Cybersecurity attacks can erode patient trust and create public relations nightmares, but the larger threat is their potentially devastating effects on patient safety. In an age of increasing cybersecurity threats, focusing on healthcare cybersecurity isn’t optional; it’s mandatory. The data on healthcare cybersecurity breaches—and the resulting threats to patient safety—are unsettling.
From 2019 to 2021, cybersecurity breach incidents tripled, according to a report that analyzes the data healthcare organizations report to the U.S. Department of Health and Human Services (HHS). In 2021, healthcare cybersecurity attacks involving ransomware, credential harvesting, legacy systems, or stolen medical devices affected 45 million individuals in the U.S. There was also a 16% increase in the average cost to recover each patient record in 2020 versus 2019, and restoration of systems to pre-attack status took healthcare organizations an average of 236 days.
The surge in cyberattacks on healthcare organizations prompted the Cybersecurity and Infrastructure Security Agency, the FBI, and the HHS to release a joint advisory warning of “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
What is healthcare cybersecurity, and why is cybersecurity important in healthcare?
Cybersecurity in healthcare involves the protection of patients’ sensitive information and other data assets from unauthorized access, use, and disclosure. Cybersecurity is increasingly important in an era of electronic health records (EHR). However, the EHR is only one type of specialized hospital information system that is vulnerable to healthcare cybersecurity threats. Others include:
- Electronic prescribing systems (e-prescribing)
- Practice management support systems
- Clinical decision support systems
- Radiology information systems
- Computerized physician order entry systems
- Remote patient monitoring devices
There are also “smart” medical devices and mechanical systems including elevators; heating, ventilation, and air conditioning systems; infusion pumps; and others. Their ubiquity in the healthcare environment (in and outside of the physical health system) requires collaboration between patients, providers, support staff, healthcare administrators, and vendors/market suppliers. Everyone plays a role in sustaining a robust cybersecurity effort that ultimately protects health information, mitigates operational disruptions, and ensures patient safety.
What are the biggest cybersecurity problems in healthcare?
There are several areas in cybersecurity to watch, particularly those involving third-party data breaches. For example, a hacker might target a healthcare data storage company, a medical device company, or a medical billing company that has access to hospital information.
Unauthorized email access is another major problem. Hackers use phishing emails in an attempt to fool users into disclosing sensitive information, clicking on a malicious link, or opening a malicious attachment. Once users provide information or inadvertently give unauthorized access to one or more systems, hackers can download data, infect computer systems with malware, and more.
Physical security is another vulnerability. For example, unauthorized physical access to a computer device may lead to a data breach. This can happen if someone leaves a laptop unattended while traveling or while working in another location. Another example is an “evil maid” attack, where a hacker can physically access a device multiple times without a user’s knowledge, even if the device is password protected. The hacker gains ongoing access by installing a keylogger to record sensitive information (e.g., credentials) that they can use at a later time.
SaaS and cybersecurity
Another common cybersecurity vulnerability occurs when legacy systems are no longer afforded the security and support they need. Often, they lack security patches and other updates, making them prime targets for hackers. Software-as-a-Service (SaaS) solutions are a preferred alternative to on-premises data hosting, and offer advanced security by ensuring:
- All data are encrypted during transport (via Transport Layer Security, or TLS)
- All data are encrypted at rest in the database
- An audit log is kept of all activities carried out on the data
- Redundant disk storage is employed
- Encrypted transaction log and differential backups occur throughout the day, with full, daily backups being rotated regularly and stored off-site
What to look for in a SaaS host
To ensure not only optimal security but also scalability, availability, and performance, look for a cloud computing hosted environment that provides:
- A redundant server farm and a replicated storage area network
- A disaster recovery (DR) model that includes replicating production virtual servers and database servers to a backup/DR data center
- Performance monitoring software that continuously assesses the health of the platform
- Support that responds quickly and accurately to every customer, including monitoring of customer email with prompt service for critical items
Look for software that follows a standardized security development lifecycle that includes strong baseline security requirements, privacy impact assessments, security risk assessments, threat modeling, and penetration testing. This includes security awareness, developer education, secure coding techniques, and test methodologies designed to mitigate common vulnerabilities such as those identified by OWASP.
Application security is also mandatory today. For example, by implementing strong application security practices such as encryption-in-transit, encryption-at-rest, robust authentication and authorization mechanisms, and defense-in-depth controls at the operational level, symplr is committed to protecting the privacy and security of customers’ data at all times.
Why do hackers target healthcare providers, and why do hospitals need cybersecurity?
Hackers typically target healthcare organizations for two main reasons. First, they do it to monetize protected health information (PHI) and sell it on the dark web. PHI typically includes both clinical and financial information (e.g., credit card numbers, bank account numbers, and Social Security numbers), and thus is lucrative for thieves. According to some estimates, hackers can garner between $10 and $1,000 per stolen medical record, depending on the amount of data within the record.
Second, they do it to prevent health systems from being able to deliver patient care unless they pay a ransom. The combination of a broad attack surface and strong financial incentives makes healthcare organizations an appealing hacker target. A cybersecurity program proactively identifies and addresses these threats.
How do cyberattacks threaten patient safety?
When a cyberattack renders healthcare providers unable to access medical records and lifesaving medical devices, patient safety is immediately compromised. Hackers who gain access to sensitive data can steal it or alter the data (either intentionally or unintentionally), causing serious negative consequences for patients. Unfortunately there are plenty of examples reflecting such scenarios. Consider National Health Service hospitals in England and Scotland. During the WannaCry ransomware attack in May 2017, up to 70,000 devices—including computers, MRI scanners, and blood-storage refrigerators—ultimately may have been affected.
The cyberattack targeted computers worldwide running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
Another example: In 2015, cybercriminals attacked MedStar Health in Washington, D.C., demanding approximately $19,000 to restore the system’s data. It isn’t hard to imagine how these attacks can prevent access and render providers unable to ensure the provision of safe and effective care.
In other cases, cyberattacks may have directly led to actual patient deaths. Consider the recent ransomware attack that likely caused a German woman to lose her life. During this cyberattack, systems gradually crashed and the hospital couldn’t access data. As a result, emergency patients, including the woman who died, were taken elsewhere. The woman died from an aortic aneurysm while being transported to a facility approximately 20 miles away.
How do cyberattacks threaten patient privacy?
Cyberattacks threaten patient privacy in many ways. That’s because gaps in critical infrastructure allow hackers to access patient health information and other sensitive information. Once they have this data, they can use it for a multitude of nefarious purposes—to blackmail someone, ruin someone’s reputation or cause them harm in some other way, sell the information on the dark web, and more.
Why are healthcare cybersecurity attacks on the rise?
Unfortunately, most experts predict an increase in cyberattacks. Chief among the reasons for the rise in incidents is that healthcare providers have access to more digital health information and connected medical devices than ever before. This means the attack “surface” is growing by leaps and bounds. In addition, hackers are developing more sophisticated tools and techniques to access this larger surface of potential vulnerabilities.
Second, there has been a steady increase in the use of telehealth, particularly during the COVID-19 pandemic. During telehealth sessions, at least one of these types of cyberattacks can occur:
- Theft of personal identifying information, data exfiltration, and credential harvesting
- Exploitation of financial transaction systems and manipulation of clinical data
- Installation of ransomware and denial of service
Almost a third of clinicians have had their patients’ data compromised when conducting remote telehealth sessions, according to a recent survey.
Third, the healthcare sector has been slow to respond to cyberattacks. Recent research found that the average healthcare organization spends only about 5% of its IT budget on cybersecurity. This is despite studies demonstrating that proactive cybersecurity investments pay off, leading to long-term savings.
IBM’s 2021 Cost of a Data Breach Report found that the healthcare industry had the highest cost of a data breach for the eleventh year in a row, with an average cost of $9.23 million in 2021. By not investing in critical infrastructure to secure sensitive information, healthcare organizations leave themselves exposed to a variety of new and emerging cybersecurity threats.
How can we improve cybersecurity in the healthcare sector?
Fortunately, healthcare organizations can promote cybersecurity and mitigate the risk of data breaches, but only when executive leaders instill a patient safety-focused culture of cybersecurity. When staff members view themselves as proactive defenders of patients and their data, organizations can have a tremendous impact on thwarting potential hackers and data breaches. These health systems become high reliability organizations, increasing their ability to successfully avoid catastrophe despite a high level of operational risk and complexity. They set themselves apart from others by delivering high-quality, safe patient care over time. They know that cybersecurity risks are everywhere, but they view the risks as challenges that they must overcome. Their providers and staff collectively adopt a mindset that succumbing to or ignoring the risks is simply not an option. And a key component of such a patient safety-focused culture of cybersecurity is ongoing staff training.
In addition to ensuring your IT department uses a firewall and installs and maintains antivirus software, this guide from HHS suggests steps that any healthcare software user in your organization can take to strengthen cybersecurity:
- Protect mobile devices
- Maintain good computer habits
- Use strong passwords and change them regularly
- Adhere to protocols that help ensure role-based access/control
These measures can help organizations focus on cybersecurity in healthcare, thereby elevating their patient safety efforts to a new level.
Another important step is to control physical access to the organization. Facility access management is critical, and software can help. With healthcare industry vendor credentialing software, organizations can easily manage their vendors across the entire health system or within a single facility. This includes determining best practice credentials, policies, and training sessions for each level of access needed. Organizations can leverage built-in background checks and easily account for all vendor activity.
Equally important is healthcare visitor management software that enables fast visitor check-ins, typically in fewer than 30 seconds, and collects vital information that lets you know who's on-site at a glance, at any time. Organizations can also use this software to flag and deny access to visitors who pose a threat, set passwords for sensitive departments, set visitor number limits on departments, and easily access reports to understand who was in a certain department at a certain time.
Another step is to limit network access, when possible. Focusing on business associates is critical because many data breaches occur through external third parties. Organizations must establish a comprehensive risk management program that classifies each business associate by level of risk based on the type of data it can access. Organizations should also vet all third parties before granting them access to the data to ensure they follow privacy and security best practices.
Implementing and adhering to all of these steps takes time and resources, which is why it’s important for organizations to ultimately increase their budget for cybersecurity. Having sufficient resources enables healthcare leaders to answer this critical question: What are the top five healthcare industry cybersecurity threats facing my organization, and how can I implement best practices for cyber hygiene?
In the healthcare sector, patient safety is directly tied to cybersecurity. Healthcare organizations that take the time and invest the resources in preventing cyberattacks simultaneously improve the quality of care that patients receive. It’s all about mitigating risk for data breaches that can compromise sensitive information, medical devices, and more. Cybersecurity must be a priority for all healthcare organizations, particularly during an age of digital health information, telehealth, and patient-generated data.