Cybersecurity has gained the attention of health-care entities. According to the ECRI Institute, cybersecurity topped the non-profit organization’s Top 10 Health Technology Hazards list for 2022. The dangers of a cybersecurity occurrence will have multiple impacts on a health-care entity.
Cyberattacks can cause an interruption of business activities from scheduling appointments and check-ins to online payments. Cyberattacks can also endanger network-connected medical devices and data networks utilized in the delivery of health care to patients, leading to cancellations of patient appointments, procedures, and even surgeries; diversion of EMT vehicles; or closure of patient care locations.
In 2021, the Identity Theft Resource Center reported 1,862 data breaches, a 23 percent increase over the previous record set in 2017. This included 1,603 cyberattacks. Ransomware attacks doubled between 2019 and 2021.
When Ransomware Infected Hollywood Presbyterian Hospital
On February 5, 2016, Hollywood Presbyterian Hospital became the first health-care facility hit by ransomware. While other health-care entities had been breached before the Hollywood Presbyterian Hospital event, those incidents involved accessing patient health records without ransom demands.
It appears that the perpetrators used Locky ransomware, which is often delivered as a Microsoft Word document containing malicious macros. An employee opened the email attachment, and soon employees began informing their supervisors that they could not access the network. The ransomware demanded 40 Bitcoins (about $17,000 at that time).
Hospital management declared an internal emergency and took their computer system offline. The radiation oncology department and several other departments were advised to not even turn on their computers. Physicians and nurses were unable to access patient records and were unable to share radiology and medical test results. The hospital paid the ransom before they reported the incident to law enforcement.
What You Should Know About the Escalating Price of Ransomware Settlements
A 2021 survey by Sophos revealed that the average ransom paid by a medium-sized business was $170,404 in 2020. The ransom paid, however, is just the tip of the iceberg. The average cost to resolve a ransomware attack was $1.85 million. This included downtime, employee costs, device and network costs, and lost revenue. At present, the average cost to a business of ransomware attacks continues to escalate precipitously.
Protecting Patient Information and Privacy
We must understand that any cybersecurity attack and breach will severely impact an organization’s ability to deliver care and protect patient privacy, adversely affect our financial position, and possibly damage our reputation.
Protected health information (PHI) and personally identifiable information (PII) encompass key elements of the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) defines PHI as “individually identifiable health information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate.” Personally identifiable information is any information that can be linked back to a person’s identity, including Social Security numbers, driver’s license numbers, email addresses, or any other information that could be traced back to a specific individual.
With the HIPAA Privacy Rule, HHS has strict requirements when it comes to privacy matters for health-care professionals (HCPs). These individuals must:
• ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) they create, receive, maintain or transmit;
• identify and protect against reasonably anticipated threats to the security or integrity of the information in order to avoid disclosure of said information;
• protect against reasonably anticipated, impermissible uses or disclosures; and
• ensure compliance by the workforce.
Recognizing The Critical Nature of Cybersecurity for Health-Care Entities
Cybersecurity should not be thought of as “just an IT issue.” Like a stool, cybersecurity rests on three legs: the IT department, the workforce, and senior leadership. By working together toward a shared goal, they can protect the future viability of the business.
Yes, cybersecurity is critical to the survival of every business, but most especially to the survival of health-care entities. A cybersecurity breach can affect all of the following areas for health-care facilities.
- Confidence. Both patients and the health-care facilities you serve may lose confidence in you if they perceive that you are unwilling or unable to provide adequate cybersecurity.
- Reliability. Ransomware attacks may force you to take your radiology practice offline, in essence crippling your ability to work. Will you be able to perform CT scans, MRIs, and ultrasounds without your network? Is there a paper-based backup system in place?
- Revenue. Make no mistake. Your practice will lose revenue. Just how much depends on your planning and preparation. Do you have sufficient resources and insurance to carry you through the aftermath of a cyberattack?
- Erosion of current patient base. Patients may be reluctant to continue using your facility and your services if they believe there was a failure to take adequate cybersecurity precautions.
- Failure to attract and maintain new patients. Negative media news remains online for a significant period. When new patients do an internet search for a new provider, some potential new patients may be reluctant to select your practice.
Practical Steps to Take Now
A robust IT department is every health-care facility’s best defense against cyberattacks, including ransomware. Now is a good time to review IT operating practices in radiology practices.
- Employ a virtual private network (VPN). With more and more employees working remotely, data needs to stay secure. Audit networked radiology equipment, paying special attention to susceptible software, USB ports, and older equipment CD drives.
- Implement anti-virus protection. Of course, anti-virus protection should be imposed on employee computers. Do not forget to ensure that medical devices are defended by virus and malware protection.
- Raise firewalls to their highest levels. Setting firewalls to their most restrictive levels mitigates the ransomware risk by diverting external emails to a quarantine holding area before they reach employees.
- System separation is key. Separate medical devices from office devices as much as possible because office elements and systems are more vulnerable to wider attacks.
- Initiate two-factor authentication. Utilize two-factor authentication wherever possible. Without such authentication, breaches and data thefts by unauthorized interlopers are significant sources of exposure.
- Start using encryption software. Encryption is essential when transmitting PHI, PII, and other data between entities and devices, whether internally or to external parties.
- Update all software. This is especially true for legacy software, which may be difficult to protect and leaves patient information more exposed.
- Establish a protocol for patches. Implement a procedure that is rigorously followed when it comes to patches. Be sure to include patch updates for everything in your network. Beyond the obvious ones like the operating system, browsers, application software, and firmware, one should also address firewalls, anti-virus software, and networked medical devices. Stay abreast of new patch announcements, prioritize patch application, and apply patches according to the set priorities.
- Institute routine anti-phishing campaigns. Without a regular anti-phishing campaign, employees become complacent. Anti-phishing campaigns help identify employees who may need additional training on recognizing and reporting a threat. Keep in mind that shorter, more frequent trainings are more easily assimilated by employees.
- No personal emails on work devices. Many companies have allowed or looked the other way regarding personal emails on work devices in the past. However, the last five years of increased cyberattacks, including ransomware, necessitate a policy change. This policy change might get some pushback from employees at first. Clear communication with employees about the risks to the company’s viability and to their own jobs is essential when implementing a “no personal email” policy.
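As an added example, not part of the article, the following Python script turns the patch-protocol advice above into a repeatable triage: every pending patch in a mixed clinical/office inventory is scored by severity, asset class (networked medical devices and firewalls weigh more than office applications), internet exposure, whether the system handles PHI, and how long the patch has gone unapplied, and a priority-ordered work list with deadlines is produced. The asset classes follow the list in the text; the weights, deadline tiers, device names, severity scores and dates are all constructed assumptions.

```python
"""Patch-priority triage for a health-care inventory (added example, not the article's code).

Scores pending patches so that networked medical devices, perimeter devices and
internet-exposed systems are handled first, then emits an ordered work list.
All device names, severity scores, weights and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Asset classes named in the article's patch list; the weights are assumptions.
ASSET_WEIGHT = {
    "medical_device": 3.0,
    "firewall": 3.0,
    "operating_system": 2.0,
    "antivirus": 2.0,
    "firmware": 2.0,
    "browser": 1.5,
    "application": 1.0,
}


@dataclass(frozen=True)
class PendingPatch:
    asset: str
    asset_class: str
    severity: float        # vendor / CVSS-style 0-10 score
    internet_exposed: bool
    handles_phi: bool
    released: date         # when the vendor published the patch


def priority_score(p: PendingPatch, today: date) -> float:
    """Higher score = patch sooner. Combines severity, asset class, exposure, PHI and age."""
    if p.asset_class not in ASSET_WEIGHT:
        raise ValueError(f"unknown asset class: {p.asset_class}")
    score = p.severity * ASSET_WEIGHT[p.asset_class]
    if p.internet_exposed:
        score *= 1.5                      # reachable from outside: multiply, not add
    if p.handles_phi:
        score += 5.0                      # HIPAA exposure bump
    # Outstanding age: +1 per full week since release, capped so age cannot outrank severity.
    weeks = max(0, (today - p.released).days) // 7
    score += min(weeks, 8)
    return round(score, 2)


def sla_days(score: float) -> int:
    """Map a score onto a remediation deadline in days (tiers are an assumption)."""
    if score >= 30:
        return 3
    if score >= 15:
        return 14
    return 30


def build_plan(patches, today: date):
    """Return (asset, score, due_date) tuples, highest priority first."""
    rows = []
    for p in patches:
        s = priority_score(p, today)
        rows.append((p.asset, s, today + timedelta(days=sla_days(s))))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample inventory: one medical device, the perimeter firewall,
# an office PC and a PHI-handling viewer application.
SAMPLE_INVENTORY = [
    PendingPatch("ct-scanner-01", "medical_device", 8.1, False, True, date(2022, 3, 1)),
    PendingPatch("edge-firewall", "firewall", 9.8, True, False, date(2022, 3, 20)),
    PendingPatch("frontdesk-pc-07", "operating_system", 7.5, False, False, date(2022, 3, 25)),
    PendingPatch("pacs-viewer-app", "application", 5.3, False, True, date(2022, 2, 1)),
]
TODAY = date(2022, 4, 1)   # constructed "today" so the run is reproducible


def sample_plan():
    """Triage the constructed inventory as of TODAY."""
    return build_plan(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for asset, score, due in sample_plan():
        print(f"{asset:18} score={score:6.2f} due={due.isoformat()}")
```

Run as written, the firewall (internet-exposed, critical severity) and the CT scanner (medical device, PHI) both land in the three-day tier, while the office PC and the viewer application fall into the 14-day tier; the two-month-old viewer patch overtakes the newer office-PC patch only because of its age and PHI handling. The weights and tiers are the knobs a practice would agree on in its patch protocol; what matters is that the ordering is computed the same way every cycle rather than decided ad hoc.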
No longer is IT simply technical support for employees and keeping the network up and running. IT crafts the shield that protects patient records, networked medical devices, and the company’s future viability.
Mr. Silva has more than 15 years of health-care compliance experience with both large and small entities. He is a member of the Health Care Compliance Association and the National Association of Healthcare Quality.