It’s Friday night. You, your husband, and your 2 children are settling in for a fun pizza and movie night together. Unexpectedly, your elderly neighbor, Anne, calls in a panic. Her husband Steve is having severe chest pains. While Anne has already called emergency services, she asks that you come over to help. As an internal medicine doctor, you know that Steve’s treatment in the next several minutes and hours is absolutely vital. While Steve has the benefit of world-class care at your local medical facility, his recovery and survival may be hindered by an unlikely yet increasingly pervasive and insidious factor in healthcare—it’s called cybercrime. And it is running rampant, skyrocketing vulnerabilities, bankrupting healthcare organizations, and—of grave concern—degrading patient care. This is happening at healthcare facilities around the world, none of which are exempt from its potential and often devastating impacts.
How Cyber Vulnerabilities Impact Patient Care
Specifically, cybercrime can disrupt care, delay prognosis or treatment, and in the worst cases, cause fatalities. That’s because cyberattacks hinder the availability, reliability, and trust of healthcare records, insurance coverage, and access to medical networks. There is a broad array of potential attack surfaces in healthcare, all of which are linked to patient care, such as payment systems, applications, electronic patient data, claims processing, and care management.
In one report, it was found that “hospitals hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts.”1 For healthcare organizations, full recovery from a cyberattack, which can take months or years, can disrupt the timeliness of care, upset patient processes, and worsen patient outcomes. Patient care is also impacted by facility closures. After weathering a cyberattack and its financial consequences, including compliance violations, some healthcare facilities are shutting down, reducing the availability of local patient care options.
Why Healthcare Data Breaches Are the Most Expensive Attacks
Across industries, cybercrime is on the rise. Healthcare, however, is the largest and fastest-growing target for cybercrime.2 When a healthcare data breach occurs, it is also the most expensive attack, at double the average cost of breaches in other industries.3 Faced with strict compliance requirements (ie, from the Health Insurance Portability and Accountability Act of 1996 [HIPAA] and the Centers for Medicare & Medicaid Services [CMS]), lower margins, and steep regulatory fines, events of this magnitude can devastate a healthcare organization, financially and reputationally.
Why is healthcare such a highly targeted industry? There are several factors in play:
- Medical data’s worth. On the black market, medical data is worth 10 times more than credit card information. In other words, healthcare provides high profit for cybercriminals.
- PHI’s growth. Patient health information (PHI) and thus personally identifiable information (PII) data is growing exponentially.4 Electronic information in hospitals is increasing by approximately 40% on a compounded annual growth rate basis. Some applications, such as electronic medical records, are growing up to 70% per year.
- Healthcare IT transformations. As healthcare providers offer improved patient experiences via telehealth and other digital channels, the adoption of in-house and third-party cloud-based technologies and applications has risen rapidly. With a dearth of concrete security approaches, together with public cloud usage, cyber gaps and vulnerabilities are created—and often unknowingly remain unaddressed.
- Inherent vulnerabilities. As systems go, healthcare systems are a relatively easy target for cybercriminals.
- Increasing access. In addition to public cloud usage, there is the rise of remote work that also increases the attack surface. And comprehensive care requires that system and data access be provided to a large number of people, including the supply ecosystem, spurring additional vulnerability.
- Common shortfalls. Layered on top of these factors are outdated information technology (IT) systems and limited IT staff, which are commonly found in healthcare organizations that operate on slim budgets and narrow profit margins.
- Inadequate cybersecurity protocols. Most healthcare organizations have aging cybersecurity protocols in place. For example, perimeter and network security are not enough protection. In addition, insufficient security controls are often deployed at the data layer to meet mandatory compliance requirements and regulations. That is because encryption, access control, and data loss protection (DLP), while helpful, are deficient, especially against insider threats. These gaps introduce security and compliance risks by creating a false sense of protection, leaving vulnerabilities unrecognized, unmitigated, and under-prioritized.
Simply put, the numbers and factors show that healthcare organizations are facing a gravely serious, “not if, but when” situation—in terms of breaches in both cybersecurity and regulatory compliance.
The Dark, Stark Reality of Healthcare Data Breaches
Cybercriminals are exploiting these vulnerabilities. Healthcare organizations and their PHI and PII data are under intense attack and those attacks are increasingly successful. Studies show that more than 93% of healthcare organizations have experienced a data breach in the past 3 years and 57% have had more than 5 data breaches during the same time frame.5 These elevated attack levels are forecasted to keep growing. Cybersecurity Ventures estimates the global healthcare cybersecurity market will increase 15% year-over-year during the next 5 years, reaching $125 billion cumulatively over 2020-2025.5
The most prevalent types of attacks in healthcare are ransomware attacks. They encrypt patient data and hold it hostage until a ransom is paid, significantly disrupting and broadly disabling patient care until the data is restored. Similar in impact is a distributed denial of service attack that “hides” patient data from healthcare organizations until a ransom is paid to restore the data.
Sadly, the longtail impacts of breaches are often devastating to healthcare organizations. Data breach costs in highly regulated environments like healthcare linger for 2 or more years after the data breach. These are known as “longtail” costs and approximately 24% of them are accrued more than 2 years after the breach occurred.6
What Got Us Here Won’t Get Us There
These converging factors are leaving patients and healthcare facilities and their PHI and PII data vulnerable to potentially devastating consequences—often unnecessarily and unknowingly. HIPAA and CMS compliance, while helpful and necessary, do not equal data security. Encryption, DLP, and access control do not provide sufficient protection. Simply put, yesterday’s solutions are inadequate to counter the current cyber and compliance challenges faced in healthcare—both for today and tomorrow. In cybercrime, every minute and day matters, and taking action today is imperative for healthcare companies of all sizes across the globe.
While healthcare organizations have mighty missions, successfully fulfilling those missions relies on comprehensively securing data. The first step is for healthcare to more clearly recognize that good data protection and security are essential to achieve good privacy and ultimately, to deliver better patient care.
Here are some recommendations to help bolster a healthier data security posture:
- Adopt a risk-based cybersecurity framework that identifies, assesses, and prioritizes risks for rapid remediation. Such a framework is needed to combat the skyrocketing sophistication and escalating volume of cybercrime in healthcare. For instance, comprehensive frameworks are outlined by:
  - National Institute of Standards and Technology’s Cybersecurity Framework (www.nist.gov/cyberframework)
  - HITRUST Cybersecurity Framework (https://hitrustalliance.net/product-tool/hitrust-csf/)
- Prioritize and reach a consensus on data-centric security measures across all data types, such as structured, semistructured, and unstructured, and across all data repositories, such as multicloud, hybrid cloud, on-premises environments, databases, data lakes, file servers, and software as a service.
- Inventory all sensitive data, user privileges, and access rights using a holistic discovery, classification, and monitoring approach.
- Prevent data breaches by using a detection-first approach that keeps data accessible and protected before a breach can cause damage.
Safeguarding Data Safeguards Patient Care
Healthcare organizations must protect data before a breach occurs, when successful remediation can still contain risk and cost at the lowest possible levels. In cybercrime, there are no reverse buttons. Once breached, the damage is underway and escalates over time. Even more importantly, comprehensive data security helps safeguard sensitive patient information and thus patient lives, making it the most urgent imperative and enabler to the collective mission of healthcare organizations around the world.
1. Krebs B. Study: ransomware, data breaches at hospitals tied to uptick in fatal heart attacks. November 7, 2019. https://krebsonsecurity.com/2019/11/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks/. Accessed March 7, 2023.
2. IBM Security, Ponemon Institute. Cost of a data breach report 2022. www.ibm.com/reports/data-breach. Accessed March 7, 2023.
3. Brook C. How much does a data breach cost in 2021? August 22, 2022. www.digitalguardian.com/blog/how-much-does-data-breach-cost-2021. Accessed March 7, 2023.
4. Iron Mountain. Managing the exponential growth in healthcare data: EP 2, HealthcareTalks webinar. www.ironmountain.com/resources/multimedia/m/managing-the-exponential-growth-in-healthcare-data-ep-2-healthcaretalks. Accessed March 7, 2023.
5. Morgan S. Healthcare industry to spend $125 billion on cybersecurity from 2020 to 2025. September 8, 2020. https://cybersecurityventures.com/healthcare-industry-to-spend-125-billion-on-cybersecurity-from-2020-to-2025/. Accessed March 7, 2023.
6. Hill M. What is the cost of a data breach? August 23, 2022. www.csoonline.com/article/3434601/what-is-the-cost-of-a-data-breach.html. Accessed March 7, 2023.