Healthcare ransomware in 2023: Extortion and the double-data shakedown | Viewpoint

In today's healthcare environment, private data is vulnerable to attacks beyond the four walls of the hospital. (Image credit: ©Framestock - stock.adobe.com)

The average cost of a breach is now $7 million. In the first 60 days of 2023, 5.5 million patients had their private health information involved in a cyberattack.

What’s the “moment of regret” for a healthcare system right after it has suffered a cyber breach? All too often, it’s when the victimized executives realize a painful, unavoidable truth: preventing the attack would have been much easier than responding to the breach.

Breach liability reduction defines today’s healthcare cyber landscape. After all, patients’ personal health information presents an ever-juicier target for cyber criminals. Hackers now perform a “double-data shakedown” when they steal electronic PHI – they first extort the health system to regain access to the (now-locked) data, and then they force the system to pay them (again) not to release the data publicly.

This two-tiered extortion scheme underscores the failing ROI of healthcare cybersecurity over the past several years. From 2020 to 2025, healthcare will spend $125 billion to defend against breaches. Despite this aggressive investment, ransomware and other cyber-attacks keep getting worse and more expensive for health systems to endure.

Faced with staggering cyber risks, health systems spend big to deal with related lawsuits, post-incident fallout, and various legal notifications. Cyber-attacks also impose significant operational costs due to the required data restoration forensics, downtime, and increased staffing. This is before organizations even reckon with the brand damage, loss of public trust, and patient leakage that often accompany such attacks, as well as fines and other regulatory costs that ensue.

This requires a systematic approach to cyber defense. Health systems must minimize ePHI data liability so that, if they do get compromised, they can manage the fallout.

Below are some steps worth considering to achieve this systematic approach.

Think beyond the walls

Traditional security and compliance systems are designed to protect the physical asset used in healthcare. This old-school approach is inadequate for identifying where sensitive ePHI is stored – local, network, cloud, email. It also can’t tell which clinicians are accessing the ePHI, or how it’s being used, or what is the security posture of its location. Oftentimes, traditional security systems can’t even tell who the patient is.

Quite simply, these systems are blind to ePHI and its use in care delivery.

In today’s health networks, every patient’s ePHI is spread well beyond the perimeters of a hospital’s four walls. This creates the “dark PHI” problem – the new reality that, outside the EMR, more than 80 percent of healthcare data is unstructured. Basically, ePHI is everywhere – and it’s invisible.

Wherever sensitive ePHI is stored, healthcare organizations now must keep track of it everywhere. Whether it’s on local servers, on their network, in the cloud, or on email, ePHI must be tracked. This means more than simply knowing exactly which clinicians are accessing the ePHI – organizations must also know how ePHI is being used, the security posture of its location, and the identity of the patient.

Only with this information will a healthcare organization have the “ground truth” about its ePHI. This makes it critical to have visibility into where ePHI is, how it is being accessed, where it is moving, and who is the patient.

Reducing ePHI breach liability begins with a complete inventory

To deal with the new data attacks,the change in strategy is towards reducing ePHI breach liability. To achieve this reduction, organizations should start with a complete inventory and liability analysis for ePHI at rest.

To strive for breach liability reduction, organizations should conduct a pre-breach inventory and liability reduction analysis for ePHI stored outside the EMR. This includes junk drawers, file servers, cloud drives – basically, anything you can map a drive to.

This should position you to identify and remove unused or stale ePHI. This step helps you reduce the potential loss from a ransomware attack and reduce ePHI exposure due to phished user credentials. The breach liability reduction analysis will also tell you where ePHI “leakage” into partner/ISV systems and backends occurs, and it will facilitate post-breach forensic analysis, as well as reporting and notifications.

What about ePHI that is in use, in transit or with laptop, in transport? This requires its own real-time analysis and mitigation. The key is to reduce what can be stolenand have a complete archive of all data. With a multi-stage strategy for reducing the liability, organizations have a better security posture without compromising the ability to use that data.

The right solution

Healthcare systems should be very concerned about cyberattacks reaching the most critical asset: ePHI.

The right solution requires monitoring across endpoints and server environments to gain visibility into ePHI. Once ePHI is identified and prioritized across an organization’s highest risk endpoints and servers, the security team can rapidly “lock it down” via remediation and response tools.

Only then will an organization have real-time awareness of its ePHI landscape. This will minimize the attack surface of vulnerable and “shadow” ePHI, providing a systematic approach to defense that minimizes ePHI data liability.

This way, if you do get compromised, you can manage the fallout.

About the author

David Ting is the founder and chief technology officer of Tausight. He’s also the founder of Imprivata.