A recent report from the consulting firm Accenture forecasts that cyberattacks will impose costs of more than $300 billion on U.S. healthcare centers and medical facilities over a five-year period, and that hackers will gain access to 1 in 13 patient records over the same period. It is not difficult to understand why hackers are targeting healthcare providers.
- Government regulations forced healthcare providers to digitize patient information. The American Recovery and Reinvestment Act obligated healthcare providers to move toward digitizing patient records before the beginning of 2014. Healthcare systems were already shifting to electronic medical records, but few of those systems included significant cybersecurity controls over those records, leaving them exposed to cyberattacks.
- Patient medical records include high-value information for hackers. A single medical record might sell for $1,000 or more on the dark net. A complete medical record can include a patient’s name, date of birth, Social Security number, and other related information that a cyberthief can use to apply for credit or to commit other financial fraud.
- The healthcare industry lags other industries in installing strong cyber-defenses. Hospitals that operate on a round-the-clock basis do not schedule regular system downtime for installation of patches and bug fixes, and hackers take advantage of known holes in hospital networks that have not been updated. Moreover, few healthcare facilities have made provisions in their budgets for cybersecurity teams or training for regular employees. Lower defenses and less attention to cybersecurity make healthcare centers an attractive target for hackers.
- The mission-critical nature of healthcare facilities makes them uniquely susceptible to ransomware attacks. Healthcare providers need up-to-the-minute information on their patients and cannot afford to be locked out of electronic patient records. This increases the urgency and need for hospitals to pay a ransom demand when their systems are frozen in a ransomware attack. As more hospitals demonstrate their willingness to pay ransoms, hackers shift their focus to hospitals to make more money.
- Even when healthcare systems include cyberdefense strategies, the medical devices that feed information into those systems will elevate the cyberattack risk. Medical technology that feeds data into healthcare systems often runs on firmware that has never been updated and that includes known security holes. A hacker who is unable to access a healthcare system directly might be able to do so indirectly by targeting the IP addresses of X-ray machines, patient monitors, and the plethora of other medical devices that reside in every healthcare facility.
As healthcare facilities become more aware of the cyberattack risks they face, they are beginning to adopt cybersecurity strategies that have become common in other industries. These strategies include regular training and education of healthcare employees in good cybersecurity practices, beefed-up information technology teams that focus on cybersecurity improvements and strategies to prevent data breaches, and regular system and software updates to patch vulnerabilities as they are discovered.
Healthcare facilities are also adopting post-breach containment strategies to minimize the damage that a successful cyberattack might cause. The largest damages that a healthcare facility will face are liabilities to patients whose personal data has been lost, and fines imposed by regulators on account of a facility’s failure to adequately protect that data. For example, Advocate Health paid a $5.5 million fine following its loss of patient data. That fine is the largest regulatory levy imposed against a healthcare system to date.
No modern healthcare cybersecurity strategy is complete without provisions for reimbursement of those liabilities and fines. The current threats to the U.S. healthcare system are best managed with cybersecurity insurance that reimburses a facility for its losses when a cyberattack does break through its defenses. That insurance can help a healthcare facility to recover its operations more quickly and to continue to fulfill its primary goal of providing the best patient care.