Cybersecurity breach reports low during the pandemic

September 7, 2020
Drew Boxler

Editor of Physician's Practice

A new report from CI Security suggests cybersecurity breaches were lower during healthcare's rapid transition to virtual care throughout the pandemic. In this episode of Perspectives, we look at why this might be and other aspects of their report with CI Security's Healthcare Executive Strategist, Drex DeFord.

Welcome to Perspectives, brought to you by Physician’s Practice.

Every two weeks, we will be exploring key areas of a successful, thriving, independent practice. We’ll hear from experts in the industry regarding best practices for billing and collections, answer your top coding questions, analyze current legal trends, malpractice landmines to avoid, and look at the hottest tech innovations to increase productivity and enhance the patient experience.

Physician’s Practice: No, you have not been fooled. We are already breaking our bi-weekly lineup to bring you this special podcast feature. Physician’s Practice recently spoke with Drex DeFord, Healthcare Executive Strategist at CI Security, about their recent report on cybersecurity breaches in 2020.

Healthcare’s unprecedented shift to telemedicine and other virtual services as communities shut down likely raised security fears for practices. One might expect that cybersecurity breaches increased during this time due to the insecure setups erected on such short notice.

CI Security recorded breaches reported to Health and Human Services in the period between March and May 2020 – the time of the initial shift to virtual services.

Compared to the second half of 2019, according to CI Security’s report, HHS breach reports from healthcare organizations are down 10.4% in the first half of 2020, and reported breached records are down nearly 83%.

So why might the total number of reported breaches be down during a time of mass transition? Here’s what Drex had to say…

Drex DeFord: Yeah, I think when it comes to online and virtual services, they're something that's being added, and it's additive to the work that they would normally do. So, you know, it's interesting: healthcare organizations at all levels, but especially smaller organizations, are really overstressed during the pandemic, and at the same time, the IT departments are sort of outgunned by a lot of the cyber criminals.

These are great folks. They're working really hard. They're trying really hard. They understand what's needed, but realistically, they're tasked with a lot of other stuff outside of cybersecurity. 

And in many cases, especially smaller places, they're tasked with supply chain or other administrative services so distraction is very much a part of the battle when it comes to cybersecurity services.

And your question about why would the number of reports and the number of breached records go down during the pandemic and during a time when healthcare organizations are making a transition to telehealth services is kind of ultimately the mystery of the report, right?

We've not really seen downward trends in the past, which makes us a little suspicious of the numbers. So, we went through sort of a bunch of different possibilities. One is that healthcare organizations are just doing a much better job of cybersecurity. And we hope that's true. We think that in many cases that that might be part of the answer to this question about why the number of breaches went down, but we think there are some other possible options too, and one of them is that, you know, Health and Human Services in the early stages of the pandemic issued some exceptions to enforcement that they were going to do when it came to breaches.

And we wonder if some organizations sort of misunderstood some of those exceptions and maybe just haven't reported because they thought maybe they have more time, or they have some allowance not to do that, which turns out really isn't true. Another one is that healthcare organizations might just, during the pandemic, doing all the things they're doing, have been too busy to be able to report. And another one is that, you know, early in the pandemic cybercrime gangs said they were going to go easy on health care, and maybe that's been the case.

But you know, we're skeptical about that one, because based on all the reporting that we've seen, it turns out they're just getting pounded right now. So, we don't think that's it, which leaves us kind of with this other idea that really worries us a little bit—maybe healthcare systems and practices have been breached, and just don't know.

Yet, we know from a lot of studies that have been done that healthcare sometimes takes up to 329 days from the time they've been breached to the time they realize they've been breached. And so that kind of gets us to this conclusion of, we wonder if it's not going to be a really interesting second half of 2020.

Physician’s Practice: Though these lower numbers in the CI Security report are likely due to a lack of reports, Drex says that they expect numbers to surge in the coming months. 

Drex DeFord: Yeah, given the sort of scenario that we've laid out in the report, we think that it's likely that the second half of 2020 and early 2021 will show increases in both the number of reports and the number of records breached, if we're right about that theory, in some healthcare organizations, especially smaller hospitals and practices, who may be breached but don't know it yet.

Physician’s Practice: Drex says that, although overall reports are lower, provider organizations still lead the way in the data included in their 2020 report.

Drex DeFord: In the report, we actually went back and took all of the data from the Health and Human Services breach portal and took it apart by micro-segments, and sort of divided it by each type of organization: whether it is a hospital, or this is a behavioral health organization, or a specialty clinic, or a dental clinic, right on down the line. And what we found is that while hospital systems are accountable for most of the breaches, not too far behind are specialty clinics and things like home care. So, you know, again, I think this comes back to, in many cases, if they're smaller organizations, they work really hard.

Physician’s Practice: And of the data included in CI Security’s 2020 report, hacking and IT incidents are still the most prevalent cybersecurity breach type, according to the data available.

Drex DeFord: It's interesting to think, too, that in the second half of 2019, just two reports, two reported breaches, accounted for 22 million records being exposed.

So it doesn't take a bunch of reports to get to a bunch of breached records. It really can happen: just one breach at the right place, the right organization, can expose a lot of records. So even in the first half of 2020, with only 3.8 million records being exposed, and that sounds really good compared to 2019’s second half of 30 million records being exposed, right? Sounds like we're doing a really great job. But with only 3.8 million records being exposed in the first half of 2020 through hacking and IT incidents, again, we look at that and think we're probably right to be suspicious of that number.

Physician’s Practice: Hackers are commonly anonymous. Unfortunately, there may not be ways to identify who these perpetrators are nor where they are located; however, Drex says that early in the pandemic he and others at CI Security saw reports that these individuals were banding together to ease up on healthcare attacks during the stressful time. 

Drex DeFord: Yeah, I think that there are, in the, you know, the cyber security world, there are, I don't know, ‘consortiums’ might be a good way to think about it. I think there's a lot of independent players and then some that sort of try to work together.

Especially, I think, you know, these folks, many of them may know of each other or have ways to communicate with each other. And early on in the pandemic, this is where we saw sort of the word coming out that particular groups were saying they were going to lay off health care. 

I think it was an interesting thing to say right early on. But, it also sort of shows that even when a group of them get together and say, “We're going to lay off on health care”, there’s no sort of centralized control of cybercriminals. They are independent, and they do what they want, when they want, how they want. They don't sort of take command and control from anyone.

And so the reality is, when we talked to folks in the field, when we looked at all the reporting that was going on, healthcare was being pounded by some really interesting phishing attempts. Obviously, in the pandemic, there's a lot of really interesting ways to write emails and do those kinds of things that make end users really want to click to find out the latest data about what's happening in their particular zip code, or any number of other things.

When you saw people leave the central offices and get sent to work from home, we wound up seeing, you know, an increase in attacks where cyber criminals were trying to phish individuals who in the past would have walked down the hallway to talk to the treasurer about a financial transfer, but given that they work from home, they can't really do that. And so if it was a really convincing email, they might just actually take the bait on that, and those are the kinds of things that we worry about as part of all the changes and all the distractions that have been associated with the pandemic.

Physician’s Practice: Our sister publication, Medical Economics, recently spoke with Matt Gyde, CEO of NTT Ltd. Security Division, about similar issues with cybersecurity in healthcare at the moment. 

Though the conversation concerned larger hospital systems, Medical Economics did also ask about these hacker groups.

Here’s a clip from their conversation where Matt Gyde explains who the hacker groups and individuals are and what they typically are going after.

Matt Gyde: Each group is after something different. So, you know, from a lot of research going on at the moment around trying to find a solution to COVID—how do we immunize against it or is there a piece of medicine that can help solve the problem? So obviously, some groups are going after intellectual property, to see if they can get a step ahead without having to do the work. A lot of the cybercriminals are going after money right now. So if you've got a critical piece of infrastructure within your hospital, maybe it's an X-ray machine, maybe it's an MRI, that they can get ahold of and put some ransomware on it, the facility can't use it any longer, and potentially be in a position where they either scrap the machine or pay a ransom. Then you get down to the individuals who are just trying to test out their skills. What we've seen is a lot of variants in terms of the malware that have been used to attack at the moment. We've got a core group of malware that people are adding additional code onto, and so it's unfortunate.

Physician’s Practice: Ostensibly, the shift to a relatively new form of care for most physicians and patients has resulted in new lessons learned. When asked what he thinks the biggest cybersecurity lessons of the pandemic have been, Drex had this to say…

Drex DeFord: Um, I think, you know, I go back to this idea about distraction and the amount of distraction that's there for health systems and for practices right now. There were a lot of things to deal with in the first half of 2020. You talked about telemedicine programs, and a lot of organizations without them built telemedicine programs from scratch, and did it very, very quickly. They also sent employees home to work. Many of them had zero tolerance for work from home, and overnight they sent hundreds and thousands of employees to work from home.

In health systems in hospitals, they brought back previously retired employees or temp nurses or others to work in the system. So those new people had to be provisioned really quickly to be able to get them on board and get them up and running really quickly. They stood up drive through testing services or other new locations that hadn't existed before. And again, they had to do it really quickly.

They had new requirements to share data for public health, they added new equipment in the lab and in the ICU and for entry screening at the front door. And they connected new suppliers for supply chain, for PPE, and other issues and challenges that they were having at the time, and they did all of that very, very quickly. And that means that we think many organizations made exceptions, even if they had really good cybersecurity programs.

They made exceptions, and those exceptions are the kinds of things that, if they're not tracked closely and resolved quickly, cybercriminals love, because those exceptions often mean that an organization's created a crack in their security program that can be taken advantage of by bad guys. 

That's probably the one, you know, we worry about the most.

Having said that, I think it's really important that organizations put together good monitoring for their network. Most healthcare organizations have done a decent job of building sort of a castle wall around their organizations with firewalls and other tools, hardware and software tools that are meant to keep the bad guys out. But today we kind of see, again, back to phishing, we see that the frontline cyber warrior in all of this is a person in the supply chain.

Or, you know, the person at the front desk: they get the email, they fall for it, they click the bad link, or they're out surfing the web and they go to a bad website, and suddenly all those defenses that healthcare organizations have put up are defeated. The bad guys come right through and get access to the network. So, you know, if I'm looking at what do we do next, or where should organizations be looking, you know, put your Cyber Security Operations Center into overdrive.

If you're not monitoring your network internally, if you're not sort of in the model of ‘We're bound to be breached, it's just a matter of when, not if’. And so if you're monitoring your network, you're probably in a much better position to be able to catch these problems and fix them quickly and return to normal operations than if you're not. And if you can't build a SOC, or Security Operations Center, if you can't have that kind of monitoring in place,

your best bet is really to partner with an organization that can do that kind of work for you. And that’s a really, really important thing to do. Also, just practice good cyber hygiene. Make sure you're continuing to have these conversations with your organization and your employees about phishing emails and how they work, and, you know, not to click, and do all the things that organizations do to keep themselves safe and secure from a cybersecurity perspective.

Outro

Thank you for listening in to this special episode of Perspectives from Physician’s Practice, featuring Drex DeFord from CI Security.

And a big thanks to Medical Economics for letting us borrow a clip from their conversation with Matt Gyde. If you would like to hear more from that particular conversation, clips from their video interview are available on their site, medicaleconomics.com

We hope you subscribe where you listen to podcasts, rate us, and let us know what topics you would like to hear more about.

For more practice management insights from the top experts in the field, be sure to visit us at physicianspractice.com and sign up for our newsletter.

We will resume our regular publication schedule next week, where we will be discussing the biggest administrative burdens practices are facing today, and then the key determinants of success for new practices.