Page 117 - Cyber Defense eMagazine RSAC Special Edition 2025
the United States.¹ This is unfortunately not surprising as statistics show that medical records are 50
times more valuable than traditional financial information – the risk/reward is worth it to the cyber
criminals.
Even in the early months of 2025, the trend persists. In its February 2025 Data Breach Report, the HIPAA
Journal reported on 46 large health care data breaches (incidents involving 500 or more individuals),
affecting 1.2 million individuals.² While this showed a month-over-month reduction, the high number of
breaches throughout 2024 suggests this may be a temporary dip in an otherwise upward trajectory.
The causes behind this epidemic are multifaceted. According to the reported data, foremost among them
are hacking and other IT incidents, which accounted for 74% of reported breaches in February 2025 and
exposed the protected health information (PHI) of over 1.1 million individuals (89% of the total affected).
These incidents encompass a range of malicious activities, including data theft, ransomware attacks, and
the compromise of email accounts through phishing campaigns. Health providers' network servers remain
the primary target, reflecting the wealth of sensitive information they often contain. The persistent success
of email-related breaches, with 14 such incidents reported in February 2025, underscores the critical
need for robust email security measures and user awareness training.
However, the threat landscape extends beyond external actors. Insider threats, both in the form of
unintentional errors and deliberate malicious actions, also pose a significant risk. While perhaps less
frequent than hacking, insider breaches can directly compromise patient privacy and erode trust in health
care providers.¹
Furthermore, the interconnected nature of the health care industry introduces vulnerabilities through
business associates – third-party entities that handle PHI on behalf of covered entities. In 2024, the 2025
Breach Barometer connected breaches involving business associates to a remarkable 77% of all
breached records.¹ This highlights the extended attack surface and the critical importance of ensuring
robust security practices throughout the entire health care ecosystem.
Despite increasing awareness and regulatory mandates like HIPAA, many health care organizations
continue to exhibit fundamental failings in their cybersecurity posture. A significant concern is the lack of
comprehensive risk analysis and risk management processes. Without a thorough understanding of
potential threats and vulnerabilities, organizations struggle to implement effective safeguards.
Inadequate access controls often grant unauthorized personnel access to sensitive electronic protected
health information (ePHI). Moreover, a recent survey produced by the HIPAA Journal indicated that at
least 43% of HIPAA-covered entities either rely on manual processes or may not track HIPAA compliance
at all.³ This reliance on outdated methods can lead to inconsistent record-keeping, increased
administrative burdens, and a higher risk of non-compliance and subsequent breaches.
Weaknesses in email security infrastructure, including the absence of advanced threat protection and
multi-factor authentication, contribute significantly to the success of phishing attacks and email account
compromises. Delayed patch management cycles leave critical systems vulnerable to known exploits,
providing easy entry points for cybercriminals. Finally, insufficient oversight and due diligence regarding
business associates can lead to breaches occurring within these third-party systems, with cascading
effects.