Happy New Year and Happy Friday!
The numbers are in from 2024, and it’s not pretty—especially if you work in healthcare. Remember when hackers claimed they’d spare healthcare systems during the pandemic? Turns out, those promises were about as reliable as a New Year’s resolution. In 2024, the gloves came off and healthcare providers were left reeling.
Case in point: Ascension Health. In May, over 5.6 million patients had their personal and health data stolen. Hospitals resorted to pen and paper for tracking medications and procedures, and ambulances were rerouted to other facilities. It was chaos—and that’s just one breach.
Here are some sobering stats from last year:
* 67% of healthcare organizations were hit by ransomware—nearly double the rate in 2021 (34%).
* 53% of those encrypted paid the ransom. The median ransom? A cool $1.5 million.
* Recovery times are stretching: 78% of victims needed over a week to fully restore systems, compared to 66% in 2022.
The bullseye on healthcare isn’t shrinking anytime soon. Patient data is pure gold for cybercriminals—lucrative, sensitive, and crucial to care delivery. Worse still, these attacks don’t just steal money; they jeopardize lives by crippling access to critical information and delaying treatment.
If 2024 taught us anything, it’s this: protecting our healthcare systems is no longer optional. It’s essential.
The Takeaway
Bad News: The Hackers Are Winning. Good News: New Rules Are Coming.
With no end in sight to the cyber onslaught, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is stepping in with proposed updates to the Health Insurance Portability and Accountability Act (HIPAA). These new cybersecurity requirements aim to better protect patients' health data and should be finalized by the end of February.
The silver lining? These rules offer a clear roadmap for securing your own organization, whether you're in healthcare or not. Here's a sneak peek at the key requirements:
1) Encrypt PHI (and critical, private files) at rest and in transit. If attackers can’t read the data, they can’t use it against you.
2) Document everything. Security policies, procedures, recovery plans, and incident analyses all need to be written, reviewed, and actionable—especially for restoring operations within 72 hours.
3) Enable multi-factor authentication (MFA). A single password just won’t cut it anymore.
4) Segment your networks. Keep attackers from taking down the whole system by isolating critical components.
5) Maintain an up-to-date inventory and network diagrams. Know what technology and devices you have—and how they’re connected.
6) Run regular network scans and penetration tests. Identify vulnerabilities every six months and simulate attacks annually to stay ahead of hackers.
7) Deploy anti-malware and declutter. Keep systems protected and remove unnecessary software that increases your risk profile.
While the cost of compliance is estimated at $9 billion in the first year and $6 billion annually after that, the price of inaction is far greater. Stolen health data can fund criminal enterprises, while disrupted hospitals put lives at risk.
Whether or not you’re in healthcare, these measures are a great blueprint for strengthening your own cybersecurity defenses. If you’re curious about how to implement them in your organization, reply to this email—we’d love to help.
Stay safe out there.
-Attila
Reminder: The Riskara 360 Employee Security Risk Assessment is coming soon. It reveals the employee behaviors and habits that could be putting your organization in jeopardy and gives you a step-by-step plan for making critical improvements.
We've had a lot of interest in the assessment since announcing its development. Click here to request early access.
PS. If you think that this email might be helpful to a friend, family member, client or co-worker, feel free to pass it along. Thank you for your continued support of Cypac's mission. Thank you for helping us accelerate humanity toward a safer, more secure high-tech future.
New Friday Funnies
What kind of a prize do you give someone
who hasn't moved a muscle in over a year?
A-trophy
What happens if you boil a funny bone?
It becomes a laughing stock.
(Haha, that’s humerus)
I have a HIPAA joke...but I can't tell it to you.