Healthcare Data Privacy and Cyberattacks

Many healthcare organizations are learning it the hard way: A health system is an extremely lucrative target for cybercriminals. Healthcare data breaches yield more sensitive personal information than even data breaches involving financial information. What's more, protected health information commands higher prices on the dark web than any other type of personal data. Not surprisingly, the number of healthcare cyberattacks has skyrocketed in recent years, despite advances in healthcare technology and security measures. And ransomware attacks are quickly becoming the preferred method of attacking healthcare providers.

The COVID-19 pandemic has made things worse by creating more opportunities for cyberattacks. The fact that many employees are working remotely and the increasing use of connected medical devices and cloud computing has made healthcare organizations more vulnerable than ever before.

Research shows that the average ransom paid for a ransomware attack is over $170,000. Each data breach costs an average of $1.9 million across industries, with the figure being considerably higher where remote work is a factor.

In this article, we'll discuss some of the key concerns regarding healthcare data privacy. We'll also talk about some of the steps you as healthcare professionals can take to protect yourselves against healthcare data breaches.

Why are healthcare cyber attacks surging?

Trends show that cyberattacks on healthcare professionals are skyrocketing. In 2020, cyberattacks on healthcare organizations and associates occurred at a rate of two every day. In 2022, the rate has escalated and shows no signs of abating.

Cybercriminals have essentially two goals - to extract hefty ransoms from healthcare systems and to gain access to protected health information and sell it on the dark web to the highest bidder. On average, a healthcare data breach at US health systems costs the targeted healthcare organization upwards of $9 million even without taking into account a ransom payment. Healthcare providers account for more than 75% of all healthcare cyberattacks, with health insurance companies and third-party business associates making up the other 25%.

The surge in healthcare data breaches in recent years is primarily due to one reason: The need for healthcare providers and patients to have increasing access to health information. As a result, the cost of securing patient information is soaring.

Why is healthcare vulnerable to cyber attacks and data breaches?

There are several reasons why the healthcare industry is the target of cyber attacks:

There is a growing need for healthcare information to be easily accessible and shareable.

Sensitive data and private patient information is worth a lot of money to cyber criminals, even more than financial data.

Medical devices are a vulnerable point of attack.

The increasing number of medical devices used by hospitals and healthcare providers is making it difficult to ensure security.

Staff members are insufficiently educated and trained in online risks and the use of cybersecurity measures, thus opening up more opportunities for healthcare cyberattacks.

There is a reluctance on the part of staff members to use new technologies recommended by security professionals because they disrupt well-established and convenient working practices.

Many healthcare organizations are using outdated technology and are unprepared for cyberattacks.

While larger healthcare systems often yield the biggest bounties for cybercriminals, smaller organizations are equally at risk because they are an easy target due to less robust security measures to protect sensitive information.

The cost of a healthcare data breach goes beyond fines

Worldwide, health care providers and organizations have to pay fines, penalties, and settlements due to data breaches, compromised credentials, and other violations. But that is not all. The real cost of a cyberattack extends well beyond fines when you take into account the cost of lost business, diminished reputation, network outage, system downtime, and expenses to reduce risk and prevent cyberattacks in the future. Moreover, ransomware attacks, which are the latest threats, also involve ransom payments. Last but not least, such attacks endanger patient safety because providers lose access to vital patient data.

Interestingly, many patients are increasingly aware of healthcare cyberattacks and are unwilling to share their health data with healthcare institutions due to security concerns. The one exception is mobile apps - research indicates that consumers are less concerned about personal health data shared over mobile health apps.

What are the key cyber threats for healthcare organizations?

Ransomware is the latest and biggest threat to healthcare institutions at the current time. Indeed, it is being sold as a subscription service by cyber criminals where buyers get the latest version of a program that allows them to plan and execute their own attacks.

How can healthcare prevent cyber attacks and keep patient data secure?

Cybersecurity strategies are shifting from a focus on perimeter protection to zero trust, i.e., using technology to continuously guard data and systems. IT professionals are increasing using AI to not only fight attacks, but to assume that malware is already inside the system. So, it is a proactive approach of threat intelligence and threat hunting in which detection is accomplished through monitoring network traffic, analyzing normal patterns, and spotting of suspicious behaviors.

Healthcare IT professionals worldwide say network monitoring is currently the most effective tactic available to prevent cyberattacks. Another strategy that is gaining traction is DevSecOps (development, security, operations) which involves integrating security at every stage of software development. Yet another critical security measure is multifactor authentication for access management.

Here are some more strategies that healthcare providers and organizations can employ to reduce the risk of cyber attacks:

Best Practices 

It's important to educate yourself on the best practices for cyber security for the healthcare industry. There are several organizations and experts that offer consultancy services for combating cyber attacks.

Cyber Hygiene 

Routine software updates, automatic software patching, keeping an inventory of all medical devices and checking them for vulnerabilities, and monitoring all downloads and searches on IT devices are some effective cyber hygiene measures you can employ.

‍Staff Training

Training your staff members in online risks and ways to prevent cyber attacks is critical. Many phishing attacks are traced to ill-informed personnel. Regular training on how to handle protected health information, updates on the latest security threats, and different ways that cyber attacks can manifest are some of the activities you can undertake to mitigate these threats.

Security Professionals

Hiring a cybersecurity expert or IT person with deep knowledge of cybersecurity may work out to be less expensive than you believe if this individual or individuals can help to ensure data security.

‍Cyber Insurance 

While it is more commonly used by financial organizations compared to the healthcare sector, cyber insurance is one way to get protection from cyber extortions and threats. ‍There is still a lot of ambiguity, however, in terms of covered entities - whether it is the patient or the healthcare system.

Third Party Business Associates

Hospitals and healthcare providers deal with multiple third party vendors. These vendors can make you vulnerable due to weak security systems. Consolidating vendors and cutting down on the number of third parties you're involved with is one way to enhance cybersecurity. Besides, it also improves operational efficiency. It's also important to perform due diligence before choosing vendors and to check each vendor or business associate for possible security vulnerabilities and risks periodically, on an ongoing basis. Security practices and protocols should be written into your contracts with partners so that they are contractually obligated to follow established security processes.

Key Takeaways

Healthcare providers are especially vulnerable to healthcare data breaches. Thanks to data protection requirements, the healthcare industry is generally ahead of other industries in cybersecurity efforts. However, the continuous threat of cyber attacks means providers must be constantly vigilant and committed to cybersecurity.

There are several advanced technologies and tools available to meet the ever-evolving threats to health systems. In general, a higher investment in cybersecurity technology will result in a lower cost should a patient data breach occur. Deploying technologies like AI and zero trust security can help to mitigate your expenses, but no system is completely safe.

Lastly, it is worth noting that while patients are victims of such attacks, they are also abettors because many patients will use unsecure mobile health apps without giving much thought to data vulnerability. Therefore, it is up to you as a healthcare provider to strike a balance between providing easy access to health data and protecting patient privacy.

The jury's still out on whether it is appropriate to give in to ransom demands from cyber criminals. Sometimes, it is the fastest and least expensive way of getting your systems up and running again. Yet, when a health system pays a ransom, there is no guarantee that the stolen data will be fully restored and it encourages cybercriminals to attack again.