Why cybersecurity should be important to hospitals

The rise of digitization in healthcare, heavily fueled in the U.S. in recent years by incentives of the outgoing administration, has brought an unintended and treacherous side-effect: vulnerability to the increasingly rampant hacking of healthcare data.

Hackers have found numerous avenues to make healthcare data lucrative, including its sale on the black market for uses including Medicare fraud, foreign intelligence, identity theft and other financial purposes. However, as that market has become more saturated, causing the value of health records to drop, a newer and even bolder threat took precedence in 2016, according to cybersecurity firm TrapX. In this scheme, hackers hold a hospital’s healthcare data hostage until money is paid through what is called ransomware, interrupting services and literally putting patients’ lives on the line.

A recent Accenture survey gave a sliver of insight where and how health data breaches are occurring:

From insider threats to ransomware attacks, hospitals need to be aware about cybersecurity practices within their walls. Slipping up can cause a hit to their bottom line and credibility among patients.

Why it’s important

Cybersecurity involves the technologies and practices put forth to shield digital data from unauthorized access, as well as from internal threats and mistakes that put data at risk. It’s a never-ending race as hackers perpetually push the envelope. Healthcare data has become a growing target as more of it is generated and inadvertently made vulnerable via avenues such as digital health records, data sharing and medical devices that communicate with hospital systems but fail to include security safeguards.

It is increasingly critical for CIOs and hospital administrative staff to understand the importance of cybersecurity, given that the stakes are no longer primarily a matter of privacy and reputation but of actually maintaining control of hospital systems.

Real world examples give the industry a preview of potential attacks

Ransomware attacks triggered outrage as hackers held numerous health systems hostage in 2016, leaving administrators in the impossible position of deciding whether to pay up – which helps fuel the trend – or risk their patients’ lives as data remains inaccessible and services interrupted.

It was a year ago, in February 2016, when ransomware first made major news as hackers hit Hollywood Presbyterian Medical Center in Los Angeles which then famously made its own waves by agreeing to pay the demanded ransom of 40 bitcoins (bitcoins being an internet currency intended to be untraceable) worth about $17,000. The hospital reportedly spent a week locked out of its systems and reliant on pen and paper. Two more attacks followed a month later at other California hospitals, Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, both operated by Prime Healthcare Services.

Columbia, Md.-based hospital chain MedStar, with 10 hospitals and about 250 outpatient facilities, also went old-school after it was then hit in March, with employees working around its days-long system outage as well as possible by reverting back to paper. The system reported that it was ultimately able to regain control without paying the ransom.

The struggle is real

The scope of the breach threat is significant; according to a joint report by Protenus, Inc. and DataBreaches.net, 2016 saw an average of at least one health data breach per day, affecting a total of more than 27 million patient records. The analysis is based on 450 incidents disclosed to HHS, the media and other sources. It found breaches to have been steady throughout the year. This year isn’t shaping to be any better. Protenus found 31 health data breaches occurred in January affecting 388,307 patients.

Further, the costs around a healthcare data breach can be significant, due to hits to trust, loyalty and brand value, as well as the expenses around notifications, forensics and lawsuits, according to Protenus. The direct costs can take years to unfold, while the indirect costs can be difficult to gauge.

A breached healthcare organization can expect to see a 6.7% increase in customer churn and to lose nearly $4 million in business as a result of its tarnished reputation, Protenus estimated, making that potentially the largest single cost compared to expenses such as forensics, for which a healthcare organization can expect to pay about $610,000. The total direct costs for remediating a breach total above $1 million, Beth Israel Deaconess Medical Center CIO John Halamka told Politico. That said, stock values for healthcare related companies have yet to suffer lasting damage as a result of data insecurity, Politico added.

Kicking and screaming into cybersecurity?

Critics have suggested hospitals and providers were forced into the digital age before the industry had a chance to develop the proper expertise and infrastructure. Even if that’s the case, debate still remains around what that proper expertise and infrastructure should look like – and how health systems are supposed to pay for it, and keep up with the constantly emerging new threats – unless the federal government is willing to cough up some more incentives, which has not yet been the case.

Next steps

The federal government’s support on the matter has so far consisted primarily of some security guidance for the healthcare industry and the creation of the Health Care Industry Cybersecurity Task Force, expected to deliver a report sometime this year given the current term’s expiration in March.

Until healthcare data security is better resolved, cyberthreats not only keep hospitals at risk but also hold back the movement toward sharing patient data among healthcare entities, which was much of the point for digitization in the first place to aid in efforts around big data, precision medicine and transparency.