Healthcare organizations have become a prime target for malicious cyberattacks, which have surged in recent years and only show signs of increasing. The motivations behind these attacks range from extortion to espionage and even cyber warfare. While government officials, technology professionals, and security officers have sounded the alarm for years, dire warnings are increasingly coming from organizations like the Joint Commission, ECRI, and the FBI, which in 2022 ranked the healthcare sector No. 1 out of 16 critical infrastructure sectors for ransomware attacks.
Cyberattacks impact clinics, large health systems, rural hospitals, insurers, and third-party vendors. Vulnerabilities run the gamut. Security of medical devices and ransomware top the list of concerns for healthcare IT security professionals, according to a Ponemon Institute survey. In fact, 41% of respondents said their organization averaged three or more ransomware attacks in the past two years. That is consistent with data we are seeing elsewhere across the industry, including a JAMA Network study showing that the annual number of ransomware attacks on US healthcare providers more than doubled over a five-year period.
The threat landscape cuts across patient data and privacy, operations, medical research, and more. Below are three real-world examples spotlighting the crippling impact of cyberattacks. Critically, we lay out three actions organizations can take now to improve their cyber hygiene.
Compromising patient data and privacy
Healthcare providers store vast amounts of sensitive patient data. This data is often shared through interconnected and interoperable systems across a wide spectrum of third-party vendors, with co-mingled technology that is old and new. Given all this, the vulnerability aperture or attack space is growing exponentially. A successful cyberattack can lead to data theft, exposing patients to identity theft, financial fraud, and even blackmail. For a healthcare organization, the financial impact alone of a breach can be immense. The average cost of a healthcare data breach hit $11 million in 2023, a 53% increase from 2020. Moreover, the loss of trust resulting from such breaches can discourage patients from seeking medical attention, thereby endangering their health.
Disrupting operations, both clinical and administrative
With the advent of more interoperable capabilities and Internet of Things devices, healthcare facilities rely heavily on digital systems for workforce planning, appointment scheduling, end-to-end patient care, recordkeeping, and medical equipment management. Cyberattacks targeting these systems and the associated data can disrupt normal operations, leading to delayed treatments, canceled surgeries, and a general breakdown in the delivery of healthcare services. These incidents serve as stark reminders of how vulnerable health services in the real world are to cyber threats.
Stifling medical research and innovation
Healthcare organizations contribute significantly to medical research and innovation. Cyberattacks targeting research institutions can result in the theft, destruction, or tampering of valuable research data, potentially setting back advancements in medical science. This not only affects the current state of healthcare but also impedes the development of future treatments and therapies.
In recent years, cyber espionage campaigns have targeted pharmaceutical companies and medical research institutions. They aim to steal intellectual property related to drugs, including vaccines — with a notable spike during the pandemic — and medical technologies. The US Department of Justice in 2020 indicted two prolific hackers for allegedly infiltrating the computer systems at hundreds of organizations over several years and making off with terabytes of data worth hundreds of millions of dollars. Among the targets were medical device makers, biotech firms, and pharmaceutical companies. The theft of such vital information not only hampers progress but also threatens public health, especially during global health crises.
Time to take action
The seriousness of cyberattacks on health services cannot be ignored. From an organization’s own technology, through its staff, to third parties, preparedness is multi-layered, with each layer potentially having holes or vulnerabilities. Just 17% of healthcare delivery organizations update software on a regular basis and only 20% educate employees about ransomware risks, according to a recent Ponemon Institute survey. Additionally, there was a 7% drop in the number of healthcare delivery organizations that budgeted for third-party risk management.
Executives and boards must ask one major question: How vulnerable is their organization?
We’ve outlined three practical actions healthcare organizations can take today to assess their risk:
1. Conduct comprehensive exams
Healthcare organizations should conduct a preventative, comprehensive cyber exam at least annually. Such an assessment includes identifying potential weaknesses across applications, networks, and systems. The assessment should especially extend to the full workforce, gauging their level of cybersecurity awareness and training since so many attacks start with social engineering methods such as phishing.
As a result of a comprehensive assessment, organizations will be able to surface insufficient or incomplete deployment of essential defenses or incident response abilities. An assessment may unearth areas of deficiency, all too common, in multi-factor authentication, encryption, access privileges, email filtering, and offline backups, among others. Equipped with that knowledge, leaders can direct finite resources to shoring up the most likely routes of an attack. That said, vulnerabilities that they cannot easily address will remain. Conveying lingering risks related to HIPAA violations and other applicable regulations to the legal department is an important step, and organizations should consider insurance.
2. Practice the emergency response plan
Once a comprehensive assessment is done, organizations should strategically prepare their response to defend against an attack and minimize the potential damage should one occur. This involves establishing or updating a cyber incident response plan that clearly commits responsibilities to specific individuals or teams before, during, and after an incident. Organizations must have clear communication protocols both to notify and engage stakeholders, including clinical staff, non-clinical staff, leadership, and legal authorities.
But planning isn’t enough — organizations must practice. They should run a simulation that sufficiently emulates the effects of the attack on patient care, staff productivity, and hospital operations. For example, providers must test the ability of staff to isolate the propagation of malware, shut down devices that cannot be disconnected, operate with downtime procedures, appropriately prioritize recovery according to agreed-upon criticality, and communicate relevant information in a timely fashion throughout. Afterward, exercise leaders should consolidate findings into a report that will be used to improve the organization’s posture, preparedness, and responsiveness. Such a thorough exercise will bring a healthcare provider much closer to cyber readiness and resiliency, akin to the muscle memory that makes running a high-energy emergency room second nature.
3. Secure backdoors by vetting third parties and apps
As healthcare providers increase collaboration with and reliance upon multiple digital tech solutions, interoperability is a must, as is addressing the critical vulnerabilities created by such connectivity. Every interface a healthcare provider shares with another entity creates a potential inroad to even the most secure digital environments. Providers must vet the maturity of each partner or vendor’s digital environment to mitigate risk to their own patients and workforce.
When evaluating healthcare partners and technology vendors, providers should add requirements for cyber-risk management to their due diligence – ensuring third parties know their posture and preparedness. Providers should insist that their third-party partners complete regular comprehensive exams just like they now do, that vendors routinely update their products with the latest security patches, and that all third parties report incidents and breaches as soon as possible. Providers can use the contract as an opportunity to clarify in advance the liability for any breach that does happen. Then, when onboarding and working with new partners and vendors, providers can ensure data is appropriately limited to the necessary use and that controls are distributed rather than monopolized. Protecting a healthcare provider’s data and IT systems — and therefore the lives and well-being of its patients and care teams — must be the work of both the provider and its upstream and downstream partners.
Health and Human Services recently released public tools for healthcare organizations to leverage. We urge leaders to take advantage of these tools and reach out with any questions about where to get started.
Supporting research by Scott Bartley, Research Analyst, Oliver Wyman