Cyber attacks on hospitals, clinics, and private practices are surging as the healthcare sector continues to grapple with the global COVID-19 pandemic.
Prior to the pandemic, IT professionals in healthcare were already struggling to stay on top of growing cyber attacks, with 96% reporting it was a struggle to keep pace with evolving threats. In fact, 83% of US physicians had experienced a cyber attack well before the pandemic began.
The pandemic brought with it new opportunities for attack and introduced new vulnerabilities as more organizations adopted remote work policies out of concern for health and safety.
In the face of these growing threats, it’s critical for the healthcare industry to stay informed about the cyber risks that could impact them so they can ensure they’re protected.
Here are the top five healthcare cyber security concerns to be aware of in 2021 and beyond.
1. Health records are extremely valuable to hackers
Private patient information and data sell for a steep price on the dark web. One report found that, on average, a single protected health information (PHI) record can sell for as much as $250 — and considering the average practice has over 10,000 PHIs, that means big money for a cyber criminal.
But medical records aren’t the only prize at hand.
Research hospitals may hold intellectual property (IP) that’s highly valued by state-sponsored hackers, cyber criminals backed by foreign governments. Alternatively, this type of sensitive data could be extremely useful for a criminal looking to stage a ransomware attack. Once encrypted, hackers could use this data as leverage to extort a higher ransom payout from a victim organization.
That said, healthcare organizations also hold a wide variety of personally identifiable information (PII) for their patients, including full names, addresses, social security numbers, financial details, and more. Attackers could use this data to commit identity theft or insurance fraud, causing serious harm to patients and their families.
Because any downtime could lead to a life-or-death situation, healthcare organizations are more inclined to meet ransom demands and cooperate with hackers in an effort to protect patient health.
2. Cyber attacks have devastating financial impacts
In May 2021, California-based non-profit healthcare provider Scripps Health was hit with a ransomware attack. Three months later, costs stemming from the attack already totaled $113 million. But only $20 million of that was spent on incident response and recovery — the vast majority of those costs, an estimated $90 million, came from lost revenue.
Recovery costs alone may be overwhelming. Following a successful cyber attack, organizations will want to repair or replace affected IT infrastructure to ensure attackers can’t exploit the same vulnerabilities. This could prove extremely difficult for smaller practices that don’t have access to the same resources as larger organizations.
The expenses stemming from the Scripps Health attack may be shocking, but they’re nonetheless in line with industry trends. On average, healthcare data breaches cost organizations $9.42 million, regardless of size.
- Between $250 and $985,000 for business email compromise (BEC)
- Between $148 and $1,600,000 for a data breach
- Between $70 and $1,200,000 for a ransomware attack
Put simply, a single security incident can have a significant effect on an organization.
3. Healthcare organizations are heavily regulated
Because they manage such a variety of confidential data, healthcare organizations must adhere to a number of cyber security and privacy regulations and controls.
Some of the more common regulations affecting the healthcare sector include:
- The General Data Privacy Regulation (GDPR)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
These regulations work to protect individual privacy, and as such, a data breach could lead to regulatory enforcement or legal action.
For example, in the United Kingdom, healthcare institutions are subject to a national process that evaluates their cyber readiness, offering support and resources to get them up to speed and improve their resiliency. Organizations that have not kept pace with national standards could face severe penalties and legal consequences.
4. Cyber incidents can increase legal risk
In addition to regulatory enforcement, healthcare organizations could face greater legal risk if patient data is compromised in a cyber attack.
On top of their already significant financial losses, Scripps Health is also facing several class-action lawsuits citing “negligence in safeguarding” patient medical records. One plaintiff is demanding the healthcare provider pay $1,000 per violation alongside additional punitive damages.
These suits are simply the latest in a string of patient data breach lawsuits. In 2020 alone, there were 13 high-profile lawsuits filed against US-based healthcare organizations that allegedly mishandled sensitive patient data.
5. A cyber attack inevitably leads to reputation damage
Many healthcare organizations remain reluctant to openly disclose news of an incident or attack despite regulations requiring them to do so. It’s understandable — no matter how diligent your defence, an attack can severely damage your reputation.
Even the most careful and dedicated organizations may face skeptical clients following a hack. This could cause valuable patients to look to other private clinics and practices for their needs, and it also makes it harder for affected practices to attract new clients.
Unfortunately, cyber attacks continue to be seen as an IT concern, but given that a recent attack forced a patient’s ambulance to redirect to another clinic, it’s clear that cyber security should be a major concern for patient health as well.
These cyber threats can have major effects for healthcare organizations, no matter their size and experience. No medical provider flies under the radar of a hacker.
How to improve cyber security and minimize risk
It’s more important than ever that these institutions take a proactive approach to their cyber security, actively working to find and eliminate potential cyber threats. With a view of your organization’s entire IT environment, you can better protect your patients, staff, and sensitive data.
But this is easier said than done — you need the right tools and skills to understand and prioritize the cyber threats you face.
That’s where we come in.
With Field Effect’s Covalence, you get a complete cyber security solution. Purpose-built for small and mid-size businesses, Covalence allows you to identify threats across your full infrastructure, plus gain a team of experts offering 24/7 support.