The nation’s medical systems are increasingly being targeted by hackers, cybercriminals and hostile nation states attracted by the wealth of patient information and medical intellectual property stored in hospital and health system information technology databases.
According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the number of data breaches at American health care organizations has increased dramatically, from 199 in all of 2010 to 154 in just the first six months of 2018.
The trend clearly has providers worried. A 2017 survey of health care executives across the country conducted by the Society for Healthcare Strategy & Market Development (SHSMD) of the American Hospital Association found that 83 percent of respondents believe it is at least somewhat likely that a hospital or health system in their area will experience a cyberattack in the next five years involving the theft of patient data from a cloud services provider. Another 52 percent predict that by 2023 there will be a cybersecurity breach in their service area that interferes with critical medical systems and prevents effective delivery of care to at least one patient, according to the survey, which was conducted by SHSMD as part of the development of Futurescan 2018-2023, a highly respected report on health care trends and implications.
What makes the health care field so susceptible to cyber threats?
- Providers collect and maintain databases containing personal health information, personally identifiable information, payment information and intellectual property related to medical research and innovation. These data sets individually are extremely valuable. When combined, as they are in the health care field, the data becomes exponentially valuable to cyber thieves, including sophisticated international criminal organizations and nation states.
- Some hospitals and health systems use legacy technology systems, products and medical devices that are not well protected, accounted for, or encrypted.
- Many organizations lack the resources and expertise to implement efficient and effective cybersecurity safeguards.
- The use of a wide variety of internet-connected devices by clinical and non-clinical staff puts confidential data at risk.
The SHSMD survey, conducted in collaboration with the American College of Healthcare Executives, shows health care leaders are aware of the growing threat and taking action. Seventy-two percent indicated that over the next five years they are very likely to increase their investment in advanced cybersecurity defense technology capable of detecting and preventing attacks without human intervention. An additional 23 percent said they are somewhat likely to do so.
Stricter government regulations are also driving health care organizations to improve defenses against cyber threats. The OCR, Food and Drug Administration, and Department of Justice are increasing their oversight and enforcement actions related to cybersecurity and holding providers to greater levels of accountability.
To be prepared for the growing threat of cyberattacks now and in the future, hospital and health system executives should develop a plan consisting of the following key elements:
- Creation of a top-down culture of cybersecurity through the implementation of an organization-wide training program based on employees’ roles and responsibilities and industry best practices.
- Development of systems and processes to identify and address vulnerabilities, such as conducting frequent scans and penetration tests combined with an effective patch management program. If an organization lacks the internal resources and capabilities to implement these safeguards, an alternate option is to hire a reputable cybersecurity firm specializing in health care. According to the Futurescan survey, 70 percent of health care leaders say they are at least somewhat likely to take this step in the next five years.
- Acquisition of effective threat monitoring and analytics tools to quickly detect an attack. When breaches do occur, time is of the essence to prevent widespread data loss and network disruption. Providers also need pre-arranged investigative and digital forensic capabilities to assess and understand what went wrong, and contain and remediate the damage.
- Creation of a multidisciplinary incident response team composed of senior managers and staff assigned specific roles to address the information technology, clinical, operational, financial and other impacts of a cyberattack.
- Formulation of a crisis communications plan to guide internal and external communications when a breach occurs.
- Implementation of a cyber insurance coverage review to ensure there is adequate:
  - Identification of digital assets.
  - Coverage for full breach remediation costs.
  - Coverage for losses related to a disruption to continuity of operations.
  - Victim notification.
  - Legal and regulatory exposure.
These are among the many possible components of cyber insurance, which may require hiring outside expertise to fully evaluate. The Futurescan survey indicates that 81 percent of respondents are at least somewhat likely to purchase additional insurance for this purpose by 2023.
In today’s heightened cyber threat environment, it is imperative that providers proactively take steps to increase cybersecurity. The magnitude and severity of the threat requires constant vigilance by hospital and health system leaders to protect their organizations—and, much more importantly, the safety and care of their patients.
For more information about the AHA cybersecurity resources and services available to members, visit www.aha.org/cybersecurity.
This article was written by John Riggi, the AHA’s senior advisor for cybersecurity and risk. Riggi spent nearly 30 years with the FBI in numerous roles and is a nationally recognized expert in health care cybersecurity. He is available to assist hospitals, health systems, and other health care organizations in mitigating cyber threats and risks. He provides strategic cybersecurity advisory services, including assessment of an organization’s strategic cyber risk profile, leadership education, incident response advisory services and training, and law enforcement and national security relations services. You can contact Riggi at firstname.lastname@example.org or 202-626-2272. He is also available after hours should your organization need urgent assistance or guidance as the result of a cybersecurity risk or incident.