Tagged cyberinsurance, cybersecurity, Identity, Identity access management, Identity-based zero trust, Mfa, Multi-factor authentication, Zero trust network access, ZTNA
The sheer volume of data that hospitals and other healthcare facilities store makes them a sitting duck for cybercriminals looking to steal confidential patient information. As more and more details about these attacks come to light, the healthcare industry has become increasingly concerned about cybersecurity lawsuits related to stolen personal data, which can cause serious harm to patients’ reputations and financial situations.
Unfortunately, though, these kinds of cyberattacks are far from new.
Hackers have been targeting hospital data for years. This is because doctors’ names and Social Security numbers are lucrative for identity thieves who can then open credit accounts or get medical treatment under doctors’ names. Today, hackers also steal patient information so they can disrupt billing operations, create fraudulent prescriptions for controlled substances, alter laboratory test results or claim insurance payments fraudulently.
They have also been known to use ransomware to freeze a hospital’s computer system until it pays a ransom! In fact, just recently, two patients filed a lawsuit against Hackensack Meridian Health alleging the health system failed to protect their information from a ransomware attack.
Cybersecurity experts say these efforts will only increase as hackers look for an easier way into systems than brute force password cracking, which takes time and resources away from more profitable pursuits.
Hospitals must ensure their cybersecurity is up to date at all times since any failure could lead to serious consequences down the road.
And it’s not just the hospitals…
Cybersecurity healthcare related lawsuits
Over the last decade, several significant cybersecurity-related lawsuits have been brought to light for a variety of healthcare organizations ranging from inpatient to outpatient to private and public clinics. All kinds of doctors’ offices and hospitals should be aware of how vulnerable they are when it comes to data security and be prepared for when things go wrong. Medical professionals must understand what types of liability could come their way in such a situation and know what they can do to protect themselves against potential lawsuits.
Recent attacks include:
- Northern Light Health who are facing a class-action lawsuit for the Blackbaud breach that affected about half the population of Hawaii or 650,000 people This was a global attack targeting the fundraising platforms of over 25,000 organizations.
- Scripps Health suffered a class-action lawsuit for the malware attack that compromised their system’s network. Plaintiffs are alleging that Scripps failed to properly secure and protect patients’ health information and now face a lifetime risk of identity theft.
Cyber-attacks – not just a outside job
Cyberattacks don’t always come from malicious intent from outside of the organization. They can result from mistakes made by employees, contractors, or vendors that put patients’ personal information at risk. Whatever form an attack takes, there is no doubt that its effects will carry serious consequences if not remedied immediately and thoroughly. What is certain is that healthcare organizations must take proper precautions to prevent losses due to digital theft, failure to implement effective security measures, and other causes. Employees need adequate training on how best to conduct business online while still protecting sensitive client information. In short:
To manage cybersecurity risks more effectively,
every member of the healthcare team needs basic knowledge about what constitutes legal compliance.
Although many laws are still being drafted on the subject of cybercrime, these guidelines illustrate some key principles that govern pertinent issues related to data security:
- Be informed: stay up to date on new developments in privacy law, especially when applying federal privacy law to state privacy laws because there are different requirements depending on where your company does business.
- Budget: ensure that any resulting fines or penalties fit into your budget since these costs could greatly reduce profits
- Process: establish clear internal processes so people responsible for information management know precisely which actions warrant attention and which don’t.
- Confidentiality: when filling out forms requiring confidential information, be careful to check ‘no’ whenever applicable.
- Passwords: always store passwords securely since unauthorized access gives third parties access to private medical files.
- Information transfer: avoid sending emails containing confidential patient details whenever possible. An employee caught violating legislation and regulatory laws might face civil or criminal charges for inappropriately disclosing private medical details without permission; if found guilty, he or she could face steep financial penalties as well as jail time—penalties directly connected to actual harm done by negligence in handling health data electronically.
Lets’ talk costs
The average cost of a data breach is around $4 million according to a 2021 report from IBM. In fact, data breaches in healthcare increased by 55.1% between 2019 and 2020. Additionally, during the first six months of 2021, there were 377 breaches reported to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR). This marks a nearly 40% year-over-year increase between mid-year 2020 and 2021. This finding is particularly significant for healthcare providers, as approximately 20% of all respondents reported having been victims of a data breach.
Lack of Adequate Security and cyber-litigation
In the event of a breach, there can be serious legal consequences if a cyber lawsuit is brought against you. Because of these risks, make sure you consult an experienced lawyer who’s familiar with cyber-litigation. That way, even if lawsuits arise, your lawyer will know how to handle them appropriately to minimize any damages.
Lawsuits and how to avoid them
Many suits currently filed against healthcare organizations involve allegations of lax data security practices, which could be interpreted as a failure to meet obligations under The Health Insurance Portability and Accountability Act (HIPAA) or other laws.
What is a HIPAA Violation?
The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs.
Either way, health systems can’t afford to ignore potential litigation arising from increasingly sophisticated cyberattacks, nor should they wait until after an incident has occurred to begin taking steps toward mitigating risk. The first step? Be prepared.
Multifactor Authentication (MFA) for the Healthcare industry as a means to significantly reduce cyber attacks
According to a study by Ponemon Institute, 67% of healthcare organizations see an increase in financial damage due to cyberattacks from data breaches alone. To prevent them, organizations are increasingly deploying multifactor authentication methods. These include biometrics, mobile apps, and multi-level passwords.
Achieving zero trust for the healthcare system requires improved and continuous user authentication. While MFA and identity providers have improved the authentication process, there are numerous integration and maintenance challenges, including applications that are not naturally compatible with MFA at all, such as non-web and thick/fat applications, etc.
ZoneZero® Identity-based Zero Trust Solution
ZoneZero® changes that with an Identity-based zero trust solution that offers seamless integration to MFA providers (Synchronic MFA, Push messaging, Biometric, instant messaging, REST API) and secure access control, supporting both non-web protocols and legacy infrastructure.
With ZoneZero®, organizations can easily integrate multi-factor authentication, continuous identity verification, and identity awareness into all applications and services, regardless of whether the user is coming from the same or different network.
What does this mean for you as a healthcare provider?
- Secure user access for ANY Internal resource
- Lower operational costs by removing application customization
- Reduced attack surface, blocking unauthenticated users
- Ability to add MFA to any application, continually authenticating users
Want to know more?
Safe-T provides an identity-based zero trust solution that would enable and healthcare organizations to ensure that every request from any user/application to every application invokes an MFA action. For example, once a push notification is sent to the accessing user or IT administrator for an access attempt, ZoneZero® prevents access to the resource, until the MFA responds.
Safe-T has been working with similar organizations to:
- Simplify and accelerate zero-trust strategy
- Reduce external/internal attack surface and prevent lateral movement
- Enforce MFA to legacy infrastructure to achieve compliance
- Secure access to cloud, on-prem, or hybrid environments
- Reduce operational complexities
- Clientless deployment
- Enhance existing technologies
Schedule a personal demo to see how Safe-T’s ZoneZero® can benefit your healthcare organization and simplify your journey to zero-trust.