Also known as the “Wall of Shame,” the U.S. Department of Health and Human Services’ Cases Currently Under Investigation details hundreds of breaches reported by healthcare organizations across the United States over the last 24 months. The number of threats, and the cost of those threats, continue to rise.
While healthcare industry organizations work with federal lawmakers on ways for government to help address the relentless cybersecurity attacks on critical healthcare infrastructure, the industry is hyper-focused on issues like how to move the needle on third-party cybersecurity, collaborating to improve cyber preparedness and best practices for initiating cybercrime investigations. Here are Healthcare IT News’ most-read privacy and cybersecurity stories of 2022.
EHR vendor hit with lawsuit following data breach. In January, Tennessee-based QRS, which provides EHR and practice management software, was accused of failing to implement recommended risk measures to prevent and detect cyberattacks stemming from an August 2021 data breach of its patient portal. “QRS did not reasonably secure, monitor and maintain the protected health information and personally identifiable information stored on its patient portal,” the plaintiff said.
CommonSpirit still working to restore EHR systems after ransomware attack confirmed. The October cyberattack caused a widespread outage at CommonSpirit hospitals and medical facilities across multiple states. After the 2017 merger of Dignity Health and Catholic Health Initiatives, the system became the second-largest non-profit hospital chain with more than 350 hospitals nationwide. Lost access to medical records and patient portals, delayed medical procedures, canceled appointments and other disruptions plagued operations at upwards of 140 facilities. After further investigation, CommonSpirit discovered that the breach had also exposed protected data held by Virginia Mason Franciscan Health.
PATCH Act seeks to shore up security for medical devices, IoT networks. In April, Sens. Tammy Baldwin, D-Wisconsin, and Dr. Bill Cassidy, R-Louisiana, introduced the Protecting and Transforming Cyber Health Care Act to implement a series of new requirements for medical device and network security. While the PATCH Act, which would have amended the Food, Drug and Cosmetic Act, was not passed this year, the FDA released draft medical device cybersecurity guidance in April and worked with MITRE to release an incident preparedness and response playbook.
FBI spotlights cybersecurity risks of outdated medical devices. The Federal Bureau of Investigation released recommendations to address a number of cybersecurity vulnerabilities in active medical devices like insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps. The agency found an average of 6.2 vulnerabilities per medical device and that 40% of medical devices at the end-of-life stage offer little to no security patches or upgrades. Hospitals
FBI, CISA warn of Zeppelin ransomware targeting healthcare. In August, the FBI and Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a joint alert that Zeppelin ransomware, a derivative of the Delphi-based Vega malware family, was being used in cyberattacks aimed at healthcare organizations. Cybercriminals have deployed Zeppelin against a range of critical infrastructure organizations since 2019, requesting high ransom payments in bitcoin and exfiltrating data, according to CISA. The alert outlined the tactics, techniques and procedures and incidents of consequence as well as recommendations to help hospitals and health systems mitigate its risks.
Cybersecurity incident disrupts operations at Tenet hospitals. In April, Dallas-based Tenet Healthcare Corporation suffered disruptions to some of its more than 550 acute-care operations that included turning ambulances away in Massachusetts and losing access to EHRs in Florida. The company halted operations as a result of the cyber breach and provided few details in its announcement one week later.
Kaiser Permanente employee allegedly breaches EHR. In November, Kaiser Foundation Health Plan of the Mid-Atlantic States announced that one of its employees inappropriately accessed portions of medical records for patients, exposing patient demographics and medical information, including photographs. During discussions about insider threats at the recent HIMSS 2022 Cybersecurity Forum, many healthcare IT professionals expressed their concerns about access management.
Hospitals still don’t have a handle on their IoT devices. The Insecurity of Connected Devices in HealthCare 2022 report from Cynerio and The Ponemon Institute, released just after mid-year, detailed some alarming trends for healthcare, including widespread and repeated attacks, financial losses measured in the millions and frequent failures to take basic cybersecurity measures.
FDA releases medical device cybersecurity draft guidance. Replacing guidance issued in 2018, the FDA published draft guidelines in April to help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats. The agency accepted comments on “The Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” through July.
Direct line between hospital cyberattacks and patient mortality, report shows. Based on a poll of more than 640 IT and security leaders, The Ponemon Institute found that 89% of the surveyed organizations experienced an average of 43 attacks over the past 12 months, averaging almost an attack a week. The September report indicated that of those health systems experiencing the four most common types of cyberattacks, 20% said they’ve subsequently experienced increased patient mortality rates.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.