A study released in early 2022 revealed that 89 percent of healthcare organizations had been the target of a cyberattack in the previous 12 months, and another prominent example of the dangers facing such systems occurred just a few months later, when Chicago-based CommonSpirit Health experienced a ransomware attack, compromising the private information of its patients.
Such attacks highlight concerns for patient confidentiality, and they show the dire need for a strategy to combat the problem.
First, it is important to understand that there are several types of cyberattacks that target healthcare. Ransomware, cloud violations, supply chain interruptions, and business email compromise are a few ways hackers can cause chaos for a medical institution.
If a healthcare organization is crippled by a cyberattack, patients who need immediate care may not be able to get it. When coupled with the global shortage of medical workers, a cyberattack can mean patients will have to wait weeks or months before getting medical attention.
Then there is the financial toll. Each of the organizations participating in the above survey had an average of 43 attacks, and the average cost for each organization was $4.4 million. That included cash outlays, labor, overhead, and lost business opportunities. The high price of cyberattacks is generally due to idle time, system performance delays, and downtime. The result is usually massive disruption to regular healthcare operations, damage to infrastructure, and more.
THE ISSUES AT HAND
Sharing data, though risky, has value for more informed care, better outcomes, and scientific breakthroughs.
Data sharing also helps protect the culture of informed consent. The HIPAA law, instated in 1996, protects the privacy of countless patients in the United States. Each presidential administration has since tweaked these regulations to prevent discrimination.
Despite these positives of data sharing, the public is not clear on the issues that affect them the most. They know the importance of privacy but often wear devices that track their data and send it to mysterious sources. They fill out forms with personal information while being told to keep that information secure.
Financial issues make cybersecurity a low priority for most medical organizations. Surveyed IT professionals working in healthcare showed that just 6% of IT budgets get allocated to cybersecurity.
The challenge is to strike a balance between privacy and openness. What are healthcare organizations doing to help bridge this divide? Not enough.
Increasing cybersecurity for healthcare seems like the obvious solution, but only to a point.
What’s needed most right now:
- Healthcare leadership can address the problem like the retail industry has – with the expectation that cyberattacks and their prevention will be part of everyday life and regular business costs.
- The US needs to catch up with the security standards of other countries.
- Healthcare organizations should be prepared and aware of threats, particularly within their walls. Of those surveyed, only half of the healthcare organizations say they include prevention and response as part of a larger security strategy. Less than half say they’ve documented steps to prevent and respond to attacks. Training on these protocols and employee monitoring is crucial to reducing insider risk.
Given the vulnerabilities of cloud systems in healthcare, it is no surprise the industry is vulnerable to rising cyberattacks. Organizations can defend the healthcare they provide by thinking of cybersecurity as a business investment rather than an unwelcome expense. Only by protecting privacy can American healthcare maintain its bottom line and save lives.