The federal government has warned hospitals that using third-party analytics tools on their websites could violate HIPAA, and more than 20 hospitals are facing class-action lawsuits over the use of these tools. But a recent analysis found that hospitals are doing a poor job of fixing their websites and preventing patient data collection.

As health systems shore up their defenses against cybercriminals, they should openly communicate with their third-party vendors about data security risks and work together to actively manage those risks. That was some of the advice given by Aaron Miri, Baptist Health’s chief digital and information officer, during a Tuesday webinar.

HHS issued an alert warning providers about Rhysida, a ransomware gang that recently begun launching attacks on healthcare organizations. The group deploys its ransomware primarily through phishing attacks or the exploitation of legitimate cybersecurity tools.

The average cost of a healthcare data breach is now $10.93 million, up from $10.10 million in 2022, according to a new report. Healthcare has the highest data breach costs of all industries — breaches are second costliest in the financial sector, where the average cost is $5.9 million.

The Health3PT Initiative recently released recommendations on how providers can better address the cybersecurity risks linked to their third party reliance. Some of the group’s recommendations included ensuring that contract language ties financial terms to a vendor’s data management transparency and establishing metrics and reporting requirements for organization-wide vendor risks.

To prevent the proliferation of data security incidents in the healthcare industry, providers must examine their use of legacy systems as well as their reliance on third parties, according to a new report. It pointed out that most providers fail to probe their third-party partners’ cybersecurity measures, and many continue to use legacy systems that are no longer supported by vendors or are hard to patch and update.

HCA Healthcare recently suffered a data breach affecting 1,038 hospitals and physician clinics across 20 states. The health system said hackers stole data from an external data storage location “exclusively used to automate the formatting of email messages.” It also said that the incident has not caused any disruption to HCA’s daily operations or the services it provides to patients.

Clop, a Russian ransomware gang known for going after healthcare providers, has been recently exploiting a software vulnerability called MOVEit. Johns Hopkins University and its health system were recently victims of a data breach caused by hackers targeting this vulnerability, as was Texas-based Harris Health System.

HC3 recently warned healthcare providers about a “relatively unknown” ransomware gang named TimisoaraHackerTeam. The group leverages legitimate software tools like Microsoft’s BitLocker and Jetico’s BestCrypt to deliver its malware.

A group of federal agencies recently released an updated set of guidelines to help healthcare organizations protect themselves from ransomware attacks and the data breaches that often follow. The guidance lays out best practices to prevent the six major ways that bad actors gain access to providers’ systems, which include compromised credentials and phishing.

Regulators have become increasingly concerned about the potential for medical devices to become a vector for spreading malware attacks across hospital networks, resulting in untold patient harm and billions of dollars globally.

Federal officials are sounding the alarm on two ransomware groups that are actively targeting the healthcare sector: Cl0p and LockBit. In recent months, the groups have been exploiting three known software vulnerabilities in cyberattacks they have waged against healthcare businesses across the country. 

The Health Sector Cybersecurity Coordination Center (HC3) recently issued a report letting healthcare organizations know that they are still being heavily targeted by KillNet, a Russian group of cybercriminals. The number of daily attacks KillNet waged against healthcare organizations using Microsoft Azure increased significantly between November 18 and February 17 — from 10-20 attacks per day in November to 40-60 attacks per day in February.

The ViVE conference in Nashville, powered by HLTH and CHIME, offered an overview of the latest developments in health tech spanning interoperability, cybersecurity, price transparency, behavioral health and health equity.

In an interview at the Vive conference in Nashville, Tennessee, Craig Richardville, Intermountain’s chief digital and information officer outlined the three areas of priority for Intermountain Health for which technology can be leveraged. But when it comes to a major headache for CIOs, Richardville seems to suggest that a government-led all-hands-on-deck approach is what is needed.

Executives from health systems and subject matter experts shared how they are contending with data security challenges, particularly training to change behavior and acquiring expertise in cybersecurity.

The healthcare industry of the future will be defined by interoperable systems that need to securely share critical data across devices, distributed applications, and networks. Device manufacturers play a pivotal role in the delivery of these secure and connected solutions

The FBI, CISA and HHS have all recently issued warnings about the dangers associated with the Royal Ransomware gang. Since approximately September of last year, cybercriminals have been using a Royal ransomware variant to compromise organizations across the U.S., many of which have been healthcare providers.

David Finn, CHIME Association Executive Healthcare and Information Sector, lead of the cybersecurity pavilion initiatives at ViVE 2023, does not mince words. With ransomware attacks surging to an all time high this month, Finn said in an interview that security is no longer a defensive posture; we are engaged in a war.

Russian hacker group Killnet has claimed responsibility for a string of recent cyberattacks that took more than a dozen hospital websites offline across the U.S. — including the websites for Cedars-Sinai, Michigan Medicine, and UPMC. The group has been active for at least a year and is known to target countries that support and/or send resources to Ukraine.

Ransomware group BlackCat has been targeting healthcare organizations in recent months, and it just went after NextGen Healthcare. Healthcare organizations would be wise to enhance their cybersecurity strategy in defense against BlackCat, as it is “one of the more adaptable ransomware operations in the world,” according to HHS.

MemorialCare, Ballad Health, Cedars-Sinai and UNC REX Healthcare recently participated in Censinet’s $9 million funding round. The company’s flagship product is a cloud-based network that allows healthcare organizations to share and manage risk data to strengthen cybersecurity planning.

CommonSpirit Health is facing a proposed class-action lawsuit over a ransomware attack it suffered last fall that exposed 623,774 patients’ personal data. However, hospitals’ data breach lawsuits usually never make it court, a legal expert said.

As with most industries, healthcare should consider adopting a zero-trust approach. This security measure can help decrease an organization’s attack surface, create accurate response automation and prevent the compromise.

In 2022, the healthcare sector is on track to meet or exceed the more than 50.4 million patient records that were breached last year. As we look ahead to 2023, increasing cybersecurity budgets will be a necessity for healthcare organizations, despite their tight financial circumstances.

Based on some independent research that my company commissioned with more than 200 companies, we came to several conclusions that are highlighted in the article. Broadly, however, it signals the false sense of (cyber)security that many companies are currently harboring.

ECRI recently issued an alert warning hospitals about the cybersecurity risks associated with the use of third-party analytics tools, such as Meta Pixel, Google Analytics and Adobe Analytics. When providers install these tools on their websites and patient portals, they may be exposing patient data — which tech companies can use to target medical-related ads to consumers as they browse the Internet.

MedCrypt, a San Diego-based provider of cybersecurity solutions for medical devices, recently closed a $25 million Series B funding round. The startup sells its software to medical devices manufacturers so they can enhance the security of their products, which range from pacemakers to CT scanners.

The patient is alleging that the patient portal he used to communicate with his doctors at Advocate Aurora and to schedule appointments used a pixelated code that also enabled logging in via Facebook and then shared data with Facebook.