An increasing number of health systems are falling prey to cyberattacks, leading to questions about what security measures are in place and how far-reaching the effects are when they fail.
The federal Office for Civil Rights has begun 18 investigations into data incidents in August, including eight at healthcare providers and seven at health plans. The breaches occurred via email or network servers, which users in an organization typically share.
In late July, Nashville, Tennessee-based HCA Healthcare revealed a data security incident that compromised the personal information of an estimated 11 million patients, making it one of the largest breaches since tracking started in 2010. The for-profit health system said data was stolen from external storage and included patients’ names, contact information, gender, birth dates and locations.
Two large healthcare-related breaches occurred in May—Managed Care of North America, affecting 8.9 million patients, and PharMerica Corp., affecting 5.8 million.
Cyberattacks can have far-reaching impacts on healthcare organizations, leading to costly disruptions in operations and regulatory hurdles to address. Cybersecurity and risk management experts say healthcare organizations can mitigate those consequences by investing in insurance and having comprehensive protection.
“Healthcare right now is in a recovery state. … When the hospital is focused on the health of the people, who’s focusing on health of the network?” said Bobby Cornwell, vice president of strategic partnership enablement and integration at cybersecurity company SonicWall. “To the bad guys, it’s the best opportunity ever.”
Healthcare is very vulnerable to cyberattacks
Attackers target healthcare organizations because of the amount and type of valuable data they collect, experts say.
One of the most common tactics involves ransomware, which is malware designed to keep users from accessing their files until they pay a certain amount. Providers often have no choice but to pay the ransom to regain access to records and prevent any harm to patients.
About a quarter of ransomware attacks targeting critical infrastructure happen in healthcare, said Karl Sigler, senior security research manager at cybersecurity company Trustwave Holdings Inc.’s SpiderLabs unit.
Providers often have custom applications to provide care specific to their organization, and those often don’t go through security checks, Sigler said. Biotechnology devices such as infusion pumps or pacemakers also increase vulnerability to potential attacks because each one is essentially a computer that can connect to the network, he said.
Health systems are particularly vulnerable during mergers and acquisitions because of the vast exchange of information and integration of information technology systems. The probability of a data breach doubles during and after the merger process, according to a peer-reviewed study released this summer from economics doctoral candidate Nan Clement at the University of Texas at Dallas.
Another popular tactic is email phishing, when attackers send scam messages that appear to be from a trusted source. Clicking a link or downloading an attachment installs malware on the device.
“You’ve got all these people stressed out. Everybody’s working overtime. Everybody’s trying to deal with all of these things, and one person accidentally clicks on the link on the email,” Cornwell said. “Boom—the whole operation is compromised.”
In many cases, it takes weeks for a healthcare organization to realize a breach has occurred, leaving patient information vulnerable for an extended period.
Health systems, whether they’ve recently had data incidents or not, either declined to discuss their cybersecurity strategies or did not respond to interview requests.
Cyberattacks can have extensive impacts
Financial losses from a cyberattack can reach hundreds of millions of dollars, depending on the system’s size, how long the network is compromised and whether a ransom payment is made. Last year’s data breach at CommonSpirit Health, for example, cost roughly $150 million and affected more than 600,000 patients, the Chicago-based system estimated.
The financial hit can include lost revenue from suspended operations, remediation expenses, regulatory fines and costs of enlisting third-party help. Attackers can also target vendors servicing multiple health systems, casting a wider net on where and what information they can steal.
“The financial implications can be absolutely devastating,” Sigler said. “It’s difficult to recover from these things.”
Organizations may be required to notify patients and the media within 60 days of discovery under the HIPAA Breach Notification Rule if “unsecured protected health information” is involved, as well as inform the Office for Civil Rights within 60 days if the breach affects more than 500 individuals. The Federal Trade Commission and some states also have notification requirements.
HCA sent emails to affected patients and said last week it is mailing notification letters. It is offering credit monitoring and identity protection for two years. CentraState Healthcare System in Freehold, New Jersey, mailed letters to almost 618,000 patients after discovering an attack in December and began offering identity theft protection for patients who had their Social Security numbers compromised.
To determine risk, healthcare organizations complete an assessment that looks at the nature and extent of the health information involved, the unauthorized person who used the data, whether the data was actually acquired and the extent to which the risk has been mitigated.
“You have to divert time and resources that you don’t have to respond to this attack as a victim, and it takes you away from the good work that these institutions are doing,” said Linn Freedman, chair of the data privacy and cybersecurity team at law firm Robinson + Cole.
Patients may also pursue class-action lawsuits, despite the challenges of proving a particular breach caused them harm. HCA, for example, is facing multiple lawsuits regarding its recent breach. An Alabama woman recently filed a suit against Springhill Memorial Hospital in Mobile, alleging a 2019 ransomware attack that shut down its network led to birth injuries and eventually her infant daughter’s death.
Cybersecurity protection is mandatory
As cyberattacks become more sophisticated, it’s more important than ever for healthcare organizations to put the necessary protections in place, experts say.
Peter Halprin, a partner at law firm Pasich LLP, said investing in cyber insurance is one way to prevent financial catastrophe. Healthcare organizations can file claims to cover lost operating revenue and ransomware payments, plus the costs of working with vendors such as ransomware negotiators and privacy counsel to navigate the crisis, he said.
Large companies in many industries often invest in insurance coverage towers, essentially stacking layers of insurance plans for increasing amounts of coverage. Each successive plan covers a greater amount, but coverage gets cheaper with each layer because the risk for the additional insurers declines.
The cost of cyber insurance, estimated at $1,000 to $7,500 per $1 million of first-layer coverage for small to mid-sized organizations, is determined by the size of an operation and the level of desired protection, said Evan Bundschuh, commercial lines manager at insurance brokerage GB&A.
Healthcare organizations can also invest in cybersecurity services such as network security monitoring, firewall protection and encryption tools, among others. The cost for the services varies, ranging from a few thousand dollars at a small practice to multiple millions of dollars at a large hospital system, SonicWall’s Cornwell said.