
Cyberattacks, ransomware still a growing threat for medical practices

MGMA Stat - February 16, 2022



Chris Harrop
Cybersecurity attacks are the top tech threat in healthcare, according to an ECRI Institute report, and they don’t seem to be letting up any time soon.

More than 700 healthcare organizations reported a breach of more than 500 patient records to the Department of Health & Human Services (HHS) Office for Civil Rights in 2021, and providers made up 72% of those breaches, according to a report by Fortified Health Security.

Those breaches resulted in a record amount of patient protected health information (PHI) being exposed: 44.91 million individuals were impacted by breaches reported in 2021, up from 34 million in 2020 and 42.37 million in 2019, as noted in Critical Insights’ analysis of the breach data.

A Feb. 15, 2022, MGMA Stat poll found that 16% of medical practices encountered a cyberattack or ransomware in 2021. The poll had 828 applicable responses.

Recent findings from the 2021 HIMSS Healthcare Cybersecurity Report point to aging computing platforms and lack of investment in security as areas where cyberattacks — typically with financial information as a main target — will develop in the near future, in addition to significant ongoing security threats from phishing and ransomware.

A report from cybersecurity company Cynerio suggests more than half of internet-connected devices in hospitals — including infusion pumps, patient monitors and ultrasounds — could have vulnerabilities. Specifically, almost three in four (73%) IV pumps — the most common internet-of-things (IoT) device in healthcare — have a vulnerability that could be exploited by a cyberattacker.

Healthcare organizations also should be vigilant around platform vulnerabilities as vendors offer patches/updates for platforms or discontinue support for certain software altogether. As noted in a Jan. 20 HHS Cybersecurity Program presentation, vulnerabilities in Log4j — a Java-based logging library used for collecting and storing events and messages in numerous applications — were discovered in November 2021. While updates are available, healthcare and other industries remain “highly vulnerable” because finding every copy of the library and updating it can be very time-consuming and tedious.
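The vigilance the passage calls for starts with knowing where a vulnerable library actually lives, which is the tedious part: a logging library ships as a jar that can sit on its own, be bundled inside a war/ear file, or have its classes inlined into a fat jar. The script below is an added example, not code from the MGMA article or from any vendor it cites. It walks a directory tree, finds Log4j core copies in all three forms, reads the version from the manifest or file name, and flags copies below a minimum patched version. The minimum version, the directory layout and the version numbers in the sample tree are constructed placeholders; the real minimum comes from the vendor advisory for the release line in use.

```python
"""Inventory Log4j core jars under a directory tree and flag stale copies.

Added example; all paths and versions below are constructed for the demo.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# PLACEHOLDER ASSUMPTION: replace with the minimum patched version from the
# vendor advisory for the Log4j release line you run.
MIN_SAFE_VERSION = (2, 9, 9)

CORE_PREFIX = "org/apache/logging/log4j/core/"  # class path inside log4j-core
NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def version_from_name(filename):
    """Parse X.Y.Z out of a log4j-core-X.Y.Z.jar file name, else None."""
    m = NAME_RE.match(filename)
    return tuple(int(g) for g in m.groups()) if m else None


def version_from_manifest(zf):
    """Parse Implementation-Version from META-INF/MANIFEST.MF, else None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    # Heuristic: only trust the manifest when it describes Log4j itself; a fat
    # jar's manifest carries the application's version, not the bundled library's.
    if "log4j" not in fields.get("Implementation-Title", "").lower():
        return None
    try:
        return tuple(int(p) for p in fields.get("Implementation-Version", "").split(".")[:3])
    except ValueError:
        return None


def scan_archive(path, label):
    """Yield (location, version-or-None) for each Log4j core found in one archive."""
    try:
        zf = zipfile.ZipFile(path)
    except (zipfile.BadZipFile, OSError):
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            # The archive itself contains log4j-core classes (library jar or fat jar).
            yield label, version_from_manifest(zf) or version_from_name(path.name)
        for n in names:
            # log4j-core bundled as a nested jar, e.g. WEB-INF/lib/ inside a war.
            v = version_from_name(n.rsplit("/", 1)[-1])
            if v is not None:
                yield f"{label}!/{n}", v


def audit(root, min_safe=MIN_SAFE_VERSION):
    """Return {location: (version, status)} for every Log4j core under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in (".jar", ".war", ".ear"):
            for loc, version in scan_archive(path, path.relative_to(root).as_posix()):
                if version is None:
                    status = "UNKNOWN"       # classes present, version not determinable
                elif version < min_safe:
                    status = "NEEDS_UPDATE"
                else:
                    status = "OK"
                findings[loc] = (version, status)
    return findings


def _write_jar(path, names, manifest=None):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if manifest is not None:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
        for n in names:
            zf.writestr(n, b"")


def build_sample_tree(root):
    """Constructed fixtures: every path and version here is made up for the demo."""
    root = Path(root)
    core = [CORE_PREFIX + "Logger.class"]
    log4j_manifest = "Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\nImplementation-Version: {}\n"
    _write_jar(root / "app1/lib/log4j-core-2.3.0.jar", core, log4j_manifest.format("2.3.0"))
    _write_jar(root / "app2/lib/log4j-core-2.12.0.jar", core, log4j_manifest.format("2.12.0"))
    _write_jar(root / "app3/portal.war", ["WEB-INF/lib/log4j-core-2.3.0.jar"])
    _write_jar(root / "app4/service-all.jar", core + ["com/example/Main.class"],
               "Manifest-Version: 1.0\nImplementation-Title: service\nImplementation-Version: 1.0.0\n")
    _write_jar(root / "app5/commons-io.jar", ["org/apache/commons/io/IOUtils.class"])
    return root


def run_demo():
    """Build the sample tree, audit it, print a report, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit(build_sample_tree(tmp))
        for loc, (version, status) in sorted(findings.items()):
            print(f"{status:<12} {loc} {version}")
        return findings


if __name__ == "__main__":
    run_demo()
```

Point `audit()` at an application root and treat every NEEDS_UPDATE and UNKNOWN entry as work: the UNKNOWN case is the fat jar whose manifest describes the application rather than the library, which is exactly the copy a file-name search would miss.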

Keys to stopping major cyberattacks in your practice

Lee Holmes, MHA/MBA, FACHE, FACMPE, chief executive officer, Intensive Specialty Hospital, joined the MGMA Insights podcast last year to explain what practices can do to improve preparedness, enhance defensive positioning and mitigate financial risk.

“Most people don't fully understand the threat they're facing,” Holmes said, but major attacks — such as the May 1, 2021, attack against San Diego-based Scripps Health, which cost the organization almost $113 million in lost revenue through June — make the reality painfully clear to others. “If an organization with the resources and the complexity and the capability of Scripps can be taken down, anybody in the country can be taken down.”

The majority of cyberattacks are formulated by organized crime operations, often from outside the United States and even sometimes by adversarial nation-states (e.g., North Korea, Russia) in “a structured approach to weaken the United States,” Holmes explained.

While attempts to obtain financial information, such as credit card numbers, have prompted sophisticated methods of detecting fraudulent activity in the banking and financial industries, the window of opportunity to misuse a stolen credit card number is usually brief. However, the spectrum of information at risk within healthcare provider organizations is much broader and not as easy to curtail as a single credit card number: patients’ names, relatives, addresses, dates of birth and other identifiers can give attackers access to a person’s entire identity. “Our data essentially has an unlimited shelf life,” Holmes added, as such information can be sold for 20 or 30 times more than data stolen from a retail merchant.

It's also important for practice leaders to understand that bigger targets assuredly get more attention from would-be cyberattackers, and that many organized attackers begin with a minimum financial goal.

When Holmes’ organization was attacked in 2020, the average cyberattack cost for a small business was $25,000 to $30,000, but the attackers knew this was a larger organization. “They weren’t even willing to talk to us about any number smaller than $100,000,” Holmes said, eventually quoting a $200,000 ransom.

“The ransom, if you choose to pay it, is the beginning of your financial expenses,” said Holmes, who noted that about 20% of incidents in which ransom is paid don’t result in full restoration of data. When computer systems go down and that interferes with order entry, it’s likely you can lose anywhere from 50% to 100% of daily revenue, depending on how well your downtime procedures allow you to operate without computers.

The real question of how costly an attack will be depends on how far it goes. Losing access to just an EHR can be costly in its own right, but penetrating other servers to take down your internet access or email can prevent care in areas such as imaging or pathology, where all the clinical systems are computerized.

On top of all those areas for potential lost revenue and expenses to restore your systems and data are the costs of compliance. [HIPAA-covered entities have until March 1 to report breaches of unsecured PHI from 2021 that involve fewer than 500 individuals. Visit for more information on submitting notice of a breach.]

When there is a presumed breach, covered entities are required to notify every affected individual by first-class mail. “Just the cost of mailing your patients, depending on the size of your organization, becomes costly,” Holmes said. “My database had 350,000 patients in it — multiply 350,000 patients times the cost of printing letters and first-class postage, and it ends up being almost $1 per patient.”

Preparation and projecting confidence

Holmes said developing preparedness for incidents such as cyberattacks is needed throughout the organization. When he worked at what is now Baylor Scott & White Health, the Level I trauma center in Central Texas had major incident response drills every six months. “That lends a lot of ability to fall back on muscle memory and be able to remain focused and productive and an effective leader in a time of crisis,” Holmes said. “Part of that preparation is practicing what you've prepared for — so that when it hits … you're ready to fall back on what you've practiced.”

In addition to that preparedness, Holmes also approaches a crisis with “a philosophy of hope and confidence” in his abilities and those of his team. Holmes said he makes a point of reiterating the idea that there’s nothing the team can’t overcome, to be “the voice of calm” and help give self-confidence to younger team members who may not have the same background.

“If you've hired the right people, and you're training them, and you've given them the right tools, then you will be prepared,” he added. “If you're panicking, if you're approaching it [as] doom and gloom, that definitely will affect people negatively. And it will impact your ability to successfully overcome whatever challenge you're dealing with.”

Holmes noted that he sees practice leaders playing a proactive role in bringing in the right expertise to “instill improvement” in the organization, such as an IT vendor that will do a full risk assessment and identify weaknesses in hardware and software to be improved.


About the Author

Chris Harrop
Senior Editorial Manager, MGMA

A veteran journalist, Chris Harrop serves as editor of MGMA Connection magazine and MGMA Insights newsletter and oversees several other publications across MGMA.
