Health care cyber events cost an estimated $13 billion and increased by 55% in 2020, according to a new report that found it takes an average of 236 days for health care firms to recover from breaches.
Cloud security firm Bitglass analyzed data from the U.S. Department of Health and Human Services to find that hacking and IT incidents were the top sources of compromise and lost records last year, causing over 67% of all breaches. The number of data breaches jumped to 599 from 386 in 2019, and the average cost per breached record rose to $499—up from $429.
According to the report, hacking and IT incidents have increased significantly since 2018, accounting for 91.2% of all breached health care records. During the same period, loss/theft and unauthorized disclosure have remained steady as less-frequent occurrences.
“In 2014, lost and stolen devices were the leading causes of security breaches in health care, while hacking and IT incidents were the least common causes,” according to Bitglass. “Today, things have essentially inverted. Each year since 2015, hacking and IT incidents have been exposing more records than any other breach type. These results demonstrate the heightened impact of cybersecurity breaches, the shifting strategies of malicious actors and how health care organizations are grappling with cybersecurity.”
California led the nation in breaches at 49, followed by Texas at 43, New York at 39, and Pennsylvania and Florida at 38. Many of the breaches occurring in 2020 were a byproduct of the Blackbaud ransomware attack.
The Department of Health and Human Services (HHS) Office for Civil Rights maintains a tally of reported health care breaches, with 47 new events occurring since Jan. 1. The 32 events reported in January 2021 were well below the 62 reported in December 2020, according to an analysis conducted by the HIPAA Journal. One of those January breaches occurred at the Florida Healthy Kids Corporation due to unpatched software vulnerabilities at a third-party IT vendor. The breach is estimated to have occurred over a seven-year period, involving names, birthdates, email addresses, telephone numbers, addresses, Social Security numbers, insurance information and significant financial information.
Cybersecurity for hospitals and health care organizations remained a key theme of 2020, as providers struggled to keep pace with both the COVID-19 pandemic and cyber threats.
The HHS numbers do not necessarily capture the full picture of ransomware’s impact on hospitals around the world and, in the last quarter of 2020, the threat only worsened, according to a report from Check Point. The trend is not isolated to the United States—two French hospitals recently fell victim to ransomware.
Since November 2020, Check Point has observed a 45% increase in attacks against health care organizations around the world, compared to a 22% increase against other sectors. While attacks also include botnets, DDoS and other hacks, ransomware is showing the biggest increase, according to the firm, with the Ryuk ransomware strain particularly prevalent.
The major motivation for threat actors with these attacks is financial. They are looking for large amounts of money, and fast.
“It seems that these attacks have paid off very well for the criminals behind them over the past year, and this success has made them hungry for more,” according to Check Point. “It is also important to note that unlike common ransomware attacks—which are widely distributed via massive spam campaigns and exploit kits—the attacks against hospitals and health care organizations using the Ryuk variant are specifically tailored and targeted.”