Technology has sparked incredible advances in healthcare — but it hasn’t done so without risk. Cybersecurity has long been a hot-button issue for the healthcare sector. For many provider organizations, a major security breach constitutes a worst-case scenario, posing a significant threat to operations, patient trust, and confidential information alike.
Moreover, those in the healthcare sector have seen this threat manifest in real and dangerous ways. Consider the hack on Hollywood Presbyterian Medical Center in 2016; for over a week, hackers held the hospital’s internal computer system hostage while demanding a ransom of 9,000 bitcoin ($3.7 million). The hack stymied all digital operations, forcing the facility to divert 911 patients to other hospitals and use paper registration and medical records. In the end, the hospital paid $17,000 in bitcoin to buy the release of their online systems.
Not all hacks are as dramatic, but all are damaging. According to a 2017 study from Accenture, a full 26% of U.S. consumers have had their personal medical information stolen from a digital system. Researchers further reported that half of those impacted by a breach have become victims of medical identity theft and were made to pay an average of $2,500 in out-of-pocket costs per instance.
While few Hollywood-scale disasters have occurred since 2016, the problem of security breaches and data theft is getting worse. One recent HIMSS report found that 82% of surveyed care organizations had seen a “significant security incident” in 2018. That same year, the healthcare sector experienced 503 breaches and reported 15 million patient records as compromised. This number is three times the amount stated in 2017 — and indicates a troubling upward trend. Analysts anticipate as many as 25 million patient records to be compromised by the end of 2019.
While hospital breaches garner the most press, hacks are not exclusive to large facilities. Accenture notes that while 36% of reported breaches occurred in hospitals, urgent-care clinics (22%), pharmacies (22%), physician offices (21%), and health insurers (21%) also struggled to combat malicious hacks.
If recent research tells us anything, it would be that the issue of hacking isn’t going away — and that healthcare organizations need to be prepared when bad actors attempt to push past their digital doors.
As Sean Curran, senior director of West Monroe Partners’ security and infrastructure practice, recently commented for Health IT Security: “Organizations need to accept that it’s going to happen and focus their attention on how to recover, how to minimize [the damage], and get back up and running as fast as possible: that’s the mindset of what’s more important to customer.”
Many are already putting similar approaches into action. The above report from HIMSS found that 72% of respondents adopted new security measures or improved their existing ones after undergoing a security risk assessment. Another 69% wrote, revised, or tested their policies and procedures, and 68% replaced or upgraded their security solutions.
This proactive work is promising — but there are still steps that those in the healthcare sector need to take to bolster their security.
“Treat Cybersecurity risk in the same way you treat Patient Safety,” Cylera Chief Security Strategist Richard Staynings told Healthcare IT News, “because the two are inextricably linked in today’s connected digital healthcare environment. Many hospital CEOs, Boards of Directors, and Ministers of Health haven’t realized this yet.”
As we move into 2020, healthcare organizations need to allocate more resources, create more protocols, and conduct more training for cybersecurity. It is not enough to complacently comply with security mandates; instead, we have to proactively move beyond them. Bad actors will always attempt to break down healthcare’s digital doors — it is our responsibility to ensure that our defenses are strong enough to protect our patients, facilities, and providers from their abuses.