Cybersecurity breaches in healthcare continued at an alarming rate throughout the year, affecting operations and patient safety, while government agencies and policymakers focused on ways to improve resilience.
Also known as the “Wall of Shame,” the U.S. Department of Health and Human Services’ Cases Currently Under Investigation page details hundreds of breaches reported by healthcare organizations across the United States over the last 24 months. The number of threats – and the cost of those threats – continues to rise.
While healthcare industry organizations work with federal lawmakers on ways for government to help address the relentless cybersecurity attacks on critical healthcare infrastructure, the industry is hyper-focused on issues like how to move the needle on third-party cybersecurity, collaborating to improve cyber preparedness and best practices for initiating cybercrime investigations. Here are Healthcare IT News’ most-read privacy and cybersecurity stories of 2022.
EHR vendor hit with a lawsuit following a data breach. In January, Tennessee-based QRS, which provides EHR and practice management software, was accused of failing to implement recommended threat measures to prevent and detect cyberattacks stemming from an August 2021 data breach of its patient portal. “QRS failed to reasonably secure, monitor, and maintain the protected health information and personally identified information stored on its patient portal,” the plaintiff said.
CommonSpirit still working to restore EHR systems after a ransomware attack was confirmed. The October cyberattack caused a widespread outage at CommonSpirit hospitals and medical facilities across several states. After the 2017 merger of Dignity Health and Catholic Health Initiatives, the system became the second-largest non-profit hospital chain, with more than 350 hospitals nationwide. Lost access to medical records and patient portals, delayed medical procedures, canceled appointments, and other disruptions plagued operations at upward of 140 facilities. After further investigation, CommonSpirit discovered that the breach had also exposed protected data held by Virginia Mason Franciscan Health.
PATCH Act seeks to shore up security for medical devices and IoT networks. In April, Sens. Tammy Baldwin, D-Wisconsin, and Dr. Bill Cassidy, R-Louisiana, introduced the Protecting and Transforming Cyber Health Care Act to implement a series of new requirements for medical device and network security. While the PATCH Act, which would have amended the Food, Drug, and Cosmetic Act, was not passed this year, the FDA released a draft medical device cybersecurity guidance in April and worked with MITRE to release an incident preparedness and response playbook.
FBI spotlights cybersecurity risks of outdated medical devices. The FBI released recommendations to address a number of cybersecurity vulnerabilities in active medical devices like insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps. The agency found an average of 6.2 vulnerabilities per medical device and that 40% of medical devices at the end-of-life stage offer little to no security patches or upgrades.
FBI and CISA warn of Zeppelin ransomware targeting healthcare. In August, the FBI and Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a joint alert that Zeppelin ransomware, a derivative of the Delphi-based Vega malware family, was being used in cyberattacks aimed at healthcare organizations. Cybercriminals have deployed Zeppelin against a wide range of critical infrastructure organizations since 2019, requesting high ransom payments in bitcoin and exfiltrating data, according to CISA. The alert outlined the tactics, techniques and procedures, and incidents of consequence as well as recommendations to help hospitals and health systems mitigate its risks.
Cybersecurity incident disrupts operations at Tenet hospitals. In April, Dallas-based Tenet Healthcare suffered disruptions to some of its more than 550 acute-care operations that included turning ambulances away in Massachusetts and losing access to EHRs in Florida. The company halted operations as a result of the cyber breach and provided few details in its announcement one week later.
Kaiser Permanente employee allegedly breaches EHR. In November, the Kaiser Foundation Health Plan of the Mid-Atlantic States announced that one of its employees inappropriately accessed portions of medical records for patients, exposing patient demographics and medical information, including photos. During discussions about insider threats at the recent HIMSS 2022 Cybersecurity Forum, many healthcare IT professionals expressed their concerns about access management.
Hospitals still don’t have a handle on their IoT devices. The Insecurity of Connected Devices in HealthCare 2022 report from Cynerio and The Ponemon Institute released just after mid-year detailed some alarming trends for healthcare, including widespread and repeated attacks, financial losses measured in the millions, and frequent failures to take basic cybersecurity measures.
FDA releases medical device cybersecurity draft guidance. Replacing guidance issued in 2018, the FDA published draft guidelines in April to help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats. The agency accepted comments on “The Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” through July.
A direct line between hospital cyberattacks and patient mortality, report shows. Based on a poll of more than 640 IT and security leaders, The Ponemon Institute found that 89% of the surveyed organizations experienced an average of 43 attacks over the past year – averaging almost an attack each week. The September report indicated that of those health systems experiencing the four most common types of cyberattacks, 20% said they have subsequently experienced increased patient mortality rates.