Healthcare Sector Faces Diverse Range of Cyberattacks

Recent data breach reports filed by a law enforcement benefits health plan, a healthcare staffing firm and a rural medical center are the latest examples of the diverse range of healthcare sector entities being targeted by cyberattackers.

Entities recently reporting major health data breaches to state and federal regulators include Law Enforcement Health Benefits Inc., a Philadelphia, Pennsylvania-based health benefits company; Grandison Management Inc./Towne Homecare LLC, a New Jersey-based healthcare staffing firm and provider of home health and nursing home care; and Labette Health, a 99-bed regional medical center in Kansas.

Law Enforcement Health Benefits Inc. reported to the U.S. Department of Health and Human Services a ransomware incident affecting nearly 85,300 individuals. Grandison Management Inc./Towne Homecare LLC reported to the state of Maine's attorney general a hacking incident affecting nearly 100,500 individuals, including patients and staff. Labette Health reported to HHS' Office for Civil Rights a 2021 hacking/IT incident involving a network server and affecting more than 85,600 individuals.

Each of the hacking incidents affected the protected health information of tens of thousands of individuals.

The variety of healthcare sector entities reporting recent major breaches involving hacking incidents highlights common challenges in the sector, some experts say.

Every organization should have critical security practices and controls in place, but small organizations will typically need to spend a higher percentage of their budget on security than larger ones to establish those baseline safeguards.

Regulatory attorney Rachel Rose says that cybercriminals are targeting all types of entities within the healthcare sector, and the FBI and other government agencies have said that Conti and other ransomware cybercriminals "intend to put as much pressure as possible" on their victims.

Conti has been implicated in a range of ransomware attacks across the healthcare sector, both inside and outside the U.S. That includes an attack last May on Ireland's Health Service Executive, the nation's state-run health services provider, and San Diego, California-based Scripps Health.

"All entities in the healthcare sector need to adhere to the requisite HIPAA Security Rule and National Institute of Standards and Technology regulations in order to have the most up-to-date technical, administrative and physical safeguards in place to prevent the worst harm possible - patient deaths," she says, adding that in the meantime, cyberattacks are going to increase.

"As the Department of Justice has noted, this is an area of enforcement interest for them, as well as HHS OCR," Rose says.