The True Cost of Healthcare Cybersecurity Breaches
When most of us think of organizations being hacked or breached, we think of sensitive data being leaked, causing profits to plummet, or vital documents being held hostage until a ransom is paid. However, when it comes to the healthcare industry, often the true cost of an attack is much more than just money.
The Cost to Patients
The inability to access medical records, lost productivity as systems are down, and money paid to cybercriminals all have a real impact on the health and wellbeing of patients. One famous healthcare-focused cyberattack, the 2019 ransomware attack on the Grey’s Harbor Community Hospital and Harbor Medical Group, forced the hospital and the medical group’s clinics to revert to paper medical records and affect backups. Though most records were recovered, it still isn’t clear if some medical records were permanently lost.
A breach can also damage the relationship between the patient and their doctor, as many patients may avoid seeking medical help if they are worried cybercriminals or other unauthorized users may access their private medical information. These emotional consequences can seriously damage the health and wellbeing of patients and make it more difficult for doctors to rebuild patient trust and ensure their patients are getting the care they need.
The Cost to Medical Science
Depending on the nature of the breach, valuable research data and intellectual property may be damaged or lost, which can delay research into life-saving treatments. That sort of research is invaluable, and its loss can have devastating consequences for the health and wellbeing of potentially millions of people.
The Unique Challenges of Healthcare-Focused Cybersecurity
Research has shown that the healthcare industry is a prime target for medical information theft at least in part because it lags behind other industries in securing its vital data. So why does this industry, whose assets are crucial to human health and wellbeing, lag so far behind?
To begin with, so much of what hospitals do relies on the internet, from patient test results and medical records to the various machines and technologies used to provide patient care. While this interconnectedness is excellent for data integration, patient engagement, and clinical support it also means that a ransomware or other attack can spread quickly between vital systems, accessing patient data and other highly sensitive information, hijacking medical equipment to mine cryptocurrencies, or shutting down entire hospitals or hospital networks until a ransom is paid.
Not All Software Can be Patched
One of the unique challenges of healthcare is that there is a wide mix of equipment. While some equipment is cutting edge, many pieces of healthcare technology still in use were made by companies that are no longer in business or run on old software that has gaping security holes that can’t be patched. That means that even if vulnerabilities are known to exist (which isn’t always the case), there may not be a way to fix them.
The obvious answer would be to move away from outdated software and equipment with known vulnerabilities, but that is easier said than done. While a small or even medium-sized business could handle a temporary shutdown to migrate the entire network over, hospitals and other healthcare facilities don’t have that luxury: the entire system needs to be running 24/7/365.
Shutting down older equipment and transferring all of the data stored on the network can also be incredibly costly. The ability to patch and update software both extends the lifespan of current equipment and reduces costs.
Human Error Can Expose Patient Data
On the data privacy side of things, recent research from the JAMA found that most breaches in medical settings were triggered by unauthorized disclosures or employee error. When multiple shift doctors, nurses, and specialists need to be able to quickly and easily access sensitive employee data, it increases the odds of one person making a mistake that could leave this data vulnerable.
The Biggest Cybersecurity Threats to be Concerned About in 2020
There are a few threats that healthcare providers should be particularly concerned about in 2020. If you are unsure what steps you can take to improve your organization’s cybersecurity posture, please speak to your MSSP (Managed Security Services Provider).
Ransomware was a huge problem in 2019, particularly for healthcare providers, and it is likely only going to get worse. Unlike some other businesses, healthcare providers aren’t able to pause operations to try and get their files unencrypted to avoid paying the ransom. And while some businesses can carry on even if they are unable to recover a few encrypted files, sometimes even a single unrecoverable file, such as a patient’s electronic file or test results, can have disastrous consequences for the health and wellbeing of patients.
Unsecured Medical Devices
Businesses in a variety of industries, including the healthcare industry, have enthusiastically adopted a wide variety of Internet of Things (IoT) devices. In fact, some reports speculate that from 2019 and 2024, we will see a combined annual growth rate of 27.6% for healthcare IoT devices.
However, in 2019 the FDA warned that a cybersecurity firm had identified 11 vulnerabilities that could allow hackers to control medical devices remotely. That report has likely prompted many healthcare providers to take a closer look at their current cybersecurity postures. Hopefully, that focus will continue in 2020 so that these and other vulnerabilities can be addressed.
Unsecured Electronic Health Records
Electronic health records have made it significantly easier for both healthcare professionals and facilities to access patient files, though this system does come with special cybersecurity considerations.
Though there are already privacy laws in place to safeguard sensitive patient data, these laws were mostly written with people in mind, not software. That means that many of these systems remain vulnerable to exploitation by cybercriminals, since the software that many of these systems run on or interface with may have been written in a time before the IoT. Depending on when the software was written, the company may not be around to issue software updates and patches, and even if they are, the software may not be compatible with many necessary cybersecurity updates.
Hopefully, findings like the FDA report mentioned above will encourage the companies that design electronic health record systems to evaluate their software critically so that it can be modified to better safeguard patient data.
How Can Healthcare Organizations Improve their Cybersecurity Posture?
Every organization is different and has slightly different cybersecurity needs. As such, the first thing any organization should do is sit down with their MSSP to identify their cybersecurity needs and create robust yet flexible cybersecurity protocols.
Organizations should also work with their healthcare-focused MSSPs to identify credible threats and create tailored response plans to address those threats. These response plans should be designed to minimize or even eliminate damage to critical systems and help safeguard both vital infrastructure and sensitive data.
To help you get started, please review our blog post Cyber Hygiene 101: Basic Steps to Keep Your Company Secure.