Healthcare and Cybersecurity Risks

The strain of Covid-19 has overwhelmed our hospitals and clinics.  Limited resources coupled with technology advancements burden health care organizations. The first priority is always patients. The current healthcare system is patient-forward with the most critical needs at the forefront. While it makes sense in the short term, insufficient cybersecurity disrupts business and puts patients and staff at risk. 

Identifying that cyber safety is not separate from day-to-day responsibilities and does extensively impact hospitals is the beginning of an equipped cybersecurity plan. Technology aids everyday functions. Protecting against potential threats leads to higher-quality of care, uninterrupted service, and secure peace of mind. Ideally, all hospitals would operate with the same mindset on cybersecurity protocols and carefulness. Realistically, healthcare organizations have a long way to go. 

What’s at Risk When Cyberattacks Hit Hospitals?

Cyberattackers take advantage of electronic health records, centralized command centers, and the use of digital systems to upload information. The Health Insurance Portability and Accountability Act (HIPAA) ensures there is no unauthorized patient disclosure of any protected Health Information (PHI). 

Hackers can jeopardize a considerable amount of healthcare information and impact performance:

• Patient safety 
• Medical records
• Lifesaving medical devices
• Private patient data - can be stolen or corrupted
• Health outcomes 

The American Hospital Association (AHA) Center for Health Innovation expresses the importance of cybersecurity guidelines. The guide warns that lost “access to medical records and lifesaving medical devices, such as when a ransomware virus holds them hostage, will deter your ability to effectively care for your patients.”

The Brookings Institution came out with an article studying why cybersecurity is a risk for hospitals. It seems that healthcare is more financially appealing to cybercriminals. The broad attack surfaces in healthcare increase vulnerabilities that hackers can easily target. 

In 2020, a German woman died from an aortic aneurysm. While this was the primary cause of death, there was more to be told. The woman’s ambulance was en route to the hospital when a ransomware attack denied them access. Right before, hackers encrypted data and did not let the hospital obtain it until they paid them. 

As a result, this ransomware attack “forced the hospital to turn the ambulance away.” It “compromised the digital infrastructure that the hospital relies on to coordinate doctors, beds, and treatment, forcing the cancellation of hundreds of operations and other procedures.” The hospital had to shut down operations by half and turn away new patients to deal with the crisis. Investigators concluded that while “the ransomware attack did indeed contribute to the victim’s death,” it wasn’t enough to prosecute the cyberattackers. 

Two more incidents from cyberattacks wreaked havoc on U.S. hospitals. One furloughed 300 employees, and “another [couldn’t] administer computer controller cancer treatments.” 

There are widespread security attacks the 2020 HIMSS Cybersecurity Survey reports, indicating hospitals are a cyberattack target. 

“70% of hospitals surveyed had experienced a ‘significant security incident’ within the past twelve months.” This includes “phishing and ransomware attacks that resulted in the disruption of” the following:

• IT operations (28%)
• Business functions (25%)
• Data breaches (21%)
• Financial losses (20%)

With today’s technology, healthcare relies on dependable systems. Cybersecurity not only protects data but can have a role in patient care and safety. The prolific attacks only prove that cybersecurity in healthcare needs improvement. 

What is the Price of Stolen Healthcare? 

Stolen medical records from phishing attacks in the U.S. can be $10 to $1,000. These attacks continue to increase, “with substantial financial cost.” Risks to stolen, damaged, breached, or exploited healthcare data are hurtful, as mentioned earlier. JAMA Network assesses the non-monetary price as well. They use an example of “a large hospital network…taken offline by a virus for almost 2 weeks":

• Patient confusion
• Service disruption 
• Radiation therapy delays 
• Other repercussions 

Regarding the “failure to proactively invest in cybersecurity, healthcare organizations hit with cyberattacks have paid steep costs to mitigate the threat.” In fact, healthcare spent the highest average cost for a data breach, going on eleven years. The costs went up 29.5% from $7.13 million in 2020 to $9.23 million in 2021. 

Ransomware, data breaches, and cyberattacks as a whole cost the healthcare industry far beyond budgetary losses. 

How Do Hospitals Handle Cybersecurity?

The newer 2021 HIMSS Healthcare Cybersecurity Survey points out challenges healthcare cybersecurity programs face:

• 47% of respondents say the budget
• 43% is the staff compliance with policies and procedures
• 39% is legacy technology 
• 34% is patch and vulnerability management 

Healthcare deals with staffing shortages, low budgets, and other restrictions, often undervaluing cybersecurity:

• 24% of respondents reported that they do not have room in their budgets for improved cybersecurity
• 40% reported that 6% or less of the information technology budget was allocated to cybersecurity
• 59% reported an increase in cybersecurity budgets in 2021 from 2020
• 40% reported either a decreased budget or a budget that did not substantially change

The report also had respondents rate potential threats. On a scale from 1 to 5, with the threats increasing with numerical value, respondents rated:

• 3.72 for phishing attacks 
• 3.50 for ransomware attacks 
• 3.38 for breaches or data leakage

For these concerns, “many healthcare organizations are not able to have robust plans of action.” There are cybersecurity tools hospitals have to control attacks. According to HIMSS, implemented security controls are hard to reach 100%. 

• 78% of healthcare organizations have 100% antivirus/anti-malware 
• 57% have 100% email security gateway 
• 38% have 100% encryption - data at rest
• 38% have 100% patch and vulnerability management 
• 28% have 100% data loss prevention

HIMSS lists 16 security controls, with 13 having 50% or less of respondents fully (100%) implementing cyber protection tools. These are basic factors of cybersecurity. Accessing and applying all of these features gives organizations stronger prevention and safety measures. 

What Do Hospitals Need to Do to Strengthen Cybersecurity? 

Public healthcare provided through the government can receive cybersecurity support through federal administration. Brookings Institute leans on policymakers. They can “encourage proactivity by providing matching funds to organizations that seek to engage in risk-based planning and bring their practices up to par with state and federal regulations.” Collaboration is another objective to develop strategies that dodge looming cyberattacks. 

The HIMSS survey requests that healthcare organizations subsidize IT professionals. This, paired with standard security protocols, can help overcome cybersecurity challenges. 

AHA also suggests “instill[ing] a patient safety-focused culture of cybersecurity.” When done properly, healthcare organizations can merge and “leverage their existing culture of patient care to impart a complementary culture of cybersecurity.” The hope is that “staff members [will] view themselves as proactive defenders of patients and their data.” Rethinking cybersecurity is a revelation that can make the healthcare industry respond differently to IT. 

HealthIT.gov has 10 Tips for Cybersecurity [PDF]. An essential part of this list is to plan for the unexpected. “Fire, flood, hurricane, earthquake, and other natural or man-made disasters” can happen to anyone. The keys to protecting healthcare records are creating backups and having sound recovery plans. 

Security is central to software design at Macrium. Our applications give you complete control over where your data is stored and will operate fully offline for the most secure, air-tight networks.

Backup recovery is an unmatched part of cybersecurity. In the case of spontaneous attacks or losses, a regular backup can be the final step in recovering data. Industries are looking for streamlined, efficient, and reliable plans to add to their IT infrastructure. 

Macrium Software offers backup that doesn’t expect businesses to change existing software. The technology at Macrium can work with IT professionals to easily adapt to their systems. Check out our website to learn about installing effective backups to prevent data loss at Macrium.com.