Ransomware, phishing attacks top new HHS list of cyberthreats in healthcare

The healthcare sector is under "constant cyberattack," HHS said. (iStockPhoto)

Email phishing attacks, ransomware attacks and attacks against connected medical devices are among the greatest cyberthreats that health systems need to protect against, according to new cybersecurity guidance for health systems from the Department of Health and Human Services.

Released last week, the Health Industry Cybersecurity Practices are intended to help the industry identify ways to reduce its risk from cyberthreats. The result of a two-year effort between HHS and private entities, the guidance fulfills a mandate of the Cybersecurity Act of 2015.


"Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health," said Janet Vogel, HHS acting chief information security officer, in a release. "In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively."


It's a far-reaching problem impacting organizations across healthcare from health systems to insurers on multiple fronts.

A study published in JAMA in November found that hackers took 133.8 million patient records between 2009 and 2017. Most recently, Atrium Health reported that a database of more than 2.6 million billing records of patients at Atrium Health—formerly Carolinas HealthCare System—was compromised by hackers. 

But lawmakers have been expanding their focus to other threats in recent months. In November, a congressional committee asked HHS to begin drawing up plans to provide more transparency about cybersecurity risks within medical devices.

"The breadth and complexity of these threats complicate mitigation. This is not simply an IT problem. When threats and vulnerabilities are identified and assessed for potential impact, the most effective combination of safeguards and cybersecurity practices must be determined based on the organization's particular needs, exposures, resources, and capabilities," the report said.


It's a costly problem. The U.S. healthcare system lost $6.2 billion to data breaches in 2016, with 4 in 5 physicians experiencing some form of cybersecurity attack, the report said.

In order to mitigate future breaches, HHS provided a list of 10 areas for stakeholders to focus on to limit their vulnerabilities, including:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

HHS acknowledged that the exact shape of these practices will vary depending on the type of entity employing them. It, therefore, provided guidance on several "sub-practices" for different-sized organizations in the technical volumes accompanying the report.
