Here is a list of the top five information security and privacy events of 2020 in the healthcare space, as rated by the Chief Information Security Officer of the premier provider of Vendor Privileged Access Management (VPAM) software to the healthcare sector, along with lessons learned to apply in 2021 so that we can learn from other companies' mistakes.
- The first death from ransomware: This virulent form of malware ran wild in all industries, but particularly in healthcare, where lives depend on systems and networks staying available. Sadly, a patient at a hospital in Düsseldorf, Germany, became the first death publicly attributed to a ransomware attack: with the hospital's systems encrypted and its emergency department closed to new admissions, the patient had to be diverted to a more distant hospital. Expect this to happen more often as ransomware criminals try to inflict the maximum pain, both cyber and real-world, to generate more profit from their illicit efforts. Hopefully, we will see the first successful prosecution of "murder by ransomware" in 2021.
- Nation-state hackers go after pandemic relief efforts: The biggest story in the world was the pandemic of 2020, rivaling the Spanish flu pandemic of 1918-1919. Its effect on the healthcare industry was significant, as resources were diverted to deal with patient overload and staff losses. But hackers weren't satisfied merely to take advantage of an industry while it was down: there were documented efforts, several of them publicly attributed by Western governments to state-sponsored groups, to break into vaccine research, the vaccine supply chain and other critical medical resources. Whether the motive was profit or national advantage is still unclear, but more intellectual property theft like this can be expected against the medical advances that will come out of these tragic events.
- California privacy law goes into effect: While individual states have had privacy legislation before, the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, with enforcement beginning July 1, 2020, was the first in the nation to give consumers broad rights over the personal information businesses collect about them, including the right to know what is collected, to have it deleted, and to opt out of its sale. It is similar in spirit to the GDPR, adopted by the EU in 2016 and in force since 2018. Given California's size and influence over national commerce, as well as its being home to most big tech companies, other states are likely to follow suit, with a national privacy law effort potentially following in 2021.
- Mass ransomware attack on hospital network: In September 2020, Universal Health Services (UHS) was hit with Ryuk ransomware that spread across its corporate network to roughly 400 affiliated hospitals and care facilities. It disrupted many of their operations, forcing staff back to offline paper processes, and highlighted the dangers of large, interconnected healthcare networks such as theirs. Like the 2019 attack on 22 Texas municipalities, which was delivered through a single shared managed service provider, these coordinated "mass" attacks will continue, because hitting many victims at once overwhelms incident response and causes the maximum amount of chaos.
- Third-party vendor attack affects dozens of healthcare organizations: Cloud software vendor Blackbaud suffered a ransomware breach in which Protected Health Information (PHI) was exfiltrated, affecting more than two dozen of its healthcare customers. Third-party breaches like this are on the rise because outside vendors often hold privileged, standing access to their customers' systems and data. The best protection against vulnerabilities and compromises at your third parties is an improved vendor management program: know which vendors have access to what, grant that access on a least-privilege and time-limited basis, and log and review every vendor session.
There were many more healthcare-related breaches and security events in 2020 than listed here, with over 500 healthcare organizations reporting breaches of more than 500 patient records (the threshold above which the HIPAA Breach Notification Rule requires public reporting to HHS), attacks rising 45% year over year, and healthcare accounting for 79% of reported incidents across all industries. As a result, HIPAA-related regulatory fines and civil lawsuits continue to rise. Hopefully we can learn from these events and improve healthcare cybersecurity in the areas of ransomware protection, compliance with privacy laws, and third-party risk management, so that 2021 will have fewer such events to report.