The Real Costs of Cyber Attacks on Healthcare Organizations

In my previous post , I explained 6 key reasons why healthcare organizations are particularly vulnerable to cyber attacks. Today, let’s explore exactly what these attacks are designed to do, and how they affect the target organizations and their patients.

What attackers want

Cyber attacks come in many forms, depending on what the criminals behind them want to achieve:

  • Steal valuable data — The traditional attack vector is to steal electronic health records (EHR), which command a very high price on the black market: hundreds or even thousands of dollars each. As I noted in an earlier blog post, attackers are stealing entire databases with data on thousands of patients and putting them up for sale on the dark web. This type of attack is still a serious threat; one analysis of the U.S. Health and Human Services breach database notes that there were 268 data breaches in 2015 but 328 in 2016 — a 22 percent increase.
  • Make a quick buck — Not all attackers have the skill and patience to infiltrate a corporate network and exfiltrate sensitive data. Instead of looking for a few big payoffs, they turn to ransomware for many smaller ones. With far less effort, they can encrypt at least some of a healthcare company’s critical files and demand a ransom (in untraceable cryptocurrency) for the decryption key. They know that healthcare organizations often have little choice but to pay up, given the vital nature of the data and the general lack of proper data security and data protection practices in the industry. They are careful to keep the ransom low enough that most providers quickly calculate that paying the hackers is actually cheaper than the alternatives.

This type of attack is becoming so common and so reliable that it’s now often referred to as a “business model.” One survey of hospital decision makers conducted by Healthcare IT News and HIMSS Analytics found that around half of respondents said they'd been hit by ransomware in the past year, and an additional 25 percent admitted they might have been.

  • Do damage — Some attacks seem designed to damage the target organization, rather than directly benefit the cyber criminal. For example, some attacks exploit vulnerabilities in the outdated operating systems on medical devices like CT scanners and MRI machines, rendering them useless for diagnostic and analysis tasks. Other attacks prevent the use of standard communication tools, such as phone systems and email, that doctors, nurses and other healthcare professionals rely on.

The impact on patients

Whatever the motives and goals of the cyber criminals, the consequences of an attack can be devastating for both healthcare organizations and their patients. Let’s consider the patients first. Any disruption to the normal functioning of IT systems, medical devices and healthcare data can trigger life-or-death consequences for patients. In the WannaCry ransomware attack in 2017, for example, hospitals across the United Kingdom had to divert incoming patients onboard ambulances to other hospitals, cancel surgeries that were within minutes of starting, and revert to tedious manual processes for critical-care situations — causing delays and opening the door to errors that could have grave consequences. Even basic processes like admitting patients and printing wrist bands were compromised.

Patients also suffer when their health records are improperly disclosed or sold on the black market. These records contain so much data that they can be used to commit identity theft, financial fraud, medical fraud and insurance fraud. And since these records include facts that can’t be changed, like Social Security number and date of birth, a data breach can haunt the affected individuals for years.

The impact on healthcare organizations

Healthcare organizations that fall victim to a cyber attack face consequences of their own. First, there are the legal and financial ones. As I explained in an earlier blog post, healthcare organizations are subject to a wide variety of regulations and requirements, many of which impose fines and other penalties for non-compliance. For instance, failure to comply with HIPAA can result in both fines of $50,000 per violation and imprisonment for up to 10 years. Organizations that violate the EU’s new General Data Protection Regulation face significantly steeper fines: up to 4 percent of their annual global turnover or €20 million, whichever is greater.

Organizations incur significant additional costs associated with investigating the attack, remediating any direct damage, and notifying affected individuals. For example, according to a report from seven state insurance commissioners, health insurer Anthem paid $2.5 million to engage expert consultants; $115 million to implement security improvements; $31 million to provide initial notification to the public and affected individuals; and $112 million to provide credit protection to consumers impacted by the breach.

But that’s not all; there are often also civil lawsuits. Anthem, for instance, paid an additional $115 million to settle several class-action lawsuits. And additional legal liability can arise from any mistakes in care that are made because data was encrypted data or IT systems were unavailable, such as a patient being given the wrong medication or procedure.

On top of the legal and financial consequences, healthcare organizations can also suffer brand and reputation due to a cyber attack. The Hollywood Presbyterian Medical Center was infected with ransomware in early 2016, and ultimately paid nearly $17,000 in bitcoin to regain access to its own systems. That attack still appears on the first page of results in a Google search of the hospital’s name, possibly turning potential patients and others away. Brand damage can also impact partnership agreements and merger and acquisition decisions.

Given all this, the outlook for healthcare organizations might seem quite dire. But I promise you, it’s not! In my next post, I’ll explore the key steps healthcare organizations can take to strengthen their cybersecurity defenses.

In the meantime, be sure to read our white paper, “Protecting Data in the Healthcare Industry,” to learn more about:

  • The various regulations and requirements that healthcare firms must comply with
  • The realities and trends that are increasing the risk for healthcare organizations
  • How data breaches impact healthcare organizations
  • Best practices for cyber security defenses

Download the White Paper

Anonymous