In my previous post, I explained 6 key reasons why healthcare organizations are particularly vulnerable to cyber attacks. Today, let’s explore exactly what these attacks are designed to do, and how they affect the target organizations and their patients.
Cyber attacks come in many forms, depending on what the criminals behind them want to achieve:
This type of attack is becoming so common and so reliable that it’s now often referred to as a “business model.” One survey of hospital decision makers conducted by Healthcare IT News and HIMSS Analytics found that around half of respondents said they'd been hit by ransomware in the past year, and an additional 25 percent admitted they might have been.
Whatever the motives and goals of the cyber criminals, the consequences of an attack can be devastating for both healthcare organizations and their patients. Let’s consider the patients first. Any disruption to the normal functioning of IT systems, medical devices and healthcare data can trigger life-or-death consequences for patients. In the WannaCry ransomware attack in 2017, for example, hospitals across the United Kingdom had to divert incoming patients onboard ambulances to other hospitals, cancel surgeries that were within minutes of starting, and revert to tedious manual processes for critical-care situations — causing delays and opening the door to errors that could have grave consequences. Even basic processes like admitting patients and printing wrist bands were compromised.
Patients also suffer when their health records are improperly disclosed or sold on the black market. These records contain so much data that they can be used to commit identity theft, financial fraud, medical fraud and insurance fraud. And since these records include facts that can’t be changed, like Social Security number and date of birth, a data breach can haunt the affected individuals for years.
Healthcare organizations that fall victim to a cyber attack face consequences of their own. First, there are the legal and financial ones. As I explained in an earlier blog post, healthcare organizations are subject to a wide variety of regulations and requirements, many of which impose fines and other penalties for non-compliance. For instance, failure to comply with HIPAA can result in both fines of $50,000 per violation and imprisonment for up to 10 years. Organizations that violate the EU’s new General Data Protection Regulation face significantly steeper fines: up to 4 percent of their annual global turnover or €20 million, whichever is greater.
Organizations incur significant additional costs associated with investigating the attack, remediating any direct damage, and notifying affected individuals. For example, according to a report from seven state insurance commissioners, health insurer Anthem paid $2.5 million to engage expert consultants; $115 million to implement security improvements; $31 million to provide initial notification to the public and affected individuals; and $112 million to provide credit protection to consumers impacted by the breach.
But that’s not all; there are often also civil lawsuits. Anthem, for instance, paid an additional $115 million to settle several class-action lawsuits. And additional legal liability can arise from any mistakes in care that are made because data was encrypted or IT systems were unavailable, such as a patient being given the wrong medication or procedure.
On top of the legal and financial consequences, healthcare organizations can also suffer brand and reputation damage due to a cyber attack. The Hollywood Presbyterian Medical Center was infected with ransomware in early 2016, and ultimately paid nearly $17,000 in bitcoin to regain access to its own systems. That attack still appears on the first page of results in a Google search of the hospital’s name, possibly turning potential patients and others away. Brand damage can also impact partnership agreements and merger and acquisition decisions.
Given all this, the outlook for healthcare organizations might seem quite dire. But I promise you, it’s not! In my next post, I’ll explore the key steps healthcare organizations can take to strengthen their cybersecurity defenses.
In the meantime, be sure to read our white paper, “Protecting Data in the Healthcare Industry,” to learn more about: