Healthcare providers appear to be vulnerable to cyber attacks

In three major cyber attacks on companies to which Dutch healthcare institutions had outsourced their ICT, the medical data of around 900,000 people were leaked last year.

The Dutch Data Protection Authority reports this in its annual data breach report. Healthcare is the sector with the most reports and incidents: almost nine thousand in 2022. That was also the case in 2021. This not only concerns vulnerable hospitals, but also, for example, care for the elderly, physiotherapists, general practitioners, pharmacists, midwives and dentists.

In 2022, things went wrong three times on a large scale because hackers managed to penetrate ICT companies to which many healthcare providers had outsourced their ICT.

Recently, sector organization Z-CERT (the computer emergency response team for healthcare) raised the alarm about the vulnerability of healthcare providers. In 2022, the disruption, caused mainly by ransomware attacks, was ‘much greater’ than in 2021. At the European level, Z-CERT registered 51 ransomware incidents at European healthcare institutions, which is 65 percent more than in 2021.

Unclear emails, little urgency

“Shared infrastructure can greatly increase the impact of a single incident,” says a report from Z-CERT. Healthcare institutions are said to be insufficiently aware of the risks when they store their patients’ data in a ‘cloud’ and are therefore dependent on an external party.

The data that an ICT supplier manages is ‘worth gold to criminals,’ the Dutch Data Protection Authority points out. The privacy organization does not disclose the names of the companies that did not have their security in order. The AP mainly tries to ensure that affected companies inform their customers or patients, so that they can be extra alert. That does not always go well, according to a sample taken by the Consumer Association. Victims often receive unclear e-mails that express little urgency.

Healthcare institutions are promising targets for criminals who use ransomware, says Desmond de Haan of the Dutch Data Protection Authority. Healthcare institutions are relatively easy to extort into paying ransoms, for example, because they are very dependent on their data and it often concerns very sensitive information.

Blackmailable

There is no reliable way to verify whether healthcare institutions pay a ransom to regain access to their data after a cyber attack and to prevent data about their patients from being traded. What is certain is that it happens.

“That is up to the parties themselves,” says Özlem Sehirli-Kaya, leader of the data breach team. “But that is no reason not to report the data theft.” She emphasizes how important it is for healthcare providers to have their security in order. “If you go to an obstetrician or physiotherapist, you just have to be able to trust that your data is safe.”

The Dutch Data Protection Authority also sees a large increase in the number of reports in which personal data has been added to an incorrect file. These are often human errors, not external attacks.

The healthcare sector is a negative outlier. The total number of reported data breaches in 2022 was lower than the year before, down from 24,866 to 21,151. The same applied to the total number of reports of cyber attacks. After years of increases, that number fell from 2,210 to 1,826.
