By: William Ecenbarger
Like most other organizations, healthcare facilities have moved toward total digitization. The major benefit of this change is that it has provided an efficient way of sharing patient records among healthcare professionals. Compared to paper-based records, electronic health records require less workforce, time, and physical storage.
However, this shift has created a new and growing risk: cyber-attacks that are compromising patient information, delaying patient procedures and tests, and rerouting ambulances to alternative emergency rooms.
“The health care sector is experiencing a significant rise in cyberattacks, putting patient safety at risk,” warns Andrea Palm, deputy secretary of the U.S. Department of Health and Human Services. “These attacks expose vulnerabilities in our health care system, degrade patient trust, and ultimately endanger patient safety.”
The HHS Office for Civil Rights said the medical information of some 88 million Americans was exposed in the first 10 months of 2023. HHS also reported a 93 percent increase in large, healthcare-related cyber breaches between 2018 and 2022.
Much of the official concern is focused on breaches of patient privacy.
Healthcare institutions are a gold mine for cyber attackers. They hold huge amounts of information on patients–not just medical records, but also financial information, Social Security numbers, names and addresses. Moreover, unlike most businesses, they are open all the time–meaning, as the Seattle Times pointed out in a recent article, “they might be more likely to prioritize avoiding disruptions and, therefore, more likely to pay a hacker’s ransom.”
Geetha Thamilarasu, an associate professor of computing and software systems at the University of Washington and a specialist in health care security, said patients’ health information is valuable to cyber-attackers, who can use stolen medical records to buy bogus prescriptions, sell identity information online and file fraudulent insurance claims.
“There is a huge underground market on the dark web,” Thamilarasu told the Seattle Times. “Research shows that if a compromised credit card sells for about $1 to $5 each, a compromised medical record can sell anywhere from $400 to $500 — sometimes even $1,000.”
Moreover, anyone concerned about stolen Social Security numbers can enroll in a credit-monitoring agency, but patients have little recourse if their personal health information is stolen.
There are often hundreds of Internet-connected devices in a hospital, each of which may require a different type of security. “While an X-ray machine itself might not carry any patient data, it can act as an entry point for attackers trying to break into an organization’s broader network,” Thamilarasu said.
The American Hospital Association recently warned: “Health care organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves. The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation.”
John Riggi, the AHA’s Senior Advisor for Cybersecurity and Risk, said hospitals and other healthcare organizations constantly face attacks that can put patient safety at risk. “That’s why I advise hospital senior leaders not to view cybersecurity as a purely technical issue falling solely under the domain of their IT departments. Rather, it’s critical to view cybersecurity as a patient safety, enterprise risk and strategic priority and instill it into the hospital’s existing enterprise, risk-management, governance and business-continuity framework.”
Riggi, a former FBI cybersecurity specialist, urges hospitals to adopt “a culture of cybersecurity” that would result in staff members seeing themselves as “proactive defenders of patients and their data.”
“The cyber bad guys spend every waking moment thinking about how to compromise your cybersecurity procedures and controls. The best defense begins with elevating the issue of cyber risk as an enterprise and strategic risk-management issue. If possible, you should also dedicate at least one person full time to lead the information security program, and prioritize that role so that he or she has sufficient authority, status and independence to be effective. Furthermore, you and your team should receive regular updates on your organization’s strategic cyber risk profile and whether adequate measures are dynamically being taken to mitigate the constantly evolving cyber risk.”
According to the healthcare news publication HealthcareDive, cyber-attacks exposed 385 million patient records from 2010 to 2022, though individual patient records could be counted multiple times. The HIPAA Journal says the number of healthcare data breaches has been increasing over the past 14 years. In 2023, 5,887 data breaches of 500 or more records were reported to federal officials. In 2023, more than 540 organizations reported healthcare data breaches to HHS, affecting more than 112 million people.
Riggi said hospitals have been working to put in place better safeguards and more backup systems to prevent such attacks and respond to them when they occur. But he said it is almost impossible to make them completely safe, especially because the systems need to rely on Internet and network-connected technologies to share patient information among clinicians involved in a patient’s care. “Overall, that’s a good thing,” he said. “But it also expands our digital attack surface.”
The HHS recently released a cybersecurity strategy for the healthcare sector that includes these actions:
–Publish voluntary healthcare sector cybersecurity performance goals to “help healthcare institutions plan and prioritize implementation of high-impact cybersecurity practices.”
–Provide resources to “incentivize and implement cybersecurity practices.” HHS said it would work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices.
–Implement an HHS-wide strategy to support greater enforcement and accountability. HHS will propose new enforceable cybersecurity standards.
–Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity. This will “deepen HHS and the Federal government’s partnership with industry, improve access and uptake of government support and services, and increase HHS’s incident response capabilities.”
The AHA’s Riggi offered his expertise. “I am available to assist your organization in uncovering strategic cyber risk and vulnerabilities by conducting an in-depth cyber-risk profile, and by providing other cybersecurity advisory services such as risk mitigation strategies; incident response planning; vendor risk management review; and customized education, training and cyber incident exercises for executives and boards. Please contact me for more information at 202-626-2272 or jriggi@aha.org.”