Between consolidations, staffing challenges, corporate and regulatory mandates outpacing hospital resources, and evolving threats, the healthcare industry is experiencing a “perfect storm” that threat actors are quick to exploit. In the first half of 2024, 387 data breaches were reported to the U.S. Department of Health and Human Services (HHS), and cyber criminals don’t show any signs of slowing down.

In the immediate aftermath of a breach, healthcare organizations are often forced to go into “divert” mode, unable to admit new patients or accept payments, massively impacting their ability to generate revenue. Unfortunately, the ramifications don’t stop there. The industry is also seeing a massive surge in data breach class action lawsuits and skyrocketing liability insurance premiums, further tying up the hospital’s resources for months or even years to come.

These circumstances are a call to action for healthcare providers, urging them to re-evaluate their approach to cybersecurity. The question isn’t whether you’re willing to invest in robust protection but, rather, can you afford not to?

Here’s what we can learn from some of the largest breaches of the last year, and how you can avoid making the same mistakes.

3 Major Healthcare Breaches from the Last Year

Ascension Breach 

Overview:
In May 2024, Ascension discovered a ransomware attack, in which attackers encrypt a victim's files and demand a ransom payment in exchange for the decryption key. The attackers gained access after an employee inadvertently downloaded a malicious file, and seven of Ascension's 25,000 servers were compromised.

Impact:
While we don’t yet know how many individual patients were impacted, the breach interrupted daily operations at 142 hospitals and pharmacies in more than 18 states. For weeks, many of these organizations were unable to access electronic health records or fill prescriptions, leading to disruptions in patient care and administrative processes. In some cases, they were also forced to divert patients to other hospitals, significantly impacting revenue. Additionally, class action lawsuits have already been filed against Ascension, alleging the organization failed to implement reasonable and appropriate safeguards to protect patient data.

Lesson: 
Since 2019, the healthcare industry has seen a 264% increase in large data breaches caused by ransomware attacks. The Ascension breach, which began with a single employee downloading a malicious file and ended with weeks of EHR and pharmacy downtime across 142 facilities, highlights an industry-wide need to re-evaluate cybersecurity strategies on two fronts: controls that keep one compromised workstation from turning into a server compromise, and incident response plans with tested downtime procedures so that patient care can continue when the EHR is unavailable.

Kaiser Foundation Health Plan Breach 

Overview:
In April 2024, Kaiser Foundation Health Plan, Inc. reported a data breach stemming from its use of tracking pixels, a common technology used to monitor how patients interact with websites and applications. Kaiser determined that these pixels were also transmitting HIPAA-protected data to external advertisers.

Impact:
At this time, there's no evidence that this data has been misused, but Kaiser went on to notify 13.4 million individuals of the breach. Although the most sensitive categories of data were not involved, names, IP addresses, search terms, and other information protected under HIPAA were exposed. As a result, Kaiser is facing a class action lawsuit in California with six claims of negligence and data privacy violations.

Lesson: 
The Kaiser breach emphasizes the importance of end-to-end visibility into an organization's cyber ecosystem, including the third-party scripts, SDKs, and pixels embedded in patient-facing websites and apps: what data they collect, and where they send it. A tracking pixel is not a breach of the perimeter; it is an outbound data flow the organization installed itself, and without an inventory of such flows it is impossible to ensure patient privacy.
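One way to get that visibility is to enumerate every third-party request a patient-facing page would make and check whether any of them carry search terms or identifiers in the URL. The script below is an added example for this article, not Kaiser's code or site: the sample page, the hostnames, and the list of sensitive parameter names are all constructed assumptions. It parses the page's `<img>`, `<script>`, `<iframe>`, and `<link>` elements, separates first-party from third-party destinations, and reports which external requests would leak a sensitive query parameter.

```python
"""Audit a patient-facing HTML page for third-party tracking requests.

Added example for this article, not Kaiser's code or site: the page below is
constructed, and the hostnames and parameter names are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: the organization's own origin; anything else is third-party.
FIRST_PARTY = "portal.example-health.org"

# Assumption: query-string keys that commonly carry search terms or patient
# identifiers. Tune this list to the application under review.
SENSITIVE_PARAMS = {"q", "search", "query", "term", "patient_id", "mrn", "uid", "user_id"}


class ResourceCollector(HTMLParser):
    """Collect every (tag, URL) pair that makes the browser issue a request."""

    URL_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href")}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for wanted_tag, attr in self.URL_ATTRS:
            if tag == wanted_tag and attrs.get(attr):
                self.resources.append((tag, attrs[attr]))


def audit_page(html, first_party=FIRST_PARTY):
    """Return one finding per third-party resource, listing any sensitive
    query parameters that resource would transmit."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        # Relative URLs and our own hosts are first-party; skip them.
        if not host or host == first_party or host.endswith("." + first_party):
            continue
        leaked = sorted(k for k in parse_qs(parsed.query) if k.lower() in SENSITIVE_PARAMS)
        findings.append({"tag": tag, "host": host, "url": url, "leaked_params": leaked})
    return findings


def third_party_hosts(findings):
    """Distinct external hosts the page talks to: the review list for a CSP."""
    return sorted({f["host"] for f in findings})


# Constructed sample page: a first-party script and logo plus two embedded
# trackers, one of which forwards the patient's search term and an identifier.
SAMPLE_PAGE = """
<html><head>
<script src="https://portal.example-health.org/static/app.js"></script>
<script src="https://tracker.example-ads.net/pixel.js"></script>
</head><body>
<img src="https://tracker.example-ads.net/collect?q=oncology+appointment&amp;uid=12345" width="1" height="1">
<img src="/static/logo.png">
<iframe src="https://analytics.example-metrics.com/frame?search=hiv+test"></iframe>
</body></html>
"""

if __name__ == "__main__":
    findings = audit_page(SAMPLE_PAGE)
    for f in findings:
        flag = "LEAKS " + ",".join(f["leaked_params"]) if f["leaked_params"] else "ok"
        print(f"{f['tag']:<6} {f['host']:<30} {flag}")
    print("review these hosts:", third_party_hosts(findings))
```

A static scan like this only sees resources written into the HTML; tag managers and analytics SDKs add requests at runtime, so pair it with a capture of the browser's actual network traffic, or deploy a Content-Security-Policy in report-only mode using the host list above and review what the reports show leaving the page.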

Welltok Breach

Overview:
Welltok, a healthcare software provider, experienced a third-party data breach in May 2023 through the exploitation of a zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer, a managed file transfer product from Progress Software that Welltok used to move data. The MOVEit campaign impacted more than 2,600 organizations downstream, including Welltok.

Impact:
The Welltok data breach affected nearly 15 million people, exposing names, dates of birth, addresses, health information, Social Security numbers, Medicare/Medicaid IDs, and health insurance information. In addition to severe reputational damage, lawsuits have been filed against Welltok, alleging negligence and failure to protect sensitive data.

Lesson: 
This incident emphasizes the potential impact of third-party risk: a product Welltok did not write, exploited before a patch existed, exposed the data of nearly 15 million people. Healthcare organizations must implement a comprehensive vendor risk management program, including regular audits and assessments of data-handling practices, and it should answer concrete questions: which vendors hold which data, how that data moves between parties (file transfer platforms are a classic chokepoint), and how quickly each vendor will notify you when it, or its own supplier, is breached.

6 Practical Steps to Enhance Your Security Posture

Establishing a stronger cybersecurity posture can seem daunting in such a high-stakes environment, but there are practical steps healthcare organizations can take to shore up their defenses.

  1. Ensure all systems are up to date.
    Staying on top of updates and patches is one of the most effective ways to secure your environment against criminals exploiting known vulnerabilities in outdated software, and internet-facing systems such as VPN gateways, remote access portals, and file transfer servers deserve the shortest patch windows. Closing those holes promptly makes it significantly harder for attackers to gain a foothold. Patching cannot stop a true zero-day like the one used against MOVEit, but how quickly the fix is applied once released determines how long that window stays open, so track patch status for vendor-managed systems as well as your own.
  2. Educate all staff on cybersecurity best practices.
    Phishing is another common cause of data breaches in healthcare. In this type of attack, threat actors trick an authorized user into entering login credentials on a fake page or into downloading a malicious file, and then use that access to reach your systems. Training employees to recognize and report phishing, paired with a simple way to report suspicious messages, significantly reduces the risk of a breach.
  3. Maintain a thorough inventory of all authorized devices.
    Unmanaged or forgotten devices are easy targets for attackers, so maintaining a comprehensive inventory of all devices connected to your network is vital. This allows you to track and monitor each device, ensuring proper security configurations and updates on all authorized devices. It also makes it easier to pinpoint when an unauthorized device is attempting to connect to the network.
  4. Prioritize third-party risk management.
    Third-party vendors, such as those providing medical equipment or IT services, can introduce vulnerabilities into your network. It’s crucial to assess the cybersecurity protocols of each vendor and ensure they adhere to strict security standards. Regular audits and assessments can help identify potential risks, so they can be addressed before they become a problem.
  5. Establish strict user access management policies.
    Granting data access solely based on convenience or repeated requests can be tempting, but it creates unnecessary risk. Implementing multi-factor authentication (MFA) and the principle of least privilege — only granting users the access they need to perform their specific tasks — minimizes the potential misuse of privileged credentials.
  6. Implement continuous security monitoring.
    Cybersecurity is an ongoing process, not a one-time fix. Deploying a continuous monitoring solution enables real-time detection of suspicious activity and potential breaches. This allows you to respond quickly and effectively to threats, minimizing their overall impact.
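Steps 3 and 6 come together in a simple check: reconcile what the network actually hands addresses to against the authorized-device inventory, and alert on the differences. The script below is an added example for this article, not ISG's tooling: the inventory and the dhcpd syslog lines are constructed, and it assumes the inventory is keyed by MAC address and records the subnet each device is approved for. It flags leases to MACs that are not in the inventory and leases that put a known device on a subnet it should not be on, reporting each condition once even when the lease renews repeatedly.

```python
"""Reconcile DHCP lease activity against an authorized-device inventory.

Added example for this article (steps 3 and 6), not ISG's tooling: the
inventory and log lines are constructed, and the log format is ISC dhcpd's
syslog output. Assumption: the inventory is keyed by MAC address and records
the subnet each device is expected to live on.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: MAC -> (device name, subnet the device is approved for).
AUTHORIZED = {
    "3c:52:82:1a:2b:3c": ("infusion-pump-07", ip_network("10.20.4.0/24")),
    "00:1b:63:84:45:e6": ("ward3-workstation-02", ip_network("10.20.1.0/24")),
    "b8:27:eb:11:22:33": ("lab-analyzer-01", ip_network("10.20.4.0/24")),
}

# Constructed syslog lines in ISC dhcpd format; no real hospital data.
SAMPLE_LOG = """\
Jun  3 08:12:01 dhcp1 dhcpd: DHCPACK on 10.20.4.15 to 3c:52:82:1a:2b:3c (infusion-pump-07) via eth0
Jun  3 08:12:09 dhcp1 dhcpd: DHCPACK on 10.20.1.40 to 00:1b:63:84:45:e6 (ward3-workstation-02) via eth0
Jun  3 08:13:44 dhcp1 dhcpd: DHCPACK on 10.20.1.77 to 8c:85:90:ab:cd:ef (android-9f3a) via eth0
Jun  3 08:15:02 dhcp1 dhcpd: DHCPACK on 10.20.9.30 to b8:27:eb:11:22:33 (lab-analyzer-01) via eth1
Jun  3 08:15:30 dhcp1 dhcpd: DHCPDISCOVER from 8c:85:90:ab:cd:ef via eth0
"""

# Only DHCPACK lines represent a lease actually handed out.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    kind: str    # "UNKNOWN_DEVICE" or "UNEXPECTED_SUBNET"
    mac: str
    ip: str
    label: str   # hostname the device claimed, or its inventory name


def reconcile(log_text, inventory=AUTHORIZED):
    """Scan dhcpd log lines and return one alert per lease that is either
    from a MAC not in the inventory or from a known device on the wrong subnet."""
    alerts = []
    seen = set()
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac, ip = m["mac"].lower(), m["ip"]
        entry = inventory.get(mac)
        if entry is None:
            alert = Alert("UNKNOWN_DEVICE", mac, ip, m["host"] or "")
        elif ip_address(ip) not in entry[1]:
            alert = Alert("UNEXPECTED_SUBNET", mac, ip, entry[0])
        else:
            continue
        if alert not in seen:    # the same lease renews often; report it once
            seen.add(alert)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in reconcile(SAMPLE_LOG):
        print(f"{a.kind:<18} mac={a.mac} ip={a.ip} {a.label}")
```

MAC addresses are trivially spoofed, so a match against the inventory is a detection baseline rather than proof of identity; the durable version of this control is 802.1X or a NAC that refuses the lease in the first place, with a check like this one watching the logs for what slips through.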

Partner with the Experts

With limited resources and a complex threat landscape, healthcare security teams often end up cobbling together a series of individual security solutions. As a result, they often serve more as vendor managers than drivers of strategic improvements. 

Instead, you can partner with a managed IT services provider to level up your security operations. These dedicated experts assess your individual security needs, implement and configure solutions to meet those requirements, and manage them on an ongoing basis — achieving a stronger security posture and freeing up internal resources to focus on serving your patients’ needs.

As a three-time CRN 500 Security Provider, ISG Technology’s managed IT services can lighten your cybersecurity burden, including everything from employee training to assessing third-party risk. We offer a no-cost consultation to highlight your security strengths and opportunities for improvement, as well as brokering connections with the right solutions to cover any gaps.

To learn more about how a partnership with ISG can strengthen your defenses and shift risk, speak with an ISG HealthTech expert.