Conference Speaker: Ransomware a Continuing Threat to Hospitals

“Healthcare leads the charge in data breaches because there is a lot of value in that data,” said Thomas DeMayo, a principal in the Cybersecurity and Privacy Advisory Group at PKF O'Connor Davies, LLP, who spoke at the Foundation for Accounting Education’s Healthcare Conference on Sept. 22. “Electronic health records are a treasure trove for the cybercriminal,” he added, posting a graphic to emphasize his point.
DeMayo’s presentation was insightful, sometimes scary, possibly overwhelming, but ultimately informative. He covered a wide array of topics that could keep IT and other professionals up at night.
Fortunately, in naming all the threats and their implications, DeMayo offered a number of solutions for those in charge of these systems, as well as other employees and stakeholders.
He started by discussing data breach trends, noting that there was an increase in those breaches in 2019, followed by decreases in 2020 and 2021.
That may not tell the whole story, as he said that many organizations don’t report such breaches. But, in noting how susceptible healthcare entities are to data breaches, he had a sobering warning for the session attendees.
As might be expected, and consistent with the tempting target that those records present to the cybercriminal, he spoke in detail about the topic of ransomware.
The numbers are bracing: the average ransom demand is now $1.8 million, and the average ransom paid is $812,000.
“They [cybercriminals] will typically settle for 50 percent,” he said.
Furthermore, the average downtime increased from 6.2 days in 2018 to 20 days in 2022.
Cybercriminals “try to take over as many machines as possible,” he said. “The more damage they cause, the more time it takes you to get back up and running”—increasing the urgency to pay the ransom.
Saying that most ransomware attacks remain external, he cautioned that internal breaches still happen—though they are mostly made by mistake.
“You get around that through training and awareness,” he said.
An emerging threat that he warned is bound to increase is triple extortion. In such an attack, cybercriminals first lock the target hospital’s data; second, threaten to release the data; and third, threaten to inform patients that their data has been obtained, yet another means of pressuring the hospital to pay.
He cited two instances of such a threat in recent months: those of Summit Credit Union and Suffolk County.
Later, during the question-and-answer period, he was asked about what to do if a ransom is paid but the ransomed data is still released despite the payoff.
His answer was about as reassuring as one could be in such an instance.
He mentioned that ransomware in its current form is a relatively new type of crime, as it dates to 2020. “There is a business motivation for [these] criminals,” he said. “If they release anyway, no one will pay [the ransom the next time].”
Another favored technique of cybercriminals is funds transfer fraud, typically a nine-step process. It begins with identifying the victim, followed by a phishing email that allows the creation of a malicious log-in; the criminal then searches for transactions to intercept, sets up mailbox rules, sends fraudulent payment instructions, and proceeds through the remaining steps to receive the fraudulent funds. Once access to the victim’s address book is gained this way, the criminal repeats the attack on the victim’s contacts.
The average funds transfer fraud in 2021 was $347,000, up 78 percent from 2020, according to DeMayo’s research.
“More than half of all attacks are from phishing and social engineering,” he said.
In response to all of these threats, DeMayo recommended building a “shields up” approach based on five pillars: identify, protect, detect, respond and recover.
An important part of that approach is awareness of where and how data is stored, processed and transmitted—“a core component of HIPAA [the Health Insurance Portability and Accountability Act of 1996],” he pointed out.
He also strongly advocated performing risk assessments continually.
“A computer that prints lunch menus is not as important as one used by nurses or [certified nursing assistants],” he said by way of explanation.
Despite the best preparations, DeMayo warned, reality can still intrude.
“Things will fail,” he said. “You have to be prepared to respond.”