BakerHostetler, a national law firm, released its annual 2023 Data Security Incident Response (DSIR) Report, detailing the latest trends in cybersecurity and finding 24% of cases handled by the firm are in the healthcare industry.
What happened
BakerHostetler's 2023 DSIR Report analyzed 1,160 incidents in their Digital Assets and Data Management Practice Group that occurred over the last year.
Overall, they did not find a significant increase in incidents between 2022 and 2021, but they did notice a surge in ransomware attacks near the end of 2022. The healthcare industry also saw the largest increase in ransom payments. The average amount paid is now $1,562,141. The DSIR report also found that the industry's recovery time needed increased by 69%.
Related: The NCC Group releases data on March ransomware attacks
While ransomware is making waves, it's not the only issue taking the stage. Some healthcare organizations are finding themselves in hot water for their use of third-party pixels, which can send data to other companies for marketing purposes.
BarkHostetler said they are currently handling over 50 cases related to pixel use.
Why it matters
In the healthcare industry, ransomware isn't just a security violation; it can result in delayed care for patients with devastating consequences. For this sector, the report found it took an average of 10.3 days for an organization to operate at an "acceptable" capacity again.
They also found that 40% of organizations opted to pay the ransom even though 85% were able to at least partially back up their data without paying. Even if data is restorable, it can have significant financial consequences if it's not secure.
Pixels represent another, although inadvertent, potential privacy breach. Many healthcare organizations use embedded pixels that can be shared for advertising and other purposes. The Office for Civil Rights, however, issued guidance explaining that their use could result in data breaches and penalties.
Read More: 98.6% of hospitals use tracking that puts patient privacy at risk
What was said
Theodore J. Kobus III, chair of BakerHostetler's Digital Assets and Data Management Practice Group, said the report is intended to help organizations with projections so that they don't have to make decisions "based on hype and fear." Kobus III also said, "As organizations implement stronger security measures to adapt to the changing risk landscape, we see threat actors adapting their methods accordingly. The need for vigilance remains ever present."
When it comes to ransomware, Craig Hoffman, co-leader of BakerHostetler's national Digital Risk Advisory and Cybersecurity team, says, "Securing an enterprise is a significant challenge–there are a lot of risks, and just spending more money does not automatically equate to more effective security."
The DSIR report also suggested that the focus on website technologies would continue and that entities should aim to have an "in-depth understanding of the use of this technology" to understand the benefits and risks of technology like pixels.
Bottom line
Those analyzing the DSIR report should look for continuing trends and new developments to understand how best to protect their data. The report should also serve as a reminder of the fiscal costs associated with data breaches that can occur both from ransomware and pixel-related lawsuits.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
