Proactive cybersecurity measures are essential to safeguard against the increasing threat of cyberattacks that can erode patient confidence, completely disrupt health-care practices, and potentially cost over a million dollars in network costs, downtime, and lost revenue.
Cybersecurity has gained the attention of health-care entities. According to the ECRI Institute, cybersecurity topped the non-profit organization's Top 10 Health Technology Hazards list for 2022. The dangers of a cybersecurity occurrence will have multiple impacts on a health-care entity.
Cyberattacks can cause an interruption of business activities from scheduling appointments and check-ins to online payments. Cyberattacks can also endanger network-connected medical devices and data networks utilized in the delivery of health care to patients, leading to cancellations of patient appointments, procedures, and even surgeries; diversion of EMT vehicles; or closure of patient care locations.
In 2021, the Identity Theft Resource Center reported 1,862 data breaches, a 23 percent increase over the previous record set in 2017. This included 1,603 cyberattacks. Ransomware attacks doubled between 2019 and 2021.
When Ransomware Infected Hollywood Presbyterian Hospital
On February 5, 2016, Hollywood Presbyterian Hospital became the first health-care facility hit by ransomware. While other health-care entities had been breached before the Hollywood Presbyterian Hospital event, those incidents involved accessing patient health records without ransom demands.
It appears that the perpetrators used Locky ransomware malware, which is often disguised as a Microsoft Word document, but contains malicious macros. An employee clicked on the email attachment, and employees began informing their supervisors that they could not access the network. The ransomware demanded 40 Bitcoins (about $17,000 at that time).
Hospital management declared an internal emergency and took their computer system offline. The radiation oncology department and several other departments were advised to not even turn on their computers. Physicians and nurses were unable to access patient records and were unable to share radiology and medical test results. The hospital paid the ransom before they reported the incident to law enforcement.
What You Should Know About the Escalating Price of Ransomware Settlements
A 2021 survey by Sophos revealed that the average ransom paid by a medium-sized business was $170,404 in 2020. The ransom paid, however, is just the tip of the iceberg. The average cost to resolve a ransomware attack was $1.85 million. This included downtime, employee costs, device, and network costs, and lost revenue. At present, the average cost to a business of ransomware attacks continues to escalate precipitously.
Protecting Patient Information and Privacy
We must understand that any cybersecurity attack and breach will severely impact an organization's ability to deliver care and protect patient privacy, adversely affect our financial position, and possibly damage our reputation.
Protected health information (PHI) and personally identifiable information (PII) encompass key elements of the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) defines PHI as "individually identifiable health information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate." Personally identifiable information is any information that can be linked back to a person's identity, including Social Security numbers, driver's license numbers, email addresses, or any other information that could be traced back to a specific individual.
With the HIPAA Privacy Rule,HHS has strict requirements when it comes to privacy matters for health-care professionals (HCPs). These individuals must:
• ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) they create, receive, maintain or transmit;
• identify and protect against reasonably anticipated threats to the security or integrity of the information in order to avoid disclosure of said information;
• protect against reasonably anticipated, impermissible uses or disclosures; and
• ensure compliance by the workforce.
Recognizing The Critical Nature of Cybersecurity for Health-Care Entities
Cybersecurity should not be thought of as "just an IT issue." Like a stool, cybersecurity rests on three legs: the IT department, workforce, and senior leadership. By working together with a shared goal, they can protect the future viability of that business.
Yes, cybersecurity is critical to the survival of every business, but most especially to the survival of health-care entities. A cybersecurity breach can affect all of the following areas for health-care facilities.
Practical Steps to Take Now
A robust IT department is every health-care facility's best defense against cyberattacks, including ransomware. Now is a good time to review IT operating practices in radiology practices.
No longer is IT simply technical support for employees and keeping the network up and running. IT crafts the shield that protects patient records, networked medical devices, and the company's future viability.
Mr. Silva has more than 15 years of health-care compliance experience with both large and small entities. He is a member of the Health Care Compliance Association and the National Association of Healthcare Quality.