Shields Health Care Group, a large New England-based medical service provider specializing in MRI, PET/CT and ambulatory surgical services, recently revealed the details of a significant data breach suffered in March 2022. The breach compromised sensitive patient information, giving the threat actor(s) access to the personal data of approximately 2 million patients stored with Shields, including information that reveals patients' identities, insurance details, medical history and more.
It was determined that the hacker(s) had access to that data for about two full weeks, from the onset of the attack on March 7 to its conclusion on March 21. The source, location and identity of the perpetrator(s) have not yet been determined, and an investigation is ongoing.
How Shields is responding
In an official statement, Shields said, "[We've] taken steps to secure our systems, including rebuilding certain systems." They're working with subject matter experts to learn more about the breach and determine additional steps they need to take to further secure the compromised data.
At this time, it is still unclear whether the stolen information has been misused. After its initial response, Shields offered clients additional information, resources and tips to help protect their data in the wake of the incident.
Health care organizations' cyberattack preparedness by the numbers
The health care industry is in a vulnerable spot. The sensitivity of stored health and financial information — and some health care organizations' tendency to be behind on modern and effective IT risk management strategies — make for an appealing and lucrative target to threat actors.
A study reported by Becker's Hospital Review shows that, despite the rising number of cyberattacks against health care organizations, 80% of these facilities have not completed a cybersecurity drill with an incident response process, and 73% say they are wholly unprepared to respond at all.
Strong and effective incident response and cybersecurity risk management processes are great places to start when combating the increasing risk of cyberattacks. This might include things like:
- Increased cybersecurity training to improve employee knowledge on the subject.
- Running regular tabletop-style drills to test and optimize risk management practices.
- Assessing risk often to keep up with changing tactics, entry points and vulnerabilities used by bad actors to gain access.
These responsibilities shouldn't be left to the organization's IT department alone, either. While IT plays an integral role in these processes and is often on the front line of cybersecurity, a more effective approach involves the entire C-suite, including leaders in security, marketing, communications, human resources and other departments. Involving a wide breadth of departments strengthens teams across the board and prepares each of them for its role when an incident occurs.
Above all, training seems to be the most important – and one of the most lacking – initiatives. Human error has been, and continues to be, the number one cause of data breaches against health care organizations. Giving employees and leaders more insight into the ways attackers gain access to information strengthens the organization's overall risk management program. Some examples of common entry points include:
- Email phishing scams that harvest credentials or deliver malware.
- Internet-facing virtual private network (VPN) gateways, typically compromised through unpatched flaws or stolen credentials.
- Exposed remote desktop protocol (RDP) services, typically attacked with stolen, reused or brute-forced credentials.
What's the solution for health care organizations in the wake of these recent and more frequent attacks?
With cyberattacks unlikely to diminish in frequency or severity anytime soon – in fact, they're projected to get worse – health care cybersecurity infrastructure needs to adjust accordingly. But aside from increased training and more comprehensive processes, what else can be done?
Health care organizations should consider increasing their spending on cybersecurity initiatives. Hospitals allot only about 5% of their total IT budgets to cybersecurity, according to Becker's Hospital Review, a low share compared to other industries. Considering that 82% of hospitals report having experienced a cyberattack, that is not nearly enough to fund a proactive and effective security program.
- More education and training;
- More IT spending on cybersecurity; and
- Regular testing and assessment of vulnerabilities and risk management strategies.
These are all key areas that health care organizations should focus on moving forward.
Shields Health Care Group is just one of 43 health care sector data breaches reported in March 2022. That is below the monthly average of 57.75 breaches, according to the HIPAA Journal. One month below the average is welcome news, though a single month does not establish a downward trend; we hope the numbers continue on that path.