A major healthcare system recently experienced a ransomware attack that affected patient care, showing once again the importance of hospitals and other healthcare facilities implementing comprehensive cybersecurity plans.

CommonSpirit Health, which has 1,000 care sites that serve 20 million patients, is the second largest nonprofit health system in the nation, including 140 hospitals in 21 states. While it continued serving patients, operations were affected, with patients reporting delayed surgeries and medical procedures and CommonSpirit taking some systems offline, including electronic health records.

CommonSpirit is trying to determine if patient information has been accessed. Ransomware is a type of malicious software designed to block access to a computer system until money is paid. Criminals who perform these attacks are aware many organizations have the capability of restoring system operation without the need to pay the ransom. To increase pressure, they also typically exfiltrate sensitive information and threaten to make it public as additional leverage to induce payment of the ransom.

Latest Cyberattack on Healthcare Systems

This is the latest of many cyberattacks targeting healthcare organizations. According to a report by Moody’s Investors Services, data breaches affecting 500 or more medical records reported to the U.S. Department of Health and Human Services doubled from 2018 to 2021. Just in the first half of 2022, data shows 337 such breaches.

Attacks have been reported throughout the United States and world. In April, the U.S. Department of Health and Human Services issued a warning to businesses, including healthcare systems, that an aggressive ransomware group known as Hive had been linked to as many as three attacks per day. Two months before, when Russia invaded Ukraine, the American Hospital Association urged hospitals and health systems to remain vigilant against cyberattacks because of concern Russia would retaliate for economic sanctions levied by the U.S.

Healthcare systems are especially vulnerable. Moody’s Investors Service has about $22 trillion of global debt rated as “high,” or “very high” cyber-risk exposure, with hospitals among the sectors facing the highest risk of cyberattacks. Moody’s Cyber Heatmap, looks at two factors, exposure and mitigation and scores 71 sectors. Not-for-profit hospitals ranked “very high” for cyber risk because they are highly attractive, data rich targets with average mitigation measures.

Healthcare Systems Have Cybersecurity Concerns

Healthcare providers are highly concerned about cybersecurity. According to a new report from Bain & Company and KLAS Research, regional health systems, free-standing hospitals and mental health providers are especially focused on security and privacy investments, especially in areas such as cybersecurity, Internet of Things security and patient privacy monitoring, the author note.

The Healthcare Information and Management Systems Society 2021 cybersecurity survey found two out of three healthcare IT professionals reporting their organizations had a significant cybersecurity incident in the previous 12 months. Smaller hospitals and systems are also frequent targets, because they have fewer resources to repel cyberattacks.

HIPAA is the security and privacy regulation that obligates covered entities (health care providers, insurers and their business associates) to protect this type of information. CMS has an extensive set of cybersecurity controls drawn from the NIST SP 800-53 standard which, if fully implemented on all systems that store health information or have the potential to access those systems, will significantly reduce the risk of this type of event. When contemplating a HIPAA assessment, consider reviewing not only the policies which seek to implement these controls, but also assess the actual controls and the procedures which support them and ensure that they are running on all required systems.

Harris Beach Cybersecurity Tools

Harris Beach will continue to monitor developments on the current attack and future threats. Our experienced legal team monitoring the industry, regulation and threats, and provides a full range of data privacy and cybersecurity services – from compliance counseling and legal risk assessments to defense in litigation and regulatory investigations, as well as advisement on following the National Institute of Standards and Technology protocols. Harris Beach even offers a rapid response team in the event of a breach.

Harris Beach also offers technical support, including compliance tools that support risk management. Caetor.io, a wholly-owned subsidiary of Harris Beach, is a first-of-its-kind solution: software that integrates the law. Not only does it incorporate industry-standard security frameworks to ensure your policies meet or exceed regulatory requirements, it distills cybersecurity regulations into detailed controls to deliver policies that fit your risk tolerance and compliance requirements. This reduces dependency on legal counsel to provide regulatory mapping and cybersecurity compliance policies.

For more information on how your hospital or healthcare system can protect itself against cyber threats and stay in compliance with regulations, contact Alan M. Winchester at awinchester@harrisbeach.com / (212) 313-5403, or Roy W. Breitenbach at rbreitenbach@harrisbeach.com / (516) 880-8378.

This alert is not a substitute for advice of counsel on specific legal issues.

Harris Beach has offices throughout New York state, including Albany, Buffalo, Ithaca, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as Washington D.C., New Haven, Connecticut and Newark, New Jersey.