Q1 Cybersecurity Recap: Major events, initiatives, and trends

This quarter, we’ve seen some major events–from the Change cyberattack to new government initiatives. Read on to learn what’s happened so far this year and what we can expect next. 

The big picture

We are a quarter through the year, and it’s proving to be an eventful one for healthcare organizations everywhere.  

Many companies face threats from old and new actors, and the public is becoming increasingly involved and diligent in holding companies responsible. As some struggle to safeguard data, the HHS and other governing bodies continue to enforce rulings and develop new strategies to prevent and recover from attacks. 

No quarterly report would be complete without discussing the shockwaves the Change ransomware attack had on hospitals across the nation, presenting new challenges and concerns for the industry.  

Our quarterly report includes:

• Most impactful breaches so far
• New government initiatives
• Continued challenges
  • Artificial Intelligence
  • Attack vectors
  • Pixels
• What’s next
• Recommendations

Biggest Q1 Breaches

Last year, we reported that data breaches were steadily rising. While we hoped to see a change in this trend, we knew it wasn’t likely. 

January and February both saw overall increases in breaches compared to the same months in 2023. March 2024 saw a slight decrease compared to 2023.

Network server breaches were the largest attack vector, with many breaches caused by malicious actors gaining unauthorized access. Email breaches continue to be a huge concern, especially as actors increase in sophistication for phishing and spoofing attempts. Breach prevention from this attack vector requires sophisticated software, as training alone is generally insufficient.  

Major breaches

• Concentra Health Services had a significant breach impacting 3,998,162 people. The breach was related to PJ&A, a transcription company that also suffered a data breach. 
• INTEGRIS Health also had a major ransomware attack that impacted 2,385,646 people and was caused by a network breach. 
• Medical Management Resource Group, LLC faced a breach impacting 2,350,236 people due to a server breach. 
• Eastern Radiologists, Inc. faced a breach impacting 886,746 people from a network breach. 

It’s important to note that breaches often span months, and the aftermath can span years. Breaches that remain relevant from 2023 Q4 due to their significance include:

• ESO Solutions, Inc.’s breach impacted approximately 2,700,000 individuals and was similarly caused by a network breach. ESO is a third-party cloud service provider and thus impacted many healthcare organizations associated with them. 
• HealthEC LLC’s breach impacted 4,452,782 people and was caused by a network error. 

Change Healthcare

The ransomware event impacting UnitedHealth Group’s healthcare company, Change Healthcare, created instability and uncertainty throughout the US. Change Healthcare is a massive health tech company that processes insurance and billing, among other operations, for many healthcare organizations. 

The initial impact occurred on February 21st and led to severe service delays; organizations had no way to bill patients, and over 100 other applications were briefly shut down. The impact was specifically devastating for small practices, many of which continued operating despite no longer being able to receive revenue. Pharmacies also experienced downed operations, resulting in some patients being unable to receive medication.

In a survey conducted by the American Hospital Association, 94% of hospital respondents said the attack had impacted them financially, and 74% said patients were directly affected. 

Since then, the government has stepped in, offering loans to healthcare providers. Change Healthcare only regained operational status after allegedly paying $22 million to ransomware organization BlackCat, a Russia-aligned organization. 

Yet problems are likely to progress into Q2; Change Healthcare now faces another ransomware demand, this time from RansomHub. The situation is also under investigation by the OCR, potentially prompting further legal action or new initiatives to prevent massive attacks like this in the future. 

Looking ahead

The Change attack was unprecedented and could signal a shift in future policy or response measures. For many companies, it likely led to the realization of how impactful attacks on third-party organizations can be. 

Attacks like these, albeit on a smaller scale, are occurring much more frequently. The attack on Concentra Health and ESO Solutions are both connected to third-party services. Many companies outsource tasks to companies like these, which can help streamline operational processes but can lead to more vulnerabilities. 

Unfortunately, we expect to see more attacks like these in the future.  

Lastly, email breaches are similarly a threat worth paying attention to and are often caused by human errors, complex attack strategies, and poor email security systems.  

New government initiatives

Outside of data breaches, Paubox has also been covering new government initiatives introduced in the last few months. 

In the news

The HHS recently delivered an annual report on HIPAA compliance and breaches. The reports found that in 2022, the OCR received 30,435 complaints of possible HIPAA violations and resolved 32,250 complaints (some of which were prior to 2022). They also found that reported breaches had increased by 3%, but it’s likely that the true number of breaches is much higher. 

The news coincides with the OCR’s decision to revive its HIPAA compliance program that had been on hiatus for seven years. As part of the program, healthcare organizations can expect to be audited. 

Outside of this, the NIST has released two valuable resources:

• A cybersecurity framework aimed to mitigate cybersecurity risks. This framework maintains the five original functions (identify, protect, detect, respond, and recover) alongside a new function, govern, focusing on supply chain risks.
• A HIPAA security rule guidance provides structured guidance on complying with the Security Rule alongside additional tools, resources, and guidance for conducting risk analysis.  

To help curb data breaches, the HHS released voluntary cybersecurity goals for healthcare organizations. They outline steps healthcare organizations should take with the following goals in mind: mitigating known vulnerabilities, email security, multifactor authentication, basic cybersecurity training, and more. 

Similarly, the Health Sector Coordinating Council (HSCC) unveiled a 5-year strategic plan to help improve the healthcare industry’s cybersecurity status from critical to stable by 2029.

Several other rulings or guidances have been released to improve healthcare security, including the Centers for Medicare & Medicaid Services (CMS), which finalized a ruling to increase patient access to information.     

The Government Accountability Office also released a report on preventing ransomware attacks. The report highlighted that the value of attacks in the US had increased to $886 million, according to the most recent data. Fiscal impacts were far from the only repercussions; many organizations that faced a ransom attack also had downed systems that prevented patients from receiving care.  

After the Change Healthcare breach, we’ve seen even more focus on how the government can improve cybersecurity. The Health Care Cybersecurity Improvement Act of 2024, for instance, aims to provide financial relief to healthcare providers impacted by a cyberattack despite having minimum cybersecurity standards. 

Value-based care

Over the last few years, we’ve seen a push for value-based care. These programs reward healthcare providers for the quality of care they provide to patients with Medicare. 

A report from the Center for Medicare & Medicaid Services (CMS) described value-based care programs as helping improve care for individuals at a lower cost, ultimately improving the health of the population. The goal is to promote quality care instead of the quantity of care. 

Several value-based programs already exist, including for end-stage renal disease, home health, and skilled nursing. 

The initiative hopes to improve healthcare for populations that have typically been underserved but are still growing. According to one outlet, the CMS is having some difficulty attracting practices to the payment model, allegedly because the current models are mostly focused on primary care rather than specialists. 

As more practices begin the transition, hospitals will have to combat the increasing burnout some providers face. The AJMC has offered framework suggestions on how to ensure the transition is smooth. 

For healthcare companies, it may be an ideal time to switch to value-based care as we remain early in the process, but it could dictate future hospital success. 

Telehealth

Paubox has also witnessed an increasing push for telehealth appointments, which allow for consultations or simple prescriptions to be provided online. Telehealth first became prominent during the COVID-19 pandemic, when hospitals were overcrowded and, at times, risky. 

Since then, the American Medical Association (AMA) has stated that telehealth will likely be a regular part of the post-pandemic healthcare system. 

While some practices had telehealth options before the pandemic, their popularity has skyrocketed in recent years. 

In many cases, it can reduce inequality, as some patients may have more access to appointments and a variety of care providers. Some inequality remains, however, as internet access is not always readily available. Yet, if providers can offer telehealth options in addition to traditional appointments, it could save patients and providers time and resources. With heightened efficiency, telehealth could also be helpful for practices with provider shortages. 

During the pandemic, certain provisions made it easier for patients to attend telehealth appointments, including required technology, lessened geographic restrictions, and lessened requirements for in-person visits. 

Now, it’s expected these provisions could expire. Many policymakers believe telehealth will remain a viable and equitable possibility and are pushing for extensions on related policies to continue encouraging providers to offer telehealth. 

Read more: What are HIPAA’s privacy requirements for telehealth? 

Continued challenges

Many of the same challenges from Q4 continue to be prevalent. It takes time for laws to catch up with what healthcare organizations experience on the frontlines. As governing bodies, like the HHS, determine appropriate next steps, it’s necessary for healthcare organizations to always err on the side of caution when it comes to patient data protection.

Artificial Intelligence

AI continues to impact multiple industries. In healthcare, the full potential of AI has yet to be realized; some research has discussed its potential for early diagnosis in the medical field, while in security, it could be used to detect malicious activity. Yet privacy concerns, how data is collected and used, and how it may be biased are prevalent in the field. 

Recently, US House Speaker Mike Johnson, alongside Democratic Leader Hakeem Jeffries, announced the creation of a bipartisan Task Force on Artificial Intelligence. The task force will help draft guiding principles, recommendations, and policy proposals that can allow AI to drive economic growth while protecting security and ensuring ethical development.  

Following a recent report from the World Health Organization outlining the risks and opportunities of AI in healthcare, the Federal Trade Commission launched an investigation into generative AI. Major companies, including ChatGPT and OpenAI, are required to disclose information regarding partnerships and investment decisions so the FTC can ensure fair competition and innovation. 

As challenges and potential uses continue to rise from AI, we will likely see increased attention from governing organizations. 

Attack vectors

Attack vectors have seen a slight change over Q1. In recent months, we’ve seen significantly more attacks on network servers. 

In many cases, malicious actors gain access to the network by using technology to access weak passwords. In other cases, they may access a network by sending malicious documents or software. Once in the network, actors may work their way up the ladder until they can access valuable files on the dark web.   

In some cases, files are removed, encrypted, modified, or damaged. 

With increased attacks, many malicious actors are engaging in compilation tactics in which data from individuals is compiled over multiple breaches. In these instances, even pieces of information that may seem insignificant could be harmful when combined with other pieces of personal information. 

Lastly, we’ve seen more attacks on third-party organizations that assist healthcare companies. Even though these companies don’t directly work with patients, many deal with sensitive healthcare or financial information. As seen with major recent breaches, it’s increasingly important for healthcare organizations to vet the companies with whom they share data. Ultimately, data is only as secure as its weakest point of access.   

Pixels

The debate surrounding pixels continues to unfold. These tiny pieces of code are frequently found on websites used by healthcare companies. Many companies work with Amazon, Meta, or other platforms for analytical tools related to website performance and maintenance. 

While many companies are reliant on pixels–nearly 99% of hospitals reported using some sort of website tracking last year–they could be a potential privacy violation by HIPAA. Pixels frequently track and record data inputted for marketing purposes, which is prohibited by law. 

Once the HHS announced its stance, many hospitals struggled to discontinue use. The American Hospital Association criticized the HHS, arguing that the stance was too limiting. 

This quarter, pixels continue to be debated. The OCR recently updated the guidance. While there were several changes, most notably the HHS said that pixels could be used to collect protected health information so long as that information is not disclosed to technology vendors for marketing purposes. 

Many healthcare companies are slowly, but steadily, beginning to stop using pixels. According to a recent report, 33% of healthcare websites still engage in pixel tracking. While the number is significant, it shows a steady decrease. Hospitals are taking steps to follow the guidance. 

What’s next

For healthcare companies, the next few months may be hard to predict. We will likely continue to see ramifications from the Change attack. Both malicious actors and governing bodies have witnessed the crisis unfold and it’s likely that similar attacks could be conducted in the future. 

We’re also likely to continue seeing attacks on third-party organizations that could impact multiple healthcare organizations. 

Lastly, mounting pressure from the public and increased government oversight and accountability measures could mean more healthcare organizations find themselves held to a high standard of data protection and security. While this could be troublesome and stressful in the short term, it will hopefully result in more compliance and security in the future. 

Recommendations

Today’s cybersecurity network is increasingly interconnected, which can improve operations and contribute to increased vulnerabilities.   

Cybersecurity is no longer solely a concern for healthcare organizations; every company that receives or holds protected health information must take steps to ensure data is safely collected, stored, and used. 

While HIPAA compliance is Paubox’s priority, our email security service can assist in protecting any private information. Many companies, regardless of HIPAA compliance requirements, choose to encrypt and protect data because of the costly implications of a breach.

Paubox is constantly working hard to keep providers and patients up-to-date on the latest news and events. 

Learn more about the Paubox Email Suite and Marketing Tools today.