The Rising Price Tag of Healthcare Cyberattacks
The correlation between the pandemic and a massive spike in ransomware and other cyberattacks on businesses has been well documented. Less prominent in the headlines has been the parallel trend in attacks on healthcare. The Department of Health and Human Services (HHS) noted a 50 percent increase in healthcare cyber breaches in the first half of 2020 alone.
Like other industries, health providers had to transition quickly to alternative ways of delivering care, including telehealth visits. Paired with a sudden shift of administrative and non-clinical staff to work from home (WFH), this often left a trail of security gaps to exploit, and attackers have taken full advantage.
Thinking back to the crisis just last April, when the pandemic was in full swing, overcrowding in hospitals and staff stretched to their breaking point created a perfect storm for healthcare. Governance had to change on the fly, administrative personnel shifted to working from home, and IT was scrambling to maintain accountability and patient throughput in an entirely new way. It was the most stressful time in recent history for healthcare, but also a time of immense innovation and creativity.
The unique nature of the data maintained by healthcare providers makes the cyber issue especially sensitive. A business might lose customer data and financial records, or have them held for ransom. A healthcare organization is the steward of the most profoundly personal information, which is why we have the HIPAA statute to protect that data.
Combine that with the other trend in ransomware, the shift toward extortionware, and you have a recipe for disaster. A ransomware attack encrypts data and withholds the decryption key until the ransom is paid. An extortionware attack copies the data out first and threatens to publish it on the Dark Web instead, so that restoring from backup no longer removes the attacker's leverage. No one except the bad actors wants to see that happen with personal medical information.
The current average cost of recovery from a healthcare cyberattack: $1.4 million. What can health organizations do to prevent damage of that scale, not to mention the reputational damage that lingers long after?
With the increase in telehealth visits, health providers should be conducting remote appointments on enterprise-grade platforms rather than consumer tools. Enterprise platforms let the organization set its own privacy and access controls, such as who can join a session and how recordings are handled, helping ensure that confidential conversations remain private.
Staff training from top to bottom is another necessity. While hackers have many methods of gaining illicit access to systems, a malicious link clicked by an unwitting employee is still often the cause of a breach. As with any other business, cybersecurity isn’t just the CIO’s job … it’s everyone’s job, and every staffer needs to understand both what to look for and the ramifications of being careless.
Healthcare could also take a page from the sector with arguably the second-most to lose in a breach: financial services. Banks and other financial providers are adopting digital tools, including analytics and machine learning, to stay a step ahead of malware purveyors. They’re also stepping it up in the budget department, with JPMorgan Chase last year allocating a whopping $11 billion to technology.
Even though healthcare budgets are vastly different from those of the financial industry, the lesson is to invest in cybersecurity controls. With so many factors combining to produce an upward spiral in healthcare costs, and now with newly introduced competing priorities, healthcare organizations face a difficult decision on where and how to spend. But the bottom line is that cybersecurity should fall under the heading of “spare no expense,” because attackers can, and have, put hospitals out of operation for extended periods, and that costs lives.
Just as healthcare organizations have had to adapt to new layers and levels of personal protection to insulate frontline workers from infection, so will they need to embrace new layers of security in the escalating battle against ransomware.