Hacking incidents in healthcare organizations are escalating. New regulatory and compliance requirements are implemented as a result of the Dobbs and Pixel use. Lawsuits filed against healthcare companies are rising because of privacy violations. The data security strategies and compliance programs of HIPAA-covered entities and other healthcare companies are currently under increased scrutiny, and in the next 12 months there will probably be more enforcement actions and legal cases associated with privacy violations.
The lately publicized BakerHostetler Data Security Incident Response Report (DSIR) discusses these problems and gives information regarding the threat landscape to enable companies to know how to prioritize what they do and invest. This 9th-year report looked at 1,160 security incidents handled by BakerHostetler’s Digital Assets and Data Management Practice Group in 2022.
Following a spike in ransomware attacks in 2021, attacks in 2022 declined. However, ransomware activity increased at the end of 2022 and that spike has carried on in 2023. That spike happened together with more ransom demands, paid ransoms, and ransomware recovery times. In 2022, 6 out of the 8 industries tracked have increased average ransom demand and payment. In healthcare, the average ransom demand in 2022 was $3,257,688, and the average payment grew by 78% to $1,562,141. Over all industries, paid ransoms grew by 15% to $600,688.
There is also an increase in network intrusions. About 50% of all data incidents reviewed in the report involved network intrusions. BakerHostetler remarks that companies are becoming better at identifying and controlling these incidents, with dwell time going down from about 66 days (2021) to 39 days (2022). The time used for controlling dropped from 4 days to 3 days, and investigation time dropped from 41 days (2021) to 36 days (2022).
The upsurge in hacking and ransomware attacks has prompted organizations to spend more money in cybersecurity. Although security protection was improved, cybercriminals have discovered how to avoid those defenses and attack systems. Strategies such as social engineering, MFA bombing, EDR-evading malware, and SEO poisoning have proven successful in 2022.
The cost of cyberattacks grew considerably in 2022. The cost of forensic investigation increased by 20% from 2021 aside from the increased costs of business disruption, data assessments, notification, and indemnity claims. Legal costs associated with data breaches also grew considerably since multiple lawsuits are commonly filed following data breaches.
Data breaches involving 10,001 to 500,000 records have had 12-13 lawsuits filed on average. Even for small data breaches involving below 1,000 records have had 4 lawsuits filed on average. As per BakerHostetler, the number of lawsuits doubled since 2021 and it is now common to see legal action taken following a data breach. Lawsuits for violations of state privacy rules increased as 4 more states passed new privacy laws in 2022. There is one more new privacy law to be introduced in 2023.
In 2022, a Markup/STAT report explained the use of pixels (tracking technologies) on hospital web pages. These snippets of code are usually added to websites to monitor the activity of site visitors to enhance websites and services, however, the code additionally sends identifiable visitor data to third parties. The extent of using these tools without the website visitors’ knowledge got the attention of the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), The two agencies issued guidance on using these tools. OCR and the FTC have stated that Pixel-linked violations of HIPAA and the FTC Act are currently an enforcement top priority. The FTC already took action against entities regarding the use of these monitoring tools. Law companies are quick to file suits against healthcare organizations following these privacy breaches. Over 50 lawsuits were filed against healthcare companies because of Pixel-related breaches from June 2022.
Another study involving the use of Pixels by healthcare companies indicates that about 99% of US non-federal acute care hospital websites use pixels and could send out sensitive information. However, only a few healthcare companies have reported Pixel-linked data breaches to OCR to date. HIPAA enforcement actions by OCR may likely increase and many lawsuits will be filed as a result of these breaches over the next months.
HIPAA-regulated entities and non-HIPAA-regulated entities involved in healthcare will additionally likely face enforcement actions for reproductive health information privacy violations since the FTC and OCR have made reproductive health information privacy an enforcement priority. OCR is still active in its HIPAA Right of Access enforcement initiative, and compliance is still a priority.
BakerHostetler has additionally released an alert concerning HIPAA compliance for non-healthcare organizations, emphasizing that HIPAA is applicable to company-sponsored health plans. Data breaches at employer health plans increased in 2022 and will likely be under greater regulatory scrutiny, not only by OCR but by the Department of Labor as well. State attorneys general have also increased investigations into violations involving HIPAA and state laws in 2022.
BakerHostetler likewise saw a big increase in snooping cases in 2022. These cases involve healthcare workers snooping on healthcare files and trying to reroute controlled substances. The increase shows how crucial it is to make and keep track of logs of system activity to identify malicious insider activity immediately. BakerHostetler remarks that having systems for monitoring system activity anomalies is crucial to quickly discover hacking and ransomware cases.
Protecting an organization is a major challenge. With all the risks involved, spending more money doesn’t necessarily mean more efficient security, stated BakerHostetler’s National Digital Risk Advisory and Cybersecurity team co-leader Craig Hoffman. There are many things to consider including what permitted the security incidents to happen and what was done to deal with the issue. Considering that organizations have limited budgets and employees to implement and manage new solutions, sharing objective information about security incidents, from causes to solutions to effects, can help clients to know which undertakings to prioritize.