Ransomware, phishing attacks top new HHS list of cyberthreats in healthcare

The healthcare sector is under "constant cyberattack," HHS said. (iStockPhoto)

Email phishing attacks, ransomware attacks and attacks against connected medical devices are among the greatest cyberthreats that health systems need to protect against, according to new cybersecurity guidance for health systems from the Department of Health and Human Services.

Released last week, the Health Industry Cybersecurity Practices are meant to help the industry identify ways to reduce its risk from cyberthreats. The result of a two-year effort between HHS and private entities, the guidance fulfills a mandate of the Cybersecurity Act of 2015.


“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health," said Janet Vogel, HHS acting chief information security officer, in a release. "In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively." 


It's a far-reaching problem impacting organizations across healthcare from health systems to insurers on multiple fronts.

A study published in JAMA in November found that hackers took 133.8 million patient records between 2009 and 2017. Most recently, Atrium Health reported that a database of more than 2.6 million billing records of patients at Atrium Health—formerly Carolinas HealthCare System—was compromised by hackers. 

But lawmakers have been expanding their focus to other threats in recent months. In November, a congressional committee asked HHS to begin drawing up plans to provide more transparency about cybersecurity risks within medical devices.

"The breadth and complexity of these threats complicate mitigation. This is not simply an IT problem. When threats and vulnerabilities are identified and assessed for potential impact, the most effective combination of safeguards and cybersecurity practices must be determined based on the organization's particular needs, exposures, resources, and capabilities," the report said (PDF).


It's a costly problem. The U.S. healthcare system lost $6.2 billion to data breaches in 2016, with 4 in 5 physicians experiencing some form of cybersecurity attack, the report said.

In order to mitigate future breaches, HHS provided a list of 10 areas for stakeholders to focus on to limit their vulnerabilities:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

HHS acknowledged that the exact shape of these practices will vary depending on the type of entity employing them. It therefore provided guidance on several "sub-practices" for organizations of different sizes in the technical volumes accompanying the report.
