The latest April headline announced that 200,000 individuals’ data was stolen from CareFirst BlueCross in the District of Columbia (formerly Total Health Care). Every week over the past several years though, the headlines have been eerily similar, as hundreds of healthcare organizations suffered data breaches. The causes include cyberattacks from the outside and insider theft (and error). While paper records are still lost and stolen, the vast troves of data lost in healthcare breaches today are mostly in electronic form.
Even though the news is bleak, there are things one can do to tighten security and prevent data breaches. Too many breaches have occurred because basic measures weren’t in place, unpatched software was still operating, or the workforce hadn’t received cybersecurity awareness training. In healthcare, HIPAA requires that these risks be identified and managed. With care and planning, the worst outcomes are not inevitable.
Cybersecurity Risks are Everywhere
No industry is safe from cybercrime. A year ago, in March 2020, the U.S. Department of Health and Human Services (HHS) website was hacked – a nation state attacker is suspected, and it may have been an effort to slow the pandemic response or spread public misinformation – the hack was thwarted before damage spread. Financial services, education, manufacturing, government and entertainment, among others, all face cybersecurity risks. Organizations of all sizes are targeted – bigger does not equal safer, and smaller does not equal less visible, to internet criminals.
The Pandemic is a Double Whammy
We wrote about the rise in ransomware during COVID-19 last summer. Attackers exploited vulnerabilities that opened up during the pandemic, like people working from home on less secure networks, or healthcare staff trying to purchase scarce supplies. Criminals used fear tactics to pressure email recipients to open links, or provide credentials.
In October 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and HHS warned of “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
The COVID-19 crisis has had a devastating impact on the financial health of hospitals and health systems, especially smaller or financially weaker ones, according to the American Hospital Association (AHA). Last year the hospital sector in the U.S. lost $323 billion in revenue, and the AHA predicts losses of up to $122 billion this year. Many smaller hospitals are facing bankruptcy. Healthcare institutions of all sizes, already stretched thin from providing care to COVID patients, struggle to manage cybersecurity response.
Healthcare Data Breaches are Rising and Getting More Expensive
Experts who study breaches confirm that 2020 was a bad year. Hacking incidents in healthcare were up 42% in 2020 over 2019, according to the 2021 Breach Barometer from Protenus, Inc. in collaboration with DataBreaches.net. In fact, hacking has increased every year for the past five years, and ransomware in particular is rising.
Insider-related incidents also increased in 2020, after a four-year decline since 2016. Over 8.5 million patient records were breached due to insider incidents, some caused by wrongdoing and some by error.
One report estimates that the average cost of a data breach in the healthcare industry is a whopping $7.13 million, the highest cost among the seventeen industries studied, and almost twice the average total cost across industries ($3.86 million). See IBM’s Cost of a Data Breach Report 2020.
Breaches are expensive for lots of reasons. There is the cost of a forensic investigation to determine exactly what happened, what data was stolen and whether it can be recovered. HIPAA requires the breach to be reported to HHS and to the affected patients, and larger breaches must be reported to the media. Legal help may be needed to navigate regulatory requirements under both HIPAA and state law. Crisis management and communications responsibilities ramp up. Business disruption is common and patient care can suffer. Loss of reputation and goodwill is difficult to recover from if the public perceives that security was lax. Finally, if the Office for Civil Rights (OCR) investigates, that takes time and money and could result in fines. Private lawsuits are also more common in the wake of these larger breaches, if patients or a partner organization believe the breach was caused by negligence or breach of contract.
Penny Wise and Pound (Dollar) Foolish
How does a stressed healthcare organization stand up to cybercrime?
HIPAA requires a Risk Analysis to identify threats and risks, and manage them. As the 2021 Breach Barometer report notes:
While the pandemic persists in 2021, the only way the industry will be able to reverse course will be by leveraging cost-effective strategies that quickly identify risky behavior without taking resources away from patient care. Healthcare organizations need to leverage technology that allows organizations to maintain compliance priorities in a resource-constrained environment. Hospitals can’t afford the costs often associated with these incidents, as more than three dozen hospitals have filed bankruptcy over the last several months. Non-compliance is not an option.
The best way to defend against cybersecurity threats is through strong HIPAA compliance. Compliance is affordable. Basic cybersecurity awareness training for staff is affordable. Managing risks in advance of a threat is affordable. Waiting until something bad happens can be very, very expensive.