A baby was born with complications in 2019 at a hospital in Mobile, Alabama while the hospital was under a ransomware attack, and later died. Clinicians were unable to access electronic health records and patient monitoring systems during the attack, and this may have contributed to the death.
The costs of cybersecurity incidents, including ransomware, are well documented: EHR downtime, delayed treatments, investigation costs and loss of reputation. So far, though, reports of fatalities are rare. That may be changing as ransomware intensifies. A study released in 2019 anticipated rising fatalities caused by cybersecurity attacks, and we may now be seeing those predictions come true.
A medical malpractice lawsuit has been filed alleging that the Alabama hospital’s inability to access critical fetal monitoring data during the attack amounted to malpractice. The child’s family believes the hospital was negligent because it did not have stronger defenses against cybercrime. Whether that is true, and whether the death was caused by the systems being down, will need to be proven in court.
Regardless of the final outcome, this is a wake-up call for healthcare providers to do more when it comes to cybersecurity.
Medical Care is Critical Infrastructure
Cybersecurity in healthcare is reaching crisis levels. Even before the pandemic, criminal hacking, medical identity theft and ransomware were on the rise, but all of it got worse as healthcare organizations strained under the pandemic.
Last month the Cybersecurity and Infrastructure Security Agency (CISA) issued a new report outlining the risks facing healthcare, with guidance and support to help increase cyber preparedness and resilience.
The report states:
Although there are no deaths directly attributed to hospital cyberattacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths.
Note, this was written before the allegation in the Alabama case described above.
Other experts also believe that patient outcomes are negatively affected by cybersecurity incidents. A recent study from the research firm Ponemon Institute and Censinet, an IT risk management firm, found that 22% of respondents (all IT and security professionals at healthcare organizations that had experienced ransomware attacks) believe the incidents resulted in an increase in patient mortality.
HIPAA is a Blueprint for Defense Against Ransomware
The HIPAA Security Rule contains all the right requirements to help healthcare providers strengthen their defenses.
Strengthening cybersecurity does not have to be expensive or complicated. A good HIPAA Risk Analysis – Risk Management plan will uncover the risks, threats and vulnerabilities an organization has, and will provide a roadmap with action steps to reduce those risks.
The Security Rule Checklist in The HIPAA E-Tool® contains every requirement addressing the standards and specifications from the Security Rule. Some call it a security risk assessment. It’s not complicated, but it is essential to address each requirement and create a plan to manage the risks uncovered.
Beyond that, the basics are:
- Follow the fundamentals, like least-privilege access controls, password management and multi-factor authentication
- Train workforce to follow security policies and procedures
- Be alert for phishing and spear phishing
- Update and patch systems
- Dispose of unused or legacy systems
- Document and follow your HIPAA Risk Management plan
Strong HIPAA compliance is essential for quality healthcare. If you need help, or are curious whether you have done enough, let us answer your questions. It could mean life or death.