The headlines are scary about a lot of things these days—and now we can add cybersecurity to the list, especially when it comes to healthcare.
We’ve all heard the reports: “Ransomware attacks on the rise!” and “Healthcare organizations under siege!” Unfortunately, it’s not fake news.
Healthcare providers have enormous cause for concern—for the security of their systems, for the privacy and safety of their patients, and for their liability. The expansion of telehealth during the pandemic and beyond increases vulnerabilities as healthcare delivery and technology become increasingly intertwined, and as visits take place outside clinic walls.
However, there are some practical steps providers can take to protect themselves from cyber-attacks and their repercussions.
According to a recent report from the Ponemon Institute, 67 percent of healthcare organizations have experienced ransomware attacks, and a third of those say they’ve had two or more. (The Ponemon Institute, a research center focused on data protection, surveyed IT professionals at nearly 600 healthcare organizations—including health systems, physician groups, and payers—that provide clinical care and rely on third-party security contractors.)
The problem is escalating. The healthcare sector accounted for 79 percent of all reported data breaches in 2020, with the rate of attacks ramping up significantly into 2021. That’s more than twice the rate seen in other industries, according to reports from Check Point and Fortified Health Security.
Last year, healthcare data breaches were caused primarily by hacking and IT incidents, which accounted for 69 percent of all breaches. Unauthorized access was the second top cause, representing 20 percent of breaches. Network server attacks were also on the rise.
Why are attackers targeting healthcare more than other sectors? For starters, healthcare organizations hold a treasure trove of sensitive, valuable information. Second, healthcare organizations have been upended by COVID on many fronts—increased patient-care demands, staffing challenges, shifts to remote work, and finally, new telehealth systems—and attackers are trying to take advantage of the disruptions. Third, attackers believe healthcare providers are more likely to pay ransom demands because lives are at stake.
Ransomware attacks do more than breach systems and hold data hostage—they actually impact patient care and increase mortality rates, according to the Ponemon Institute report. The same report found that following ransomware attacks, nearly a quarter of healthcare providers reported increased mortality rates, and more than 70 percent of providers reported longer stays or procedural delays that led to poor outcomes. More than half of organizations also reported an increase in patient transfers, and more than a third reported increased complications from medical procedures.
They’re also expensive. Ransomware attacks cost healthcare organizations $20.8 billion in downtime in 2020, double the amount they cost in 2019, according to a Comparitech report. An IBM report found that data breaches in the healthcare industry cost an average of $9.23 million each.
While expanding telehealth is part of the disruptive change that hackers thrive on, most attacks haven’t been specific to telehealth, says Joe Gellatly, CEO and cofounder of Medcurity. Most telehealth is delivered through third-party vendors, which are technology companies that should have greater expertise in cybersecurity.
Telehealth does create potential risk, Gellatly cautions, with care being delivered online, anywhere, on unsecured devices. The risk, though—at least on the patient-interaction level—is primarily the vendor’s. “Patient devices aren’t gaining any access to protected health information on your network,” Gellatly says. But it’s important for providers to protect themselves from liability caused by breaches at this level through Business Associate Agreements.
Medcurity is a cloud-based tool that helps providers meet the security and privacy rules of HIPAA (the Health Insurance Portability and Accountability Act). The company guides clinics and hospitals and their business associates through their annual HIPAA Security Risk Analysis, with recommended remedial actions and action-item tracking via dashboards. The Medcurity platform also provides customizable policies and procedures, as well as Business Associate Agreement management through electronic signature.
The federal government waived enforcement of HIPAA penalties for good-faith use of telehealth during the nationwide COVID-19 public health emergency. But this grace period, which is renewed every 90 days (and was last renewed July 20, 2021), will eventually come to an end—likely soon—and then telehealth offerings must be HIPAA-compliant or face penalties.
The risk to the provider isn’t so much in the patient-vendor connection, but rather in the vendor-provider connection. According to the Ponemon Institute report, less than half of respondents completed a risk assessment of their third-party security vendor before contracting with them. Healthcare providers need to ensure that they secure their internal networks from third-party vendors by making sure those vendors have been risk-assessed—using a tool such as Medcurity—as thoroughly as the provider’s own internal network.
“The vendor is where your risk starts, so make sure you’re working with a great vendor,” Gellatly says. “If you rushed into an arrangement to accommodate telehealth, now is the time to go back and evaluate. Remember, there’s more than liability risk—there’s also risk to your reputation. Your patient doesn’t have a relationship with your vendor—your patient has a relationship with you.”