Cybercriminals are 'already taking advantage' of the COVID-19 crisis

Phishing is still the number one cause of breaches, according to the newly released BakerHostetler Data Security Incident Response Report, with ransomware on the rise.
By Kat Jercich
03:14 PM

The COVID-19 pandemic has necessitated an increase in information collection and sharing among providers, patients, hospitals, vendors and other organizations. In turn, that has heralded an uptick in "malicious cyber campaigns" that attack healthcare facilities, according to U.S. and U.K. law enforcement agencies.

But security concerns in the industry are nothing new - and the coronavirus crisis will likely exacerbate existing issues.

According to the BakerHostetler Data Security Incident Response Report released last week, phishing was the most common cause of data breaches among incidents that the data privacy and cybersecurity law firm had managed in 2019. Nearly one-quarter of those incidents occurred in the healthcare industry, including biotechnology and pharmaceuticals. 

"This year’s DSIR Report provides an enlightening analysis of the cyber landscape before COVID-19 came into the picture. Threats continue to evolve, and the compromise intelligence our report offers can help organizations with their preparation efforts," said Theodore J. Kobus III, chair of BakerHostetler’s digital assets and data management practice group, in a statement.

After gaining access to a system via phishing, attackers most commonly took over users' Office365 accounts, installed ransomware, installed malware or intruded on the network. 

Report authors predicted that ransomware will continue to be an issue in the years to come. 

"Ransomware surged in 2019, and there is no foreseeable slowdown," they wrote. "All industry segments were impacted. Manufacturing and professional services were particularly hard hit, followed closely by healthcare, education, and government entities. The amount of ransom demanded and actually paid dramatically increased compared to 2018."

Although about three-quarters of the organizations that had been affected by ransomware restored their information from a backup or otherwise managed without paying the ransom, companies still paid an average of $302,539 to threat actor groups in 2019. 

When it comes to post-breach regulatory scrutiny, the report noted, "regulators do not have time or resources to investigate every incident." 

Still, any HIPAA-covered entity breaches that involve 500 or more people will trigger a data request from the HHS Office for Civil Rights. "Regulators are asking harder questions," the report noted, "and their expectations are evolving."

"While these investigations can be burdensome and costly for organizations to respond to, few of them actually result in a penalty to the entity," the report explained. "Of 511 breaches of 500 or more individuals reported in 2019, the OCR assessed penalties in only 11."

An increase in vulnerability

The report authors note that the societal changes effected in response to COVID-19 will likely leave organizations vulnerable to attacks. 

"Cyber criminals are already taking advantage of the situation created by COVID-19, and employees will inadvertently expose sensitive data or facilitate a ransomware attack," said Kobus in a statement. "Organizations are rapidly evolving their working from home guidelines due to the stay-at-home orders around the globe." 

The most recent HIMSS Healthcare and Cross-sector Cybersecurity Report found that cybercriminals, state-backed groups and others are reorganizing to capitalize on the COVID-19 crisis. 

"While phishing remains a significant threat during the COVID-19 pandemic, criminals are also heavily engaged in financial fraud (including in regard to economic stimulus payments), intellectual property theft, distributed denial of service campaigns, and more," wrote HIMSS Director of Privacy and Security Lee Kim in the report.

"Hospitals, government agencies, and others are experiencing distributed denial of service attacks (some successful, and attempts in other cases). In the case of successful attacks, some organizations have had to completely shut down their network according to reports," wrote Kim. 

"Healthcare organizations are thought to have been the target of aggressive cyber-attack due to COVID-19 related treatment of patients, lab testing services, vaccine testing services, and/or biosafety labs," she continued.

Targets have also included supply chains, virtual private networks and those seeking to buy medical equipment such as masks or gloves online.

People who aren't used to working from home may not recognize attempts to breach security.

"With a good number of workforce members now working from home due to the COVID-19 pandemic, some survey respondents have reported an uptick in security incidents and cybercrime. 

"Additionally, some survey respondents have reported spending more time in IT support roles instead of their usual cybersecurity roles," said Kim. "Finally, while best practices are being adhered to, many respondents admitted that more can be done in that vein."

To keep data safe, experts advise implementing multifactor authentication, training employees on best practices and addressing security requirements across all applicable regulations, among other measures.

"Resources are available for consumers (such as from state attorneys general), for businesses … and from the government to bolster security awareness and help guard against criminal activity during the COVID-19 pandemic," Kim noted.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.
