In the last two years, 89 percent of healthcare organizations suffered at least one data breach involving the loss or theft of patient data. The question, experts say, is not if a hospital will be attacked, but rather when—and how prepared its teams will be to mitigate damage.
Hacks hit hospitals hard
Just a month after one California hospital paid a $17,000 ransom to end a cyberattack, three more medical centers in the state were hit by hackers. Some clinical systems, such as radiology, were down for days at three Prime Healthcare facilities—Desert Valley Hospital, Chino Valley Medical Center and Alvarado Hospital Medical Center—as the hospitals worked to contain the ransomware that infected their computers. Yet no patient’s safety or data were compromised, and no ransom was paid, says Prime spokeswoman Elizabeth Nikels.
“Prime Healthcare had various levels of protection and controls built into its systems, including multiple levels of backup,” Nikels says. “Our [chief information officer] and IT teams ... had an extensive cybersecurity strategy in place and were quickly able to execute their incident plans alongside national expert incidence response firms.”
Hospitals and healthcare organizations across the country are increasingly finding themselves the targets of hacks and ransomware attacks. In fact, 45 percent of healthcare organizations had more than five data breaches—though most were small, containing fewer than 500 records—in the past two years, according to a 2016 report by Ponemon Institute, a Michigan-based research organization focused on IT security. In 2016 alone, hacks of healthcare facilities were reported in California, Indiana, Kansas, Kentucky, New Jersey and the Washington, D.C., area.
While there has been no known patient injury stemming from a cyberattack, reports have indicated rescheduled appointments and delayed treatments. “There’s no evidence of any direct harm yet,” says Kevin Fu, PhD, director of the Archimedes Center for Medical Device Security at the University of Michigan. “It’s more about the safety net beginning to crumble.”
But even with patients out of harm’s way, the ramifications of a hack on a hospital can be severe. Healthcare hacks cost $355 per lost or stolen record—the highest of any industry—due to fines and a higher-than-average rate of lost business and customers, reports the Ponemon Institute. If the hack constitutes a breach, hospitals could face the added costs of credit monitoring for patients and media notification. And with that publicity comes another potential hit: a decline in reputation and loss of patient trust.
“How do you maintain continuity of operations?” asks Fu. “How do you have not just continuity, but assured continuity of operations? And then the follow-up is, how do you recover when you have a disruption to continuity of operations? Ransomware plays havoc with how things are done today in healthcare.”
Why hacks happen
Experts say the reasons for the surge in hacks are two-fold: there’s money in health data—and in the ransomware itself—and the healthcare industry is a particularly vulnerable cyber-target. While hospitals have paid thousands in ransom to get their medical records decrypted, perhaps more lucrative for hackers is the health information itself. A stolen medical record, which could be used to file false insurance claims or commit identity theft, could sell for five or 10 times more than a stolen credit card number.
“The data is much richer and, as a result, much more attractive,” says Chris Paravate, MBA, chief information officer at Northeast Georgia Health System in Gainesville. “There are lots of different fraudulent activities you can do with that much data.”
As health data becomes more valuable, medical organizations are becoming more vulnerable to cyberattacks. Many factors make a typical hospital more likely to experience a breach, according to a report by Meditology Services, an Atlanta-based healthcare IT company. These include storing large volumes of medical data on a variety of systems with varying security, using legacy systems without routine security updates, allowing open physical security policies and connecting unsecured medical devices to the network. Healthcare organizations have made moderate improvements