An active dialogue is growing in the medical community around Healthcare Cybersecurity, and for good reason. More hospitals have been making headlines due to growing patient data breaches that undermine public confidence and credibility. According to research from the Ponemon Institute, nine out of ten healthcare organizations experience some type of cyberattack annually. The Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care survey explores findings from over 600 IT leaders at healthcare organizations.

In this blog, we explore what makes healthcare cybersecurity attacks so alarming and how you can act to prevent them.

Healthcare Cybersecurity Costs

1. Healthcare cybersecurity attacks are expensive.

89% of the healthcare IT leaders surveyed experienced a cyberattack over the last year, facing an average of 43 annual attacks with resulting costs in damages ranging from $10K to the mid-seven figures. But what was costing healthcare organizations the most might surprise you. Resolving the impact on patient care usually totaled just over half a million at $644,350. But areas like lost opportunities, overhead costs, direct cash outlays, and other operational challenges cost considerably more. In fact, respondents lost an average of $1.1M in productivity alone.

The cost of healthcare provider breaches can be broken down into direct and indirect costs:

  • Direct expenses include hiring cybersecurity and forensic experts, outsourcing phone support, and offering credit monitoring subscriptions and discounts at no cost for future services and products.
  • Indirect costs include the time and resources allocated for internal investigations and communication in addition to the current and future impact on patient or customer and partner loyalty.

Both types of costs are constantly increasing with the acceleration of big data and the need to report the breaches, alert victims, and act strategically.

Breaches expose Protected Health Information (PHI), resulting in hefty HIPAA and regulatory fines. And while cybersecurity insurance can minimize financial fallout, organizations must usually have cybersecurity infrastructure in place in their IT environments to qualify.

The onslaught of attacks on HIPAA-compliant providers continues, making healthcare cybersecurity a growing concern for healthcare IT leaders and their patients. Hackers have targeted more healthcare organizations in recent years because of the financial value of PHI, whose theft can escalate to identity theft and have a devastating financial impact on patients who are victims. Protected patient data is a magnet for malicious actors looking to capitalize on the pandemic and post-pandemic influx of treatment and preventative care.

Healthcare cybersecurity breaches also open providers to the potential of lawsuits. The CommonSpirit healthcare system is facing patient class-action lawsuits after a hack exposed PHI on the dark web. In addition, the Office for Civil Rights can impose penalties against hospitals if HIPAA-protected patient data is compromised. And paying ransomware demands can lead to costly government sanctions.

2. Breaches compromise your quality of care.

These healthcare cybersecurity breaches frequently lead to longer hospital stays, a lower level of patient care, and rising mortality rates—varying by the attack type:

  • Half of healthcare organizations had supply chains attacked, disrupting patient care for 70% of those with supply-chain-security compromises. These patient care disruptions from healthcare supply chain attacks resulted in more than half of providers seeing an increase in patient condition severity and hospital stay. An alarming 23% of these organizations saw a devastating increase in patient mortality rates.
  • Unsecured cloud, mobile, network, big data, and IoT technologies increase patient information and safety risks for almost 70% of healthcare organizations. Vulnerable medical and mobile apps are one of the most critical cybersecurity challenges in healthcare. Organizations have more than 26,000 network-connected devices on average and even medical devices like infusion pumps and pacemakers can be compromised by healthcare cyberattacks.
  • Ransomware healthcare cybersecurity attacks are the most dangerous when it comes to patient safety and care. As a result, 64% of healthcare organizations reported procedure delays and poor testing outcomes. Virtually 60% of organizations hit by ransomware had an increase in patient stay, limiting already finite available resources. These ransomware healthcare cyberattacks can include phishing scams leading to Business Email Compromise.

3. Healthcare Cybersecurity breaches make headlines.

More hospitals and healthcare group cyberattacks are appearing in social media feeds and news outlets, harming brand reputation, and patient trust and loyalty levels. Johnson Memorial is a haunting example. The hospital went dark in 2021 after a cyberattack hit the healthcare provider—hard.

“I remember like it was yesterday,” recalls Dr. David Dunkle, chief executive officer of the Indiana-based health system. “My chief of nursing said, ‘Well, it looks like we got hacked.’”

The healthcare cybersecurity attack on Johnson Memorial in October 2021 caused immediate and ongoing fallout. The state-of-the-art healthcare system had to rely on dated, manual patient care delivery methods. Ambulances with patients in critical condition were rerouted to other hospitals in the area with Johnson Memorial staff unable to access or restore any patient medical records without a cloud backup strategy.

“Our lives were absolute chaos and mayhem for months on end,” said Dona Thomas, an ER nurse at Johnson Memorial. “And we are still reeling from the effects of that (healthcare cybersecurity breach).”

The Johnson Memorial IT team identified a network compromise as the cause of the attack. The hackers, identifying themselves as Hive, left a ransom letter on every hospital server, demanding $3M in Bitcoin. Hive is a growing ransomware group that has targeted more than 1,500 hospitals, school districts, and financial institutions across 80 nations already.

HIPAA Compliance without Healthcare Cybersecurity is not enough.

Forrester weighed in on what growing federal scrutiny of healthcare cybersecurity means for providers. “For a long time, healthcare organizations have focused on compliance, specifically HIPAA compliance,” notes Alla Valente, Forrester senior security risk analyst.

“What we know since the pandemic and the increase in cyberattacks specifically targeting healthcare, is that you can be fully (HIPAA) compliant and still have a lot of cyber risk exposure.”

The analyst added that healthcare organizations must increase investments in cybersecurity services and risk management to qualify for cybersecurity insurance, warning that healthcare organizations can’t stop at being HIPAA compliant. You must look at how you secure your IT technology and infrastructure and how you operate with third parties.

How can you prevent healthcare cybersecurity attacks?

Your organization and patient community are at risk without the right healthcare cybersecurity best practices, solutions, and services. Building a cybersecurity strategy to prevent attacks is less complicated and costs less than the fallout after a breach. And having the right cybersecurity practices, protections, and services in play is key to shielding your organization from added disruption with Cybersecurity Insurance—a mandate in our disruptive, digital age. Organizations of every size need a range of cybersecurity solutions, including basics like Email Verification, Password Management, and Multi-Factor Authentication.

Dark Web Monitoring is imperative to flag any potential PHI leaked on the dark web with regular scanning, so you can respond immediately when necessary. Cyber awareness training helps employees organization-wide pinpoint and flag phishing emails and smishing texts. And Network and Cloud Server monitoring and backup are crucial to prevent data breaches and immediately restore your information and applications in the event of a compromise without losing patient records or the ability to offer the highest level of care. And these are just the basics.

Now is the time to act. Fruth Group can help.

Connect with one of Fruth Group’s security experts and learn how you can shield your applications, data, employees, and patients.