. 14, 2020
Type: Third-party vendor for fundraising and donor relations, Blackbaud, experienced a ransomware attack.
Impact: May have impacted 71,160 names, dates of birth, treatment dates, treatment locations, and physician names.


REASONABLE SECURITY

As much as these institutions try to practice reasonable and appropriate cyber hygiene in a constantly changing environment, it is a monumental effort just to keep systems current and operational. Security unfortunately sometimes becomes an afterthought. Deciding how to prioritize security investments is the first step toward a reasonable security strategy. How do you define reasonable security for your organization?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Meaningful Use require that organizations implement security controls that are “reasonable and appropriate” for their organization. To comply with these guidelines, the regulations instruct each organization to (1) select its security controls based on risk assessments, and (2) oversee the effectiveness of those controls using risk management.

Your risk assessment should provide guidance on how to balance your organization's mission (what your business does), objectives (your business goals), and obligations (the care you owe to the public or others). In short, your risk assessment guides you in defining your duty of care and establishing your acceptable level of risk.

In an age of social distancing and increased digital exposure, make sure you take care – your duty of care. We can help.

Tags: Halock, Cybercare, Healthcare, Risk, HIPAA