Healthcare data breaches and ransomware
Healthcare data is attractive to cybercriminals because healthcare organizations hold up-to-date financial and personal data and medical records, which can then be used by cybercriminals for social engineering scams and identity theft. Electronic Health Records (EHR) are increasingly being used to facilitate collaboration between doctors and medical labs, and contain patient medical history, diagnoses, and treatments. These are also compromised in healthcare sector data breaches.
LockBit is the world’s most prolific ransomware cybercriminal group, offering ransomware as a service (RaaS). Since it was identified in 2019, the group has been responsible for billions of euros in damages globally, and it has caused network outages and service interruptions for multiple hospital systems in the US and in France. An international task force of law-enforcement agencies from 10 countries, called Operation Cronos, seized LockBit’s technical infrastructure and its public-facing leak site on the dark web in February 2024, after a months-long operation.
Unfortunately, it seems like LockBit was able to relaunch from another site after regrouping. Strains of LockBit are responsible for the two major healthcare ransomware incidents in early 2024.
Armentières hospital ransomware attack
In the early hours of February 11, 2024, printers located in the Armentières hospital began printing out ransomware messages, informing those reading the pages of a cyberattack. Within an hour of discovering the attack, the hospital’s IT team confirmed that all hospital computers had been disconnected from the network and the hospital was already cooperating with French law enforcement.
When the attack happened, there were 130 patients in hospital care. Hospital staff quickly printed out each patient’s medical records so that doctors and nurses could continue providing appropriate care. For two days, the hospital was out of service and could not care for the residents who depend on its services. Even emergency services were unavailable, with the exception of emergency labor and delivery. Ambulances were diverted to other hospitals in the region. In the end, more than 300,000 people had their data compromised.
In the 2023 Cyber Threat Overview Report from ANSSI, the French National Agency for the Security of Information Systems, 10% of reported ransomware attacks in France were in the public health sector. Local and regional authorities were also hit hard by ransomware, which accounted for 9% and 24% of attacks, respectively.
Third-party risk and sensitive health data
Third-party service providers are another channel through which cybercriminals can access sensitive data and cause major health system disruptions. Third parties process vast amounts of health data for hospitals, doctors, health insurers, and government programs, so an ICT third party that is targeted by cybercriminals can have devastating consequences for everyone who depends on it. Events such as the phishing attack on the third-party payment service providers Viamedis and Almerys and the ransomware attack on Change Healthcare underscore the necessity for robust third-party oversight and the need for third parties to implement strict cybersecurity measures.
Critical infrastructure in France and the US was severely impacted by both cyberattacks. In France, more than half of the population had personally identifying information compromised in the Viamedis and Almerys data breaches, which of course adds to the stores of sensitive information on the dark web that threat actors can draw on for phishing campaigns. The attacks on Viamedis and Almerys also disrupted the transmission and payment of insurance claims. As a result, many people in France were unable to access healthcare services, medicine or health materials such as prescription glasses and prosthetics.
The ransomware attack on Change Healthcare in the US, a subsidiary of UnitedHealth Group, disrupted administrative and billing processes for thousands of doctors, hospitals and pharmacies across the healthcare sector, affecting vital healthcare services. More than 100 services were disrupted for more than four weeks, and remediation efforts are still underway.
The scale of the data breach is still being assessed. According to news reports, healthcare providers may have lost up to USD 100 million a day from the cyberattack. And there are already class-action lawsuits filed against the company, reflecting the seriousness of the data privacy concerns arising from this incident.
The unfolding situation highlights the critical importance of cybersecurity in the healthcare sector, including third parties, and the cascading effects that such attacks can have on healthcare delivery, emphasizing the urgency for robust security measures and rapid response strategies to protect sensitive health data and maintain healthcare.
Legislation to protect health data
The World Health Organization published a Global Strategy on Digital Health 2020-2025 that lays out a strategy to protect the growing amount of sensitive health data held by governments, the healthcare sector and private companies.
The WHO recognizes that digital health is an integral part of healthcare and should benefit people in a way that is ethical, safe, secure, reliable, equitable and sustainable.
Data protection in the EU
In the EU, individuals’ health data is protected under the General Data Protection Regulation (GDPR), which went into force in 2018. Each EU Member State then established a national supervisory authority to enforce the GDPR: in France, for example, it is the CNIL, and in Germany it is the BfDI. Since leaving the EU, the UK has adopted a UK GDPR, which kept the text of the EU’s regulation. Fines for severe violations can total EUR 20 million or, for an undertaking, up to 4% of its total global revenue for the preceding year, whichever is higher.
Under the GDPR, there is no distinction between PHI and PII: all personal data is protected. However, the regulation does distinguish between personal data in general and special categories of sensitive data (see Art. 9 GDPR).
Sensitive data includes:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- trade-union membership
- genetic data, biometric data processed solely to identify a human being
- health-related data
- data concerning a person’s sex life or sexual orientation
Personal data according to the European Commission is “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.” Some examples of personal data include:
- a name and surname
- a home address
- an Internet Protocol (IP) address
- the advertising identifier of your phone
- data held by a hospital or doctor
Data protection in the US
In contrast, in the US there is no federal law protecting PII in general. The federal Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, establishes rules on the protection and sharing of health data, or PHI. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the law.
HIPAA protects individually identifiable health information held or transmitted by a covered entity or its business associate, whether in electronic or paper form or orally.
Health information can relate to:
- an individual's physical or mental health or condition in the past, present or future
- the provision of health care to an individual
- any payments for the provision of health care to the individual
Individually identifiable health information includes details such as an individual’s name, address, email address, birth date and Social Security Number. Civil penalties are issued by the OCR and scale with the nature of the compliance failure: organizations and individuals can be fined for unknowing violations as well as for violations due to reasonable cause or willful neglect. For the most severe violations, the US Department of Justice can bring criminal charges against a party.
Solutions for more secure health data
Cybersecurity agencies across the globe have found it difficult to pinpoint the motivations behind many attacks, which may be financial gain, espionage or destabilization. The healthcare sector processes some of the most sensitive information in society, and it is fundamental that the confidentiality, integrity and availability of that data be protected from the top down.
Focus on Cybersecurity Governance
PHI and PII governance should be a multi-stakeholder consultation process. Cybersecurity cannot be a siloed approach managed only by the IT department. New regulations and directives, like NIS2, emphasize the importance of boards in security decisions and oversight for critical infrastructure.
Create an Incident Response Plan
Defining a strategy with a clear set of guidelines for responding to potential cyber risk scenarios, including data breaches, DDoS attacks, malware outbreaks, insider threats and other security incidents, will minimize service downtime, reduce the financial impact and improve regulatory compliance.
Continuing Education and Cybersecurity Awareness Training
Educating healthcare professionals on cybersecurity best practices is the first line of defense against internal threats. Regular training sessions on topics like phishing techniques, password hygiene and reporting suspicious emails give healthcare workers the tools to recognize and act on cybersecurity threats.
The healthcare sector is particularly vulnerable to cyberattacks due to the vast quantities of sensitive data it processes and its dependence on IT and third-party services. The consequences of such attacks can be devastating, disrupting vital healthcare services and compromising the privacy of millions of individuals. Organizations need to implement robust cybersecurity measures and rapid response strategies and training to protect sensitive health data and maintain healthcare service continuity.
Quantitative approach to cybersecurity
Cyber risk quantification is a powerful approach for organizations to gain a better understanding of their cyber risks in business terms. This perspective can help prioritize security decisions and build resilience. Organizations can ensure that their security posture remains robust and responsive to the ever-changing digital landscape.
C-Risk uses advanced analytics and modeling techniques to quantify the potential financial impact of cyber threats on critical assets and critical processes. Discover how our expertise in operationalizing quantitative risk management can be a game-changer for your organization, irrespective of your current level of risk maturity. Partner with us to transform your cyber risk understanding into a strategic asset that guides informed decision-making.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.