Data Breaches on the Rise
December 1, 2025
By Gregory Freeman
Data breaches continue to increase in number, and healthcare organizations still are a top target. The attacks are becoming more sophisticated as they focus on healthcare employees’ private devices used away from work.
Breach data tend to lag, so it can be hard to know which way the trend is going in real time, says Elizabeth F. Hodge, JD, partner with the Akerman law firm in West Palm Beach, FL.
“On the OCR (Office for Civil Rights) website for the reports of large breaches, there often is a lag between when an incident occurs and then when it is reported to OCR and appears on the OCR website, so it can be difficult to understand in real time what is happening,” she says. “But I think based on, at least through the end of July, there were actually a few more breaches reported this year than compared to the same time last year. It is about a 2% year-over-year increase through the end of July.”
Hacking continues to be a main cause of breaches, Hodge says.
“There are still a number of ransomware incidents occurring. It’s also notable that OCR is continuing its ransomware and risk analysis initiatives that were started under the prior administration,” she says. “I think the fact that the current administration is continuing the risk analysis initiative shows that they are seeing a large number of cyberattacks or ransomware-type incidents, as opposed to incidents involving paper files or employee snooping. Certainly, those types of HIPAA breaches still occur, but the hacking and IT (information technology)-related incidents seem to predominate now.”
To counter the trend, Hodge says healthcare organizations should first make sure they are covering the basics in data security. Conduct a complete, thorough, and accurate risk analysis of the environment, she advises.
“OCR staff and OCR leadership continue to make having a complete risk analysis a priority of the agency. OCR believes that having that complete and accurate and thorough risk analysis can really help organizations lessen the risk to their organization, and it can remediate vulnerabilities they have before they are the victim of an incident,” Hodge says. “Complying with the Security Rule, having your incident response plan in place, a business continuity plan can help you recover more quickly when you do have an incident.”
Also make sure your incident response plan is current, she advises. Test the plan with tabletop exercises in which all the key stakeholders participate, so that when you identify where the plan needs shoring up, you can do that in a safe environment rather than under extreme pressure. That also allows you to adapt the plan as your organization changes over time, she says.
“I think it’s important to continue to train the organization’s workforce. We’re seeing that phishing emails are becoming even more sophisticated, especially with bad actors now using AI (artificial intelligence) more and more,” she says. “Bad actors also are engaged in social engineering with text messages and video, so they are upping their game.”
Preventing data breaches is not easy or inexpensive, typically requiring substantial financial investments and human resources, Hodge says. Bad actors have recognized the weaknesses in some healthcare organizations and are exploiting them, she says.
“Unfortunately, we’re seeing that some of the bad actors are targeting organizations that maybe are not as well-resourced and maybe not as able to keep up. For example, we’re seeing smaller rural hospitals being targeted,” Hodge says. “We’re seeing specialty physician practices being targeted, and they generally do not have the same resources as, say, a large academic medical center or a large, multi-state hospital chain or a health insurer.”
Data security is a struggle for smaller organizations, Hodge says.
“While, in the past, they may not have been targeted by bad actors, now they are being targeted,” she says. “That’s an area where those smaller organizations really could use some assistance to improve their cybersecurity posture.”
The steady rate of data breaches, with slight increases lately, can have the effect of actually making employees complacent about the issue, says William P. Dillon, JD, shareholder with the Gunster law firm in Tallahassee, FL.
“It seems like you’re almost getting alert fatigue, because it’s like a breach every other week,” Dillon says. “Nobody really gets that riled up about it or are worried anymore, because it just seems to be happening with a high frequency.”
That complacency comes at a time when the bad actors are gaining sophistication, making it more difficult to prevent their attacks or to respond when they happen.
“This isn’t generally some kid in their basement [who] is doing this. They’re really sophisticated individuals and groups of individuals [who] work this like their job. This is their business, no differently than a healthcare provider providing healthcare services to patients,” Dillon says. “Their job is to try to penetrate businesses — and particularly in the healthcare industry because the data (are) so valuable.”
A lot of the threat actors are from overseas, often Eastern Europe, Russia, North Korea, or China, he says.
“To the extent they’re able to find anything out that they are overseas, and of course, that makes it difficult for law enforcement to ultimately catch them,” Dillon says. “So, even if we can identify where it’s coming from, it’s kind of hard to actually get the bad guys because they’re not here. They’re halfway around the world.”
Many healthcare organizations, particularly the larger ones, are taking the threat of data breaches more seriously than they have in the past, Dillon says. They’re investing money in infrastructure and training.
“The one thing that I think is still a constant problem is that entities need to make sure that they’re really working on their internal security awareness. Their employees and their contractors are oftentimes the weak link allowing bad guys to penetrate the system, whether it’s through a phishing attack or spear phishing or some sort of a sophisticated social engineering attack,” he says. “It still seems that a large number of these breaches are occurring because of a human mistake. Somebody lets their guard down, and they grant access to the system inadvertently, or they download something they shouldn’t have.”
Larger organizations are becoming better at providing security awareness training to their employees, Dillon says. Employees now are more wary about phishing, and many are hyper-vigilant about responding to unknown emails or opening documents, he says.
“You get leery about even clicking on an attachment. If I don’t know who that’s from, I’m just deleting and getting rid of that,” Dillon says. “I still think that human vigilance is needed first, and I think the only way to do that is to just keep driving it home with training and making sure that individuals within your entity understand.”
Healthcare is one of the top three most attacked industries, both by people looking for money and foreign actors looking to destabilize the country, says Ron Zayas, CEO of Ironwall by Incogni, an internet privacy company in Mission Viejo, CA.
“What we’re seeing is that more and more of those attacks are coming at the individuals [who] work for healthcare organizations, not just necessarily coming at the hospital servers, CRM (customer relationship management) systems, and patient systems that they have. If I know that an organization has 1,000 employees, and I know who works for them, and I know a lot of things about those employees, I can send phishing emails to them and I’m going to get, on average, about 5% of those people to click on those malicious links.”
That gives the bad actor 50 people with compromised devices that can provide a pathway into the healthcare system, he says.
“There is also a physical component to all of this. There are people who are getting very dissatisfied with cuts in healthcare, and when they believe they’re not getting the healthcare that they should, they’re acting on it,” Zayas says. “They’re taking it home to somebody. When they believe a doctor or nurse or anybody else in the hierarchy isn’t doing well, they’re taking that information to their home. These are all threats that are really converging on healthcare today.”
One serious threat occurs when employees check email from personal phones or do something else that interacts with the network from a personal device at home, Zayas says. Bad actors know that employees do not have the same level of protection on their personal devices at home and that employees are not as vigilant on their own time. “The level of protection I have at work with a VPN (virtual private network) and everything else is significantly greater than what I have at home. So, if you’re going to attack me because you feel that, as CEO or as a major employee of a company that you want to go after, in this case, a healthcare provider, why not just attack them at home? It’s easy to identify who they are. It’s easy to hit the soft underbelly,” he says. “Send them a phishing email, send them something that’s so personalized because of all the information you have on them, give them a malicious link. You’re going to compromise their phone. You’re going to compromise all their devices at home, you’re going to be able to get into their email, and then you use that as a stepping stone to get into the organization. (It’s a) slightly longer game, but it’s a lot easier to get in, and it’s a lot easier not to be detected until it’s too late.”
Zayas recalls working with one company that was confident its employees were well-trained in cybersecurity and would not fall for phishing attempts even on their personal devices at home. An experiment proved that was not the case.
“We did a test and sent 500 of these attempts out at random, just using information that we had on the people in this company. We came back with about a 5% click-through rate, and when we were presenting this back to the C-suite, the CEO of that company said, ‘Oh, my god, I clicked on that email,’” he says. “You’re at home. You’re not thinking of what you’re doing, and you can’t be vigilant 24 hours a day. That’s what scammers are going after.”
Often, the bad actor can tell what company you work for and can easily pull 30 or 40 pieces of personal information on who your family is, who you are, what your habits are, and what your politics are, Zayas says. He can then put them into an email that looks so convincing that you think it is coming from somebody you know.
“You’re not going to be hyper-vigilant, and you’re going to click on that, and that’s why they’re getting better response rates than great marketing emails do,” he says. “When that happens, most of the time you’re compromised. You never even know you are.”
Zayas and his colleagues regularly search the dark web to see what kind of data are being compromised from their clients. He says the data from healthcare organizations are always in demand.
“It’s astounding the amount of information and the amount of reports that we run, especially on healthcare organizations. We’re able to come back to them and show them two, three, four, maybe 100 people in their organization [who] have devices that are compromised, that are running malware and the data (are) being sold on the dark web,” he says. “They say not only we’ve captured somebody’s information, but specifically we have captured information from people who work at X healthcare organization. Does anybody want to buy this?”
There are a few data security strategies that are straightforward and others you can do if you have the budget, he says. No. 1 is understanding what they are using to come after you and training your people to understand phishing emails, he says.
“When the phishing email comes in and says somebody has $50 million for you, it’s written in broken English, you know, it sounds like Yoda put it together, we got that. The training is there. Most people know what to do on that,” he says. “What you want to do first is educate people about the different type of emails, and phishing emails, especially text messages that are coming in and what they’re going to look like. It’s kind of like the old Godfather adage of how the person who sets the meeting is going to be somebody you trust, and that’s going to be the person [who is] going to go after you. They’re using the same thing here.”
Bad actors rely on that familiarity and trust to make people let their guard down, he says.
“If I think the email is coming from my sister-in-law, I’m not going to go through all the vigilance that I normally would, especially if it sounds like her, and if she’s talking to me the way I’m used to her talking,” he says. “No. 1 is training to be vigilant of what the new generation of phishing emails look like, and they don’t look like your father’s emails.”
To counter that threat in the off-duty hours, some healthcare organizations offer cybersecurity services as an employee benefit, extending some of the protection available in the workplace, Zayas says.
“These are such popular things because they cut down scammers, they cut down identity theft, they cut down robocalls. People want this. So, even if your organization can’t pay for it, give them an option to provide it for them at no cost to the organization, a reduced cost for the employee,” he says. “You’ll see 25% to 30% of your employees signing up on this program because they see the value in it, too.”
Texts can be especially effective in getting past an employee’s skepticism, Zayas says. A text feels more personal, and people tend to respond an average of three times faster than to an email, he says.
“There’s just a lot more urgency there, and the faster we make somebody think, the less likely they are to think it through. And there’re less clues on a mobile phone than there is on an email, less for us to look at and have the time to think about it,” he says. “When text messages come in, they’re not going to be broken English. Generative AI has really changed the scope here so that it’s only the real lazy scammers who are sending out broken English and things that just don’t make sense.”
Generative AI is good not only at creating convincing messages packed with data points, but also at responding in almost real time, Zayas says.
“I don’t think most people understand that, in less than five minutes, if I have either your phone or if I have a general idea of where you live, I can look up and find immediately your address, your family, tie that to your social media, tie that to any clubs, tie that to applications you might have, and be able to put all those pieces of information together in one moment,” he says. “If I look up the average person’s profile on a data broker, they’re going to have 2,000 or 3,000 pieces of information on there. And it’s not just that they’re collecting information. They’re making inferences. If you order pizzas, your information is being sold. If you order DoorDash, your information is being sold.”
It is not just that they know where you live and what you order, Zayas says. The issue is what they infer from when you order, what you order, and how often you order, he says.
“They figure out that you are a single mom [who] works late, especially on Fridays, that you have the kids with you every day but Wednesday and Saturday. All those pieces of information, when you put them together and you give that to a scammer, they’re able to create and craft those text messages and those phishing emails that are going to get through at a 5% response rate,” Zayas says. “That is incredible, and the reason for it is because of how targeted they are. However smart and clever you think you are, your best defense is not to get that email or text.”
Greg Freeman has worked with Clinician.com and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Clinician.com products. In addition to his work with Clinician.com, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.
Sources
- William P. Dillon, JD, Shareholder, Gunster, Tallahassee, FL. Telephone: (850) 521-1708.
- Elizabeth F. Hodge, JD, Partner, Akerman, West Palm Beach, FL. Telephone: (561) 273-5503.
- Ron Zayas, CEO, Ironwall by Incogni, Mission Viejo, CA. Telephone: (844) 476-6360.