Health care cyberattacks soaring in 2023

This article first appeared on our sister site Medical Economics.

Since the start of 2023, 327 data breaches have been reported to the US Department of Health and Human Services’ Office for Civil Rights. That figure is up more than 104% from 160 breaches as of mid-2022 and shows “no signs of abating,” according to a report from Fortified Health Security.¹

Health care business associates also are at risk, accounting for 14% of all reported breaches and jumping from 22 halfway through 2022, to 82 so far this year.

The cyberattacks involved data of more than 40 million individual patients in 2023, marking a 60% increase year-over-year for the first six months. Last year, a single breach involved 2 million records, but in the first half of 2023, there were five breaches of at least 3 million records each, according to Fortified.

Those include the breach of Fortra’s GoAnywhere secure file transfer software in February, which involved more than 5 million health care records. “The software is used across industries, and many other non-health care companies were among the more than 130 companies allegedly targeted in the attack,” the report said.

Health care business associates also are at risk, accounting for 14% of all reported breaches and jumping from 22 halfway through 2022, to 82 so far this year. That is a 273% increase, the report said.

Government gets involved

Health care cybersecurity has become a hot-button issue in Washington.

“Fortunately, these obstacles have not gone unnoticed or unaddressed,” Fortified CEO Dan L. Dodson said in the report. “The federal government is actively taking initiative on the legislative front to tackle these issues head-on.”

In March, President Joe Biden released his National Cybersecurity Strategy with five pillars:

• Defend critical infrastructure
• Disrupt and dismantle threat actors
• Shape market forces to drive security and resilience
• Invest in a resilient future
• Forge international partnerships to pursue shared goals

The federal PATCH Act, short for Protecting and Transforming Cyber Healthcare, came out in spring and will go into effect Oct. 1. Medical device manufacturers must meet four requirements for cybersecurity before approval by the U.S. Food and Drug Administration.

Sen. Mark R. Warner (D-Virginia) published “Cybersecurity is Patient Safety,” a policy options paper seeking recommendations to address computer vulnerabilities in health care. Fortified noted there were more than 60 responses to his request for information. Given the complexity of the issue and at least 16 federal agencies involved, there could be multiple bills addressing specific aspects of cybersecurity.

In March, the Senate’s Homeland Security and Government Affairs Committee held the hearing, “In Need of a Checkup: Examining the Cybersecurity Risks to the Healthcare Sector.” Fortified Senior Virtual Information Security Officer Kate Pierce was among four experts who testified in that hearing and she wrote this essay for Medical Economics. Senators now are considering the Rural Hospital Cybersecurity Enhancement Act, legislation based on testimony in that hearing.

Action steps

Fortified noted the U.S. Department of Health and Human Services, its 405(d) Program, and the Health Sector Coordinating Council Cybersecurity Working Groups have published three documents on the current state of cybersecurity in hospitals, government programs, and industry best practices. Fortified was a contributor to those records and recommended three steps for health care offices and systems to prepare:

• Read the documents and assess where your organization needs to improve security.
• Plan to prioritize and tackle areas that need attention.
• Keep leadership in the loop about upcoming changes to minimize strains on the organization.

References

1. Fortified Health Security. 2023 Mid-Year Horizon Report: The State of Cybersecurity in Healthcare. Accessed August 17, 2023. https://fortifiedhealthsecurity.com/healthcare-cybersecurity-report-annual-horizon-reports