Health Data Breaches: 3 Lessons LearnedInsights From Major Healthcare Sector Breaches and Cyberattacks
The healthcare sector has had plenty of significant data breaches so far this year.
What can be learned from organizations' experiences? Here are three key lessons based on my recent conversations with security experts.
Vendor risk management is more important than ever. Many of the largest health data breaches this year have involved third parties. For example, the largest health data breach so far in 2019 was a cyberattack disclosed in the spring by debt collection firm, American Medical Collection Agency, which impacted more than two dozen clients and 20 million-plus individuals. And a ransomware attack revealed last week by IT services firm Virtual Care Provider Inc. impacted more than 110 healthcare entities, including several nursing homes.
With vendors presenting some very serious security vulnerabilities, healthcare entities need to make sure their contracts with third parties precisely spell out security expectations.
For instance, organizations should include in their contracts the right to audit their vendors' ability to detect, defend and recover from attacks, notes Clyde Hewitt, executive adviser at security consulting firm CynergisTek. "Obviously, this is time-critical because it could take months or years to renegotiate a new contract. Contracts should also specify that any cyber insurance limits are adequate to cover all potential losses to all clients, not just one."
There's no guarantee you'll recover all your data after a ransomware attack - even if you're able to restore your systems using backups. For instance, New York-based Brooklyn Hospital Center recently disclosed that while it was able to recover some of its patients' affected data in the wake of a recent ransomware attack, some was unrecoverable.
Difficulties recovering all data can stem from incomplete data backup practices. And certain strains of ransomware reformat data so it can no longer be accessed.
"The Ryuk ransomware has been reported to reformat drives containing backups and shadow copies of virtual servers when it could not successfully encrypt them," Hewitt notes. That means "healthcare providers may need to resort to keeping a paper copy of the most critical needs, for example medications lists, but only rely on them in an emergency."
Keep IT infrastructures, software patching, security policies, workforce training and incident response and business continuity plans up to date. "Healthcare organizations need to conduct a ransomware readiness assessment to determine if safeguards and controls are adequate and if their response procedures address [federal and state] reporting requirements," notes Tom Walsh, president of consulting firm tw-Security.
"Educating staff with a phishing awareness program, deploying anti-malware detection and remediation tools, and regularly patching the organization's systems are all good practices in preventing a successful ransomware attack," says Jon Moore, chief risk officer at security and privacy consulting firm Clearwater. "If an organization is unable to prevent the attack, then it is dependent on its response and recovery capability to mitigate the impact."
Hewitt is even more blunt: "Reliance on shelfware, - for example, old business continuity/disaster recovery plans that have not been updated or tested in years - has the potential to put providers out of business. Tests should be conducted using real-world scenarios, all deficiencies should be documented, and those risks should assigned to business owners to mitigate."
Has your organization learned other critical lessons this year? In invite you to share those in the space below.