According to a POLITICO analysis, health data breaches increased in 2021 due to a surge in hacking

Experts say the rise in hacking can be attributed to the healthcare sector's rapid shift to digital, particularly during the Covid-19 pandemic; an increase in remote working, which opens multiple avenues of attack as employees use more personal devices; the financial value of healthcare information to cybercriminals; and greater awareness of attacks across the industry, hence more reports.

And that threat is only growing, with President Joe Biden warning Monday of potential Russian cyber attacks against the United States.

Widespread unauthorized access to this data raises significant privacy and security concerns for consumers and industry, costing billions every year, and highlights some of the potential consequences as healthcare modernizes and information flows more fluidly.

POLITICO analyzed over six years of data reported to the HHS Civil Rights Office through Friday. Organizations covered by HIPAA – including hospitals, insurers and health systems – must report breaches of protected health information affecting 500 or more people to the office, which publishes such incidents publicly on what is known in the industry as the “Wall of Shame.” Attacked entities are required to inform those affected.

“Unfortunately, the industry is pretty easy to pick up and they are hitting it because they get paid,” said Mac McMillan, CEO of cybersecurity firm CynergisTek. “His [not] we will slow down until we get more serious about stopping it, or blocking it, or being more effective. From the point of view of cybercriminals, they are successful, they get paid, why should they stop?”

Healthcare information is highly coveted by hackers, who can sell data on the dark web or use it fraudulently, including to make false Medicare claims and for identity theft. An individual’s health details may be worth more than a credit card, said Cindi Bassford, a partner at Guidehouse who focuses on cybersecurity. And the fraudulent use of that information hurts healthcare organizations’ profits: IBM found that each data breach cost healthcare organizations an average of $9.23 million in 2021, more than any other industry.

The industry is also particularly vulnerable to ransomware because a potential disruption of care could threaten the lives of patients, leaving many healthcare organizations forced to pay a ransom.

Breaches reported to HHS are classified by type, with hacking being by far the most prevalent. Other types of reported breaches include data theft, which could mean theft of a laptop, and unauthorized access, which could mean the accidental sending of information to the wrong people.

Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society and a member of the DHS cybersecurity training group, said hacking has become easier for cybercriminals. They have been more successful as open source tools allow them to better target vulnerabilities.

And cybercriminals are collaborating with each other, often selling ransomware programs to others, forming a “cottage sector,” said John Riggi, national adviser for cyber security and risk at the American Hospital Association.

Not all of the more than 46 million people affected in 2021 will suffer significant consequences as a result of their information being compromised. Many will not realize or understand what it means, said Carter Groome, CEO of health risk management consultancy First Health Advisory.

Some experts such as Kirk Nahra, a privacy attorney at WilmerHale, argue that few people whose information is compromised are significantly affected. But others say the exposure is remarkable.

“If you believe there is confidential medical information about you circulating out there, it eats you, because you don’t really know the impact,” said Harry Greenspun, partner and chief medical officer at Guidehouse, a consulting firm.

Genomic information could be harmful and potentially used in extortion schemes, Greenspun said. Cybercriminals could potentially use that data to find children that a parent has never acknowledged, or to disclose that a politician may be predisposed to dementia.

The total number of reported breaches has also increased as health care organizations have become more aware that they are happening, experts say.

The shift to remote work in recent years and more recently due to the Covid-19 pandemic is another reason, experts say. With remote working comes a lack of on-site IT support, Greenspun said. The need for companies to move quickly to support remote working has prompted many organizations to delay the implementation of security patches, he said.

Additionally, many employees use their personal devices for work, which can make companies more vulnerable.

“You have kids doing Zoom for school, everyone is doing all sorts of things with it,” Greenspun said. “So it’s a much less secure environment and a lot fewer controls. It opens the door to opportunistic people.”

The effort to make health data flow more freely is also a factor, experts say.

For years, the industry has pushed to facilitate better sharing of health information, which has historically been hampered by hidden data between health care organizations. The 21st Century Cures Act, signed into law by former President Barack Obama, required healthcare organizations to share more data to enable better coordination of care.

“As the data starts to move more freely, this is kind of a cost to doing business,” said Aaron Maguregui, senior consultant at Foley & Lardner.