Tag: healthcare IT

67% of Healthcare Organizations Hit By Ransomware

The Traverse City, Mich.-based Ponemon Institute, an independent research firm, recently released a report entitled “The Impact of Ransomware on Healthcare During COVID-19 and Beyond.” The report is sponsored by the Boston, Mass.-based Censinet.

The report was commissioned by Censinet, a third-party risk management platform for healthcare providers, due to the large rise in patient care organizations, which the report refers to as health delivery organizations (HDOs), contacting the company after ransomware attacks or other cybersecurity incidents, and the attacks’ relationship to the COVID-19 pandemic. Additionally, Censinet noticed that much of the coverage of healthcare cybersecurity issues was not focused on patient care, and the company was looking for additional parallels to the increase in third parties that are an essential part of the care process.

Significantly, fully 67 percent of patient care organizations have now been victims of ransomware attacks, with 33 percent having already been hit at least twice.

According to the report, “The Ponemon Institute surveyed 597 HDOs for this report, including integrated delivery networks, regional health systems, community hospitals, and more. The Ponemon Institute conducted the research, analyzed the results, and produced the report. Ponemon is one of the top independent research firms for the healthcare industry. It was 100% independent. Censinet had no role in the research and did not have access to or know any of the participants.”

Further, “The purpose of this research is to understand how COVID-19 has impacted how healthcare delivery organizations protect patient care and patient information from increasing virulent cyberattacks, especially ransomware. Prior to COVID-19, 55 percent of respondents say they were not confident they could mitigate the risks of ransomware. In the age of COVID-19, 61 percent of respondents are not confident or have no confidence.”

Key findings from the report include:

  • When asked about what impacts ransomware had on patient care, 71 percent of respondents reported a longer length of stay and 22 percent reported an increase in mortality rate
  • When asked about the biggest concerns about ransomware resulting from their organization’s third-party risk management program (three responses could be selected), 54 percent said patient safety, 53 percent said care disruption, and 45 percent said ransomware
  • When asked what actions respondents were taking to ease their concerns (more than one response was permitted), 50 percent said outsourcing part or all of the functions to a managed service provider, 46 percent said allocating more budget toward risk management, and 44 percent said they were looking for automated solutions to improve efficiency
  • When asked about the biggest barriers to achieving their organization’s vendor risk management objectives (three responses were allowed), 47 percent said complexity of technologies that support vendor risk management, 44 percent said difficulty hiring personnel with the right skills, and 43 percent said lack of cooperation and collaboration among various departments
  • When asked what types of cyberattacks had increased since COVID-19 (more than one response was permitted), 60 percent of those surveyed said credential theft, 55 percent said compromised/stolen devices, and 43 percent said account takeover

The report has several recommendations for mitigating ransomware and third-party risks. “Ensure critical steps for identifying and mitigating third-party risks are in place,” the report states. “Sixty percent of organizations represented in this research had a data breach in the past two years, resulting in an average of 28,505 records containing sensitive and confidential information compromised. According to the research, organizations can only partially evaluate the various threats targeting their assets and IT vulnerabilities. They also lack the capability to continuously monitor vendor risks.”

What’s Next for Healthcare Technology Trends

When the pandemic hit in full force last March, healthcare organizations had to pivot overnight. What was once impossible became necessary, and what was once unlikely became an everyday occurrence. While this disruption came with growing pains — health organizations faced supply, staff and support shortages for months on end — the World Economic Forum notes that “the industry’s response has vividly demonstrated its resilience and ability to bring innovations to market quickly.”

In other words, the proverbial cat is out of the bag — and there’s no putting healthcare innovation back once pandemic pressures ease. Here’s a look at four key technology trends healthcare enterprises can expect in 2021 as COVID-19 comes under control.


1. Predictive Analytics in Healthcare

Although the first few months of the pandemic came with unparalleled uncertainty, ongoing work into the causes, mechanisms and mortality of the disease has yielded valuable healthcare data. By the beginning of December, researchers from the Johns Hopkins Bloomberg School of Public Health had developed a COVID-19 mortality risk calculator to estimate the potential of severe outcomes for individuals and inform vaccine rollouts.

According to Susan Snedaker, information security officer at Tucson Medical Center and interim CIO for TMC HealthCare, this is just the beginning for predictive analytics.

“There’s a lot of opportunity here,” she says. “Teams have improved their disease tracking and risk management. As information evolved, a lot of people were digging into the data to see if they could predict outcomes for patients or treatment plans that were being created on the fly. They saw the value of quick-moving data.”

She anticipates that after the pandemic passes, the value around predictive analytics in healthcare will remain, but adoption “will be slower and more thoughtful.”


2. IoMT: Connected Medical Devices Support Proactive Health Care

The Internet of Medical Things (IoMT) also gained significant ground during the pandemic, allowing providers to deliver proactive care at a distance. Applications have ranged widely, from connected wearables that report critical patient data to the deployment of “smart beds” in hospital settings to improve patient comfort.

The uptake of connected devices and digital health technologies went better than expected, says Snedaker.

“There was a widespread notion that people would be resistant to digital communication, but what healthcare pros realized was that families and patients liked brief, more frequent updates,” she says.

For TMC, this was reflected in the adoption of a connected device initiative that allowed operating room staff to quickly send patient status updates via group chat to a set of selected family members. These texts were prewritten, brief and one-way; information, not conversation, was the goal.

According to Snedaker, it worked. “We found these brief, frequent updates brought comfort to families, and we found the patient experience was better overall.”

3. Future Telehealth Advances Will Deliver the Best of Both Worlds

Together, many of the shifts that have taken place have moved the needle toward a more patient-focused experience of healthcare delivery.

“The pandemic pointed to the need for patient-centered healthcare,” says Stephanie Willding, CEO of CommunityHealth, the nation’s largest volunteer-based free medical facility. “Before the pandemic, there were many ways the industry wasn’t operating in a patient-centered way.”

One challenge that CommunityHealth had to overcome was pivoting operational approaches on the fly to account for the recall of volunteer providers to their primary care facilities. However, says Willding, the adoption of virtual visits has proved advantageous.

“Our no-show rate has gone from 18 percent to 5 percent,” she says. “This approach is now core to our model of care, with 40 percent of visits by video or phone.”

Although many providers expect the expansion of telehealth to persist even after patients and providers can safely meet in person, they also expect this technology-driven approach to undergo its own evolution. For Willding and CommunityHealth, this means combining low-tech solutions such as standard blood pressure cuffs with video tutorials, allowing patients to self-report key data.

Such solutions will be essential for healthcare organizations serving distributed, disparate populations who may lack access to unlimited smartphone data or high-speed broadband internet.


4. New Cybersecurity Concerns Increase Cloud Adoption in Healthcare

Changes in care delivery models also have implications for associated IT infrastructure, with cybersecurity concerns pushing some organizations to the cloud.

At TMC, a major transition to the cloud is underway, says Snedaker.

“We’re seeing articles about security gaps, and it’s because healthcare has primarily kept data on-premises,” she says. “As we deploy telehealth, infrastructure security becomes more important and more elusive. There’s no edge anymore — infrastructure is very porous.”

To solve for evolving cybersecurity issues in healthcare, Snedaker recommends that organizations shift both their technology and mindset.

“Not all organizations can keep up with the security learning curve,” she notes. “Moving to the cloud is no different than buying brand new technology for your on-premises data center and not knowing how to use it.”

In other words, simply deploying the scope and scale of cloud resources necessary to support tech-driven healthcare initiatives isn’t enough by itself. IT staff must be prepared to address common challenges, such as distributed denial of service attacks and ransomware, along with more targeted threat vectors such as COVID-19 vaccination scams.

For healthcare organizations, the new normal that’s on the horizon will come with an increased focus on technology-driven solutions to help better predict patient outcomes, increase consumer connectivity, embrace evolving telehealth expectations and defend the next generation of medical IT infrastructure.

Willding puts it simply: “It’s time to rethink space and place to deliver improved, patient-centered care.”

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period, according to the 2021 Mid-Year Data Breach QuickView Report from Risk Based Security.

Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets.


The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked sector with 194 reported incidents, followed by information with 180 data breaches.

The report shows there have been significant shifts in data breach trends in 2021. While data breaches have declined globally and have remained fairly constant in the United States, there has been a marked increase in ransomware attacks. Risk Based Security recorded 352 ransomware attacks in the first 6 months of 2021 and, if that pace continues, the number of attacks will be significantly higher than 2020.

Ransomware attacks are extremely costly in healthcare due to the long period of downtime, and without access to medical records patient safety is put at risk. This is of course known to ransomware gangs. The reliance on access to data and the high cost of downtime increases the probability of the ransom being paid.

In 2020, data breaches started to take longer to be reported and that trend has continued in 2021. This is in part due to the increase in ransomware attacks, which can take longer to investigate, but even taking that into account there were many cases when breach notifications took an unusually long time to be issued and that has started to attract attention from regulators.

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services,” said Inga Goddijn, Executive Vice President at Risk Based Security. “The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances.”

The majority of reported breaches (67.97%) were hacking incidents, with only 100 (5.66%) due to viruses, and just 45 email incidents (2.55%). There were 76 web breaches reported (4.30%); however, they resulted in the highest number of records being breached.

Data breaches that exposed access credentials such as email addresses and passwords have remained consistent with other years, with email addresses exposed in 40% of breaches and passwords in 33%. The majority of reported breaches in 2021 were the result of external threat actors (78.66%), with 13.75% caused by insiders. Out of the confirmed insider breaches, the majority were accidental (58.85%), with 18.52% caused by malicious insiders.

Risk Based Security also notes that breach severity is increasing. Large numbers of data breaches have been reported in 2021 that involved sensitive data, which is a particularly worrying trend.

How to Strengthen Your Healthcare Data Security with Software

Thanks to the pandemic, more and more patients have begun to engage with their healthcare digitally. That has a lot of far-ranging implications, from new and heightened expectations placed on younger medical providers to a new set of standards for patients when it comes to convenience and ease of engagement with their healthcare organization.

One other major implication of this new world we’re living in is the critical importance of healthcare data security.


According to a recent Software Advice survey of nearly 1,000 U.S. patients, one in five have had their healthcare data exposed in a security breach.

Experiencing a data breach or cyberattack is a massive blow to any healthcare organization, but it is exponentially more difficult to recover from if you’re a smaller, independent practice.

This is why it’s crucial for small practices to have the right data security software in place to protect your patients and your practice against data risks. In this article, we’ll cover specific HIPAA data security requirements, two types of software you should invest in to protect your data (EHRs and cloud security software), as well as specific features that make data security software so valuable.

How to meet HIPAA requirements for healthcare data security

Thanks to HIPAA, a lot of healthcare data security standards have already been established, so for many practices, it comes down to following these guidelines.

According to the HIPAA Security Rule, healthcare entities are expected to conduct internal risk assessments in order to test their data security protocols, as well as implement security programs to protect their sensitive data.

Security programs are comprised of three distinct safeguards:

  • Administrative
  • Physical
  • Technical

It’s easy to get hung up on the last one since there are tons of cybersecurity systems available, but let’s take a closer look at the first two elements before diving into software.

Administrative safeguards to protect patient data

One of the most common causes of healthcare data breaches is unauthorized access or disclosures. In layman’s terms, that means employee error and/or negligence as well as malicious employees.

This is a great reason to install specific administrative protocols that prevent employees from mishandling patient data.

Here’s a quick summary of these administrative best practices:

  • Device management: Keep all computers, tablets, and mobile devices used to access patient data up to date and secure.
  • User-based controls: Limit who can access patient data and implement strict password protocols to hold users accountable for carefully accessing private data.
  • Team training: Conduct regular training and refresher sessions to ensure employees have a firm understanding of the importance of data security as well as best practices.

For a detailed look at administrative practices any healthcare organization can employ to avoid a data breach, check out “Best Practices for Avoiding HIPAA Violations in Healthcare.”

Physical safeguards to protect patient data

HIPAA requirements include physical safeguards to protect patient data.

These are defined as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

So this element of a strong data protection plan is two-pronged:

First, you must ensure your data will not be destroyed by natural disasters such as flooding or fire. In 2021, that generally means keeping patient data secured in the cloud rather than on hard physical copies.

Second, you must have physical barriers in place to prevent unauthorized individuals from accessing your patient data. That can be as simple as having a lockable door between the outside world and the devices you use to access and record patient data. It can also mean securing those devices with strong passwords.

Software: the healthcare security heavyweight

Finally, let’s bring out the big guns and discuss the software systems that can help protect you and your patients from data security breaches. We’ll take a look at the two most important types of software to ensure data protection:

EHR security features

Using an EHR with the right security features will go a long way in keeping your and your patients’ data protected. Fortunately, most certified EHRs come with standardized features to achieve this goal. The features to look out for are:

ONC-ATCB certification. This means the tool has been tested on three key areas by an Authorized Testing and Certification Body that has been recognized by the Office of the National Coordinator. Those three key areas are functionality, interoperability, and security—that’s right! If an EHR is ONC-ATCB certified, that means it has passed tests confirming it has security measures in place to keep protected health information (PHI) safe.

Audit trails. This feature tracks and documents every action taken with patient information, including who accessed the data, where and when they accessed data, and what changes they made once they accessed it.

Password protection. This includes robust controls such as lockout features that will bar access if the wrong password is entered too many times and two-factor authentication to ensure the right person is using the password to access protected data.

Data encryption. Not only can data encryption make transferring patient data more secure (by only allowing recipients with the right access key to decipher the data), it can also be very helpful in the event that data is stolen as it will make it harder for the thief to actually read your data.
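To make the audit trail feature above concrete, here is an added example (not taken from any EHR product or from this article's sources) of a log that records who accessed a record, from where, when, and what they changed, with each entry chained to the previous one by an HMAC so that edits, deletions and truncation are detectable. All function names, field names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value used by the first entry


def entry_mac(body: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of one entry (without its MAC)."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_event(log, key, *, user, source, timestamp, action, record_id, change=None):
    """Append one access event: who, from where, when, and what was changed."""
    body = {
        "seq": len(log),
        "user": user,            # who accessed the data
        "source": source,        # where they accessed it from
        "timestamp": timestamp,  # when
        "action": action,        # read / update / export ...
        "record_id": record_id,
        "change": change,        # what was changed, if anything
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry = dict(body, mac=entry_mac(body, key))
    log.append(entry)
    return entry


def verify_chain(log, key, head=None):
    """Return the index of the first bad entry, or None if the log is intact.

    `head` is the MAC of the last entry as stored somewhere the log writer
    cannot modify; without it, removal of the newest entries goes unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i  # entry deleted, inserted or reordered
        if not hmac.compare_digest(entry_mac(body, key), str(entry.get("mac", ""))):
            return i  # entry content edited after it was written
        prev = entry["mac"]
    if head is not None and prev != head:
        return len(log)  # log was truncated (or extended) after `head` was saved
    return None


def access_report(log, record_id):
    """Answer "who touched this patient record, from where, and when?"."""
    return [(e["timestamp"], e["user"], e["source"], e["action"])
            for e in log if e["record_id"] == record_id]


def demo():
    # Constructed sample data; assumption: the real key is held outside the EHR database.
    key = b"constructed-demo-key"
    log = []
    append_event(log, key, user="nurse_kim", source="ws-ward3",
                 timestamp="2021-09-01T08:15:00Z", action="read", record_id="MRN-0001")
    append_event(log, key, user="dr_lee", source="ws-clinic1",
                 timestamp="2021-09-01T09:02:00Z", action="update", record_id="MRN-0001",
                 change={"field": "allergies", "old": "none", "new": "penicillin"})
    append_event(log, key, user="billing_svc", source="app-billing",
                 timestamp="2021-09-01T09:30:00Z", action="read", record_id="MRN-0002")
    head = log[-1]["mac"]

    tampered = [dict(e) for e in log]
    tampered[1]["user"] = "nurse_kim"  # someone rewrites who made the change
    return verify_chain(log, key, head), verify_chain(tampered, key, head)


if __name__ == "__main__":
    print(demo())
```
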

Cloud security software for healthcare providers

If a secure EHR is one side of the data security software coin, cloud security is the other side.

The beauty of a cloud security system that is specifically geared towards the healthcare industry is that it automates so many processes associated with data security. For example, HIPAA requires covered entities (e.g., medical practices) to run regular risk assessments in order to identify any vulnerabilities and address them.

Most HIPAA-compliant cloud security systems are capable of running these assessments automatically. Some other common features of this type of software include:

  • Threat detection and response: Using analytics and other tools, software can identify attacks as they’re happening and also help users respond immediately to protect their data.
  • Malware protection: Software actively searches for malicious software or code, viruses, trojans, worms, etc.
  • File integrity monitoring: Ensures all files are secure and protected against unauthorized access or changes.

For small, independent practices that are delving deeper into the digital healthcare experience, having these robust security tools in place will go a long way to protecting patient data. They’ll also provide peace of mind, which is a valuable commodity in this day and age.

Choosing the right data security software

Some practices already have secure EHRs and cloud security systems in place. Some are working with a good EHR, but haven’t installed a cloud security system. Others are starting completely from scratch.

Regardless of your situation, it’s a good idea to run an assessment on your current software security stack to make sure you’re covered. If you identify any gaps in your EHR security features or cloud security system, it’s wise to get those covered as quickly as possible.

How Technology can Improve Cybersecurity in Healthcare

While we like to think that healthcare organizations always have our best interests at heart, they are treasure troves of private patient data. That information is alluring to hackers and cybercriminals. When not protected, the theft of patient data can be incredibly damaging to the patients and the organization itself. So, it is within the best interest of all healthcare entities to do what they can to keep that data secure.

Luckily, while hackers continue to create new ways of stealing information, the tech industry has been keeping up as well. Due to these advancements, there are now methods that organizations can use to make data security a priority once again. Let’s look at the common threats and how healthcare administrators can defend their systems and protect their patients.


Why is Healthcare at Risk?

The healthcare industry is at constant risk of a cyberattack, and the reason for this is simple. Every time a new patient comes in for care, they fill out forms and provide a wide breadth of information to the administrator, which often includes anything from birth dates and social security numbers to places of employment and pre-existing conditions. Any of this information can be used for malicious means. Emails and names can be used to send phishing emails. Hackers can use social security numbers to take out fraudulent loans. And any of this information can also be sold on the dark web for other criminals to use for their own unsavory practices.

Another reason that hackers intentionally target medical practices is that they know that many doctors, nurses, and administrative professionals don’t take cybersecurity as seriously as they should. Recent studies show that four out of five physicians have been the victim of cyberattacks and phishing emails, and only 20% of small medical practices have any form of cybersecurity protection at all. This is often because doctors hold the physical health of their patients as the priority and fail to see data breaches and cybercrime as the dangerous threats they can truly become.

All medical establishments need to understand the risks of cybercrime. It is essential not only for the protection of their clients but also to comply with the guidelines required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Along with the act, the HIPAA security rule states that healthcare organizations must put protections in place to ensure that patient data is not stolen or lost due to faulty systems or employee negligence.

As you can see, there are many reasons to protect patient data, and employee training and technology are the answers.

You can make sure your employees will go through the cybersecurity education process smoothly by making it engaging.

Tech to the Rescue

The tech used to diminish potential cybersecurity risks has grown by leaps and bounds over the years. As a start, artificial intelligence (AI) is becoming a major tool for protecting healthcare companies and other industries because when hackers repeatedly attempt the same tactics, AI can catch the pattern and block the intrusion. On the other side of the coin, if a threat goes against the usual pattern, AI can also catch that. While it is a great tool, hospitals first need to put the technology into effect to benefit.

Recently, ransomware has become a larger threat to healthcare systems. This is a tactic used by hackers to access your system and then prevent usage of the machines and data until a sum of money is paid to the criminals. This can be especially dangerous when surgeries and other operations are being conducted, as the inability to help the patient could result in their death. While it won’t solve the entire issue, having operational backup systems could be lifesavers. If all data is backed up on a separate server, it could allow the hospital to access the data from there instead of giving in to the hacker’s demands. After that, the authorities should be contacted.

A common cybersecurity threat that affects many industries is the phishing attack, which often occurs in email. This strategy creates a communication that looks to be legitimate but instead contains a link or attachment, that when clicked or opened, creates a doorway between the victim and the hacker, and from there, they can cause damage to the system. It can be easy for admins and doctors to fall for phishing scams at a busy hospital, so put tech to use via email filtering tools. These programs, such as SpamTitan and Spam Bully, will block unwanted messages while also scanning any attachments for threats. It is simple and easy to install these programs, but their protection cannot be underestimated.

Common Sense Tech Solutions

Even if a healthcare organization installs some of these tech solutions, they are powerless unless they are also protected, keeping them secure with smart passwords and two-factor authentication. To provide the best protection, passwords should include a combination of letters, numbers, and special characters. They should also be changed routinely every couple of months. On top of a good passcode, two-factor authentication will provide an extra layer of security, with an additional randomly generated code that is also entered, which hackers will not be able to identify.

The implementation of basic security software can go a long way to protecting your data. This includes putting a firewall in place and encrypting all new data that is entered into the system. Antivirus software can protect hospital computers against a myriad of cyber threats, from malware to ransomware scams. Keep in mind that antivirus software can only be truly effective if it is updated whenever a new version becomes available as it will detect the newest threats.

To be truly protected, a healthcare organization must secure all of its devices, not just the mainframe computers. That means also protecting mobile devices at all costs. If possible, phones and tablets should not be used outside of the hospital, and if they are, they must also be password protected. A good way to have all-around security is by installing a virtual private network (VPN), which will disguise the location of all devices and encrypt the data within automatically so it cannot be used even if stolen.

The need to protect our healthcare industry against cyberthreats is of utmost importance, and with smart tech and streamlined security practices, it can be accomplished. Give your patients peace of mind when they use your services by implementing these strategies today.


What is Social Engineering and how can you avoid it?

What is social engineering?  In a nutshell, it is a technique to hack humans.  It is the psychological manipulation of human nature used to trick people into divulging sensitive information like usernames, passwords, or other information that can be further leveraged in an organization to gain legitimacy and trust.  Common forms of social engineering are phishing emails, vishing (voice phishing), smishing (phishing via text messages), and fake alert pop-ups on websites that warn you have a virus.

More than likely, you have experienced these sorts of social engineering attacks first-hand.  Why are these types of attacks so successful?  They use proven psychological manipulation techniques that take advantage of our very nature as human beings living in a community.  In most cases it is easier for a malicious actor to hack a human than to hack a deeply technical vulnerability on a company network.  Why go through all the trouble of writing an exploit program to hack a firewall when you can just send out a few well-crafted and highly targeted spear phishing emails, or call the company and pretend to be a member of the IT department and get all the information you need to access a network?

Best methods to combat social engineering attacks

Your users are your best line of defense.  Give them the tools they need to recognize and defend against social engineering.  Security Awareness Training is very effective at reducing vulnerability to social engineering methods.  A combination of ongoing phishing testing and educational training modules to keep all users at a heightened awareness level is very important.

Multi-factor authentication.  Because humans are human, there will be occasions where they may accidentally and unknowingly divulge a password in a social engineering attack.  With the 2nd factor of authentication required to access any system, it makes it much more difficult for a hacker to use the password to access any resources.

Written by: Michael Spurr, MSP Manager

