Every month, we compile the most compelling healthcare privacy and security-related news stories. Below, you’ll learn about UVM bringing their EHR back online after a month of downtime procedures, healthcare organizations as sitting ducks for attacks and breaches, cyberattacks using SSL encrypted channels and targeting healthcare, and final HHS rules designed to reduce regulatory barriers and improve care coordination.
The University of Vermont (UVM) Health Network restored access to its EHR after a month of downtime procedures, including manual logging of patient information, medications, treatment, and clinical orders due to a massive ransomware attack across its care network.
UVM was one of several health systems hit with ransomware around the same timeframe, which prompted a joint federal alert on a ransomware wave impacting the sector. Due to the severity of the attack and the COVID-19 response, the governor of Vermont deployed the Army National Guard’s Combined Cyber Response Team to UVM Health to assist with recovery efforts.
Although much work remains in terms of recovery, bringing the EHR back online means staff will be able to electronically record information again, improving operations for the six UVM Health care sites impacted.
A survey of 2,464 security professionals from 705 provider organizations, conducted by Black Book Market Research, reveals the following findings:
- 73 percent of health system, hospital and physician organizations are unprepared to respond to data breaches and cyberattacks.
- An estimated 1,500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300 percent increase over this year.
- 96 percent of IT professionals agreed that data attackers are outpacing their medical enterprises, leaving providers at a disadvantage in responding to vulnerabilities.
- The healthcare industry is estimated to spend $134 billion on cybersecurity from 2021 to 2026, $18 billion in 2021, increasing 20% each year to nearly $37 billion in 2026.
- 82% of CIOs and CISOs in health systems in Q3 2020 agree that current cybersecurity dollars, allocated before their tenure, have not been spent effectively: spending often happens only after a breach, and without a full gap assessment of capabilities led by senior management outside of IT.
Additionally, results of the survey indicate there is a talent shortage for cybersecurity professionals; COVID-19 has greatly increased the risk of data breaches; cybersecurity consulting and advisory services are in high demand; cybersecurity in healthcare provider organizations remains underfunded; and healthcare consumers are willing to change providers if patient privacy is compromised.
According to a recent Zscaler ThreatLabZ report, the number of cyberattacks using SSL-encrypted channels to bypass legacy security controls increased by 260 percent since 2019, and healthcare was the most targeted sector.
SSL/TLS encryption is the industry-standard method for protecting data in transit and is meant to shield traffic from unauthorized access; however, attackers have hijacked the same tool to hide malicious traffic from inspection, turning encryption into a weapon against the defenses that do not look inside it.
The research shows the majority of attacks on healthcare stemmed from malicious URLs, which were delivered to victims via email, text messages, pop-ups, and on-page advertisements and led to downloaded malware, ransomware, spyware, compromised accounts, and other threats.
Healthcare as a sector is at an increased risk for cyberattacks due to the number of legacy technologies across the enterprise with known vulnerabilities and/or a lack of adequate security controls.
The Department of Health and Human Services recently published two final rules, covering the federal Anti-Kickback Statute and the Stark Law, designed to reduce regulatory barriers and improve care coordination. Both contain safe harbor provisions that will allow health systems and hospitals to donate cybersecurity technologies to provider offices.
HHS Office for the Inspector General finalized the Revisions to the Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, while the Centers for Medicare and Medicaid Services issued the final version of Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called the Stark Law.
The changes were designed to remove the barriers to sharing valuable tools, such as cybersecurity software and services, with providers, which often have limited resources, to help address the growing cybersecurity risks on data systems that could corrupt or prevent access to health records.
“These finalized exceptions provide new flexibility for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare ecosystem, regardless of whether the parties operate in a fee-for-service or value-based payment system,” CMS said.