Article by Mary Butler. This article was originally published on the Journal of AHIMA website on November 21, 2016 and is republished here with permission.
If it seems like news reports about hacking and ransomware attacks against healthcare organizations are on an uptick, the infamous Department of Health and Human Services’ “wall of shame” confirms this trend.
An analysis of recent additions to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) wall of shame finds that the rate of attacks in 2016 is already outpacing levels for comparable periods last year. A report by Healthcare Info Security found that between September and October of this year, 23 hacker or IT breaches were added to the wall of shame, compared to just eight last year. The report also showed that “there were 51 hacker/IT incidents posted on the wall of shame, compared with 87 such breaches posted in the same period this year.” The wall of shame only publishes breaches affecting 500 people or more.
Security experts say healthcare organizations are easy targets for hackers because many haven’t invested in technologies required to improve their security systems. The high black market value of healthcare records—and the types of fraud and abuse that can be perpetrated with them—mean that hackers have become more persistent and more successful.
Healthcare security consultant Mac McMillan, CEO of CynergisTek, predicts that hacking attempts on healthcare organizations will accelerate, which can make stopping them a patient safety issue. He cited a recent attack on the laboratory systems of one hospital.
“This attack may have only involved theft of information, but it could have involved disabling the system, tampering with the system itself, or corrupting the data which could lead to incorrect lab results and faulty diagnosis or treatment,” McMillan told Healthcare Info Security.
To counter attacks before they happen, Dan Berger, CEO of security consultancy Redspin, told the publication that healthcare organizations should conduct regular risk assessments, including penetration testing and social engineering, and diligently correct or mitigate any weaknesses found.