With the continued digitization of the healthcare industry, the risk of cyberattacks has increased dramatically as healthcare data breaches hit an all-time high last year. A new report found 45 million individuals were affected by healthcare breaches in 2021 alone, up from 34 million in 2020 and triple the 14 million impacted in 2018.
The threat to hospital and health systems continues to grow and is currently heightened amid the war in Ukraine. As the U.S. implements sanctions against Russia, the Cybersecurity & Infrastructure Security Agency (CISA) is warning all organizations, including those in the healthcare industry, to be extra vigilant against cyberthreats.
In order to safeguard our healthcare data systems, data security must immediately become a strategic agenda item for healthcare executives. Now, more than ever, it’s critical hospitals and health systems have proper cybersecurity measures in place that allow them to quickly identify, respond to and report any intrusions—not only to limit operational disruptions but to protect patients’ health and safety.
The Impact Of Healthcare Data Breaches
Clinical data is the most sought-after data in the world for good reason. The valuable insights within the data are used to inform patient care and hospital best practices, so when it becomes compromised, there’s potential for serious consequences.
A 2021 report from IBM shows the healthcare industry takes the biggest financial hit from data breaches of any industry, with an average cost of $9.23 million per incident. This figure is an increase of $2 million from 2020, and that cost will continue to climb as breaches become larger and more frequent. What’s more, the report also found that the average time it took to identify and contain a data breach was 287 days (212 days to detect the intrusion and 75 days to contain).
This has lasting implications not only for hospital operations but also for patient trust in the delivery of quality care. 2021 research from CISA found a direct correlation between cyberattacks and mortality due to the series of events following a breach. Hospitals that experienced a cyber event were more likely to experience IT network failure that impacts the ability to access electronic health records and diagnostic technology; ambulance diversion that can cause a delay in treatment and lower quality of care; hospital strain measured by ICU bed utilization, which then contributes to worse health outcomes; and ultimately, increased mortality.
As cyberattacks become easier to perform with tools such as botnets, malware as a service (MaaS) and distributed denial of service (DDoS), it’s impossible to be 100% protected, but with the adoption of modern cybersecurity measures, hospitals and health systems can improve speed of detection, containment and remediation.
Cybersecurity Strategies To Implement Internally
One of the first things to consider is the hospital IT system. With the ongoing healthcare labor shortage, which has only been exacerbated by the pandemic, data security has remained a low priority for many healthcare executives. As a result, there has been a lack of investment in modern technology, and hospitals and health systems continue operating on outdated systems that are easy for hackers to penetrate.
By adopting modern IT infrastructure that supports more sophisticated cybersecurity programs and features, hospitals and health systems can minimize resulting damages from a cyberattack. This includes encryption for all healthcare data stored and transmitted, data recovery and backup mechanisms, and two-factor login authentication for anyone permitted to access information systems. Additional measures to take include workforce security training and creating a full security incident response plan with steps to identify, stop, evaluate and contain a cyberattack, as well as prevent similar incidents in the future.
Considerations For Third-Party Organizations
In addition to upgrading internal cybersecurity measures, hospital and health systems need to ensure that any third-party partners also have protective measures in place against cyberthreats. Every external organization with access to clinical data serves as an additional path of entry for hackers. As the healthcare ecosystem continues to expand, so does the need for innovation that third-party partnerships offer. However, healthcare executives should not be forced to choose between innovation or data security.
There are existing guidelines and assessments available for third-party healthcare organizations that, once completed, provide healthcare executives with confidence that partners will safeguard data. First and foremost, all partners should be fully compliant with HIPAA and HITRUST laws, which establish provisions for safeguarding medical information. Partners should also be encouraged to further mitigate risks through trusted programs such as System and Organization Controls (SOC) and Health Information Trust Alliance (HITRUST).
However, for a more reliable assessment, partners should look into the combined assurance program, SOC 2 + HITRUST, which is a collaboration between HITRUST and the American Institute of CPAs (AICPA). The integration between HITRUST CSF and AICPA’s Trust Services Criteria ensures the security, integrity, confidentiality and privacy of the data possessed by compliant organizations.
Ensuring all partners are aligned on a cybersecurity strategy is integral to the protection of patient data at all potential entryways.
Treat Hospitals As Information Technology Companies
In today’s increasingly digital world where cyberthreats perpetually exist, hospitals and health systems must take proper steps to improve their security posture internally and externally. Prioritizing data security will not only be beneficial to hospital performance overall but is key in the continued delivery of quality care and positive patient outcomes. These facilities can no longer be viewed as patient-care centers only but instead as information technology companies that require cutting-edge processes, structure and innovation.