Cybercrime is Killing Patients. Here’s What We’re Doing About It.

Your worst day starts like this. The emergency department at your small hospital is full of high-acuity patients. A fentanyl overdose and an ectopic pregnancy keep your team on their toes, while a patient with a gunshot wound needs immediate surgery. And just as your surgeon is scrubbing in, the hospital’s systems go down. All of them, from patient billing to email to EHR systems. None of your providers can access patient data – because the hospital has been hit with a ransomware attack.

If this scenario sounds absurdly dramatic, you might be surprised to hear how common it is. There has been a 300% rise in ransomware attacks on healthcare, forcing hospitals to cancel surgeries and delay cancer treatment, lab testing, and prenatal care. Today’s average ransom paid out is roughly $4.4 million, while hospitals experience an average loss of $900,000 in downtime.

Patients pay the ultimate price. Microsoft researchers found that ransomware attacks increased waiting room time by almost 50%, the number of confirmed strokes by 113%, and cardiac arrest cases by 81%.

Small clinics, private practices, and staffing companies are also prime cybercrime targets. A 2020 breach at one staffing agency provided unauthorized access to 30,000 staffers’ private information, with the staffing company paying $10,000 to each individual impacted.


Healthcare is a Tempting Cybercrime Target

Over the last three years, 93% of healthcare organizations experienced a data breach. Here are a few reasons why the healthcare sector can be easy prey.

  • The stakes are life or death, which means hospitals will pay up quickly to regain control of their systems.
  • Healthcare organizations are also rich in high-value data like patient social security numbers or staff identification card details. Dollar for dollar, the black market value of electronic protected health information (ePHI) is worth more than credit card data. A single patient record can sell for $1,000 or more.
  • Traveling clinical staff log in and out of systems such as EHR applications from different locations and devices. Cumbersome security measures are a burden in their fast-paced world. They may find workarounds to get their jobs done, even if it means flouting security policies – a gift to hackers waiting to steal their credentials.
  • A small healthcare IT team is often technologically outclassed by highly skilled, well-funded criminal rings. These teams must protect an ever-changing suite of technologies across the Internet of Things, cloud-based platforms, remote access, medical wearables, and systems spanning patient records, billing, payroll, and other needs.

Despite these vulnerabilities, many healthcare leaders consider cybersecurity “just a tech issue” that eats up budget they’d rather allocate to patient care. What they don’t understand is that just one disruption can be disastrous to clinical outcomes. A patient’s greatest danger may come not from a medical error but a digital crime – making security a patient care issue.

Strengthening Your Cybercrime Security Program

Security is interdependent. One vulnerability in one system can affect multiple organizations. And the cybercrime aftermath hurts everyone, from the loss of patient trust to employee ID theft to fines and HIPAA penalties.

You’ll often hear security teams refer to the PPT model – People, Process, and Technology. Hopefully your organization practices basic security hygiene via privileged access, risk assessments, password policies, third-party penetration testing, and other tools. However, it’s worth checking that you’re covering your people and process bases too. Here are the essential building blocks for a healthcare security program.

  • Build a culture of security. Leaders should understand that security impacts all departments, from delayed chemotherapy to HIPAA fines to staff walking out the door when their private information is stolen. Employees should understand their role in protecting patients and colleagues so they follow best practices and don’t try to “cheat” security controls.
  • Invest in the right technology. Tools abound across encryption, backup and disaster recovery, perimeter protection, intrusion detection, and multi-factor and adaptive authentication. But these tools must both satisfy security and compliance protocols and provide a flexible and efficient experience for clinical staff. If providers don’t have frictionless access to patient data, the tools aren’t working.
  • Design an incident response plan. A recent American Hospital Association podcast described a hospital that had to buy walkie-talkies from Best Buy to keep operations going after a ransomware attack. When attackers infiltrated another hospital, encrypted its 1,300 servers, and deposited malware on 5,000 devices, the hospital was forced to operate on paper for a month while it rebuilt its infrastructure. Younger physicians didn’t know how to write orders on paper; no one could access clinic schedules.
  • Train staff. Employees are always your biggest vulnerability. The above-mentioned attack started when an employee opened an emailed file from her homeowners association, which had been hacked. Teach staff to recognize the signs of phishing emails and CEO fraud, in which a criminal impersonates a trusted company or leader to request personnel data, gift cards, or an electronic funds transfer. Even basic tips such as hovering over links, confirming sensitive requests, using different passwords, and not opening unexpected attachments can help staff keep the door locked against criminals.
  • Test clinical and administrative staff. Security vendor Barkly found that more than three-quarters of users who said they understood the risks of clicking on links in emails clicked on them anyway. Another study found that 4% of employees clicked 80% of phishing links, and 3% were responsible for 92% of malware events. Testing can identify the employees most at risk and train them before an incident happens.

Stopping Tomorrow’s Attacks with Today’s Security

Healthcare is an industry at war with cybercriminals. Attacks will grow more sophisticated; the damage will become more severe. Healthcare leaders must make security a priority if they want to honor their responsibilities to their patients and their providers.

After the holidays, we will release a training for healthcare organizations that want to assess their current security program and train their teams. We’ll share details on the types of cybercrime attacks to expect and how your organization can tighten its security posture. To join our training release list, email hello@tribalhealth.com.
