Cyberattacks in healthcare surged last year, and 2022 could be even worse

The typical breach costs several million dollars. Attackers have realized hospitals are prime targets, so healthcare leaders need to make protecting their systems a top priority.

Healthcare organizations have been inundated with cyber attacks, and they can expect more to come in 2022.

Hospitals and other healthcare organizations remain ripe targets for cyber attacks, said Mac McMillan, founder, CEO and president of CynergisTek, a cybersecurity consulting firm.

“I think the bad guys have figured out healthcare is a lucrative target. It’s a target that’s more susceptible to disruption because they haven’t made the investments others have made,” McMillan said.

Several cyberattacks have already been reported in 2022. Earlier this month, Broward Health in Florida said it had suffered a breach that may have affected more than 1.3 million people.

The U.S. Department of Health and Human Services keeps track of cyberattacks and breaches at healthcare providers. In 2021, there were 618 breaches and attacks affecting at least 500 people, according to the department. Last fall, federal authorities issued a warning that cyber attackers backed by the Iranian government were targeting critical infrastructure, including the healthcare industry.

Cybersecurity experts such as McMillan say healthcare providers must devote more resources to preventing cybersecurity attacks. They say that having to deal with attacks can be far more expensive.

Scripps Health said a cyber attack last year cost the system $112 million in lost revenue, according to media reports. The California-based system was forced to take down its electronic health record system for nearly a month.

The cost of a typical healthcare breach rose to an average of $9.4 million in 2021, an increase of $2 million over the previous year, according to a report by IBM. The average ransomware attack on healthcare cost $4.6 million per incident.

“I would much rather invest in being better prepared than paying that money after the fact,” McMillan said.

Many attackers aren’t necessarily demonstrating highly sophisticated schemes. They’re simply exploiting weaknesses that healthcare organizations haven’t addressed.

“They’re taking advantage of our inability to do the basics really well,” McMillan said.

Leon Lerman, co-founder and CEO of Cynerio, a cybersecurity firm, said the cyber attacks last year provided plenty of disruption, but he projects it’ll be worse this year.

“As we head into 2022, it is likely we will see an increase in both the sheer number of attacks on hospitals as well as severity,” Lerman said. “It will be critical for hospitals to have proactive response strategies in place to prevent attacks and ensure continuity of care in the event of an attack.”

He also said more government intervention is needed “to ensure hospitals are prepared with the tools they need to address the evolving threat landscape in healthcare. It could be the difference between life or death.”

Disruption and data

Attackers are going after two primary objectives: disruption and data.

First, attackers are looking to disrupt healthcare operations. Healthcare providers aren’t like other businesses that can take their time if a system is compromised. If a hospital can’t access its records or its ability to serve patients is compromised, that’s a giant problem.

While many attackers are chiefly concerned with disrupting services, some are going after the data in healthcare systems.

In some breaches, attackers have exfiltrated the data first and then deployed ransomware into the organization. In such cases, the attackers tell the healthcare organization that it can get the data back if it pays a ransom, and that if it doesn’t pay, they will detonate the ransomware and lock up its computer systems.

“I think the long and short of it is we’re going to continue to see more ransomware attacks,” McMillan said. “They’re going to get more complex and harder to deal with. It looks like it will involve threats to your information and threats to your organization from a disruption perspective.”

Cybersecurity attacks aren’t just costly to healthcare systems. They’re hurting patient care.

In November 2020, a Healthcare Information and Management Systems Society survey shed more light on the toll cyberattacks are taking on healthcare. Most of those surveyed (61%) indicated that a cyberattack disrupted non-emergency clinical care. And 28% of respondents reported those attacks disrupted emergency services.

Who’s at risk

Matt Georgy, chief technology officer of [redacted], a cloud security company based in San Francisco, said he sees smaller and even mid-size hospital systems as increasingly vulnerable to cyberattacks.

In a November interview with Chief Healthcare Executive, Georgy said smaller hospitals and healthcare systems typically have fewer resources to defend critical systems.

“It’s not going to take a lot of time for malicious actors to realize targeting smaller hospitals is more profitable to them,” Georgy said.

In McMillan’s eyes, all hospitals and healthcare systems are at risk.

Smaller systems usually have smaller staffs and budgets to defend against cyberattacks. On the flip side, larger hospitals and health networks offer many more entry points for attackers to find vulnerabilities.

“Those larger organizations, they have an attack footprint that is massive,” McMillan said.

Some hospitals have multiple incidents throughout a single year.

“You’re going to get attacked on a regular basis,” McMillan said.

Preventive steps

Healthcare organizations aren’t investing enough in bolstering their defenses against cyberattacks, critics say.

Some sectors are putting 10-15% of their information technology budgets toward cybersecurity. In healthcare, organizations typically spend 6% of their IT budgets or less on cybersecurity, according to the HIMSS survey.

“We’re not spending as much in cybersecurity as other people are,” McMillan said.

Cybersecurity is increasingly on the radar of healthcare leaders, said Chris Chamberlain, vice president of emergency management for the Hospital and Healthsystem Association of Pennsylvania.

“Unlike other hazards, a lot of healthcare executives might not be experts in IT security,” Chamberlain said. “It’s starting to come to the surface.”

McMillan said healthcare systems need to be doing more than annual risk assessments and the occasional test. “Frankly, that’s not enough in today’s environment,” he said.

Cybersecurity experts say hospitals can improve their defenses with some simple measures, including training staff to make sure all employees understand the gravity of breaches to healthcare systems.

Other steps such as using two-factor authentication to access systems can help. Georgy, of [redacted], stressed the importance of policies instructing workers to frequently change passwords and use passwords which aren’t easy to guess.

“If every company using a computer just applied common-sense security practices, you’d see a significant decline in attacks,” Georgy told Chief Healthcare Executive in November.

Cybersecurity experts have said hospitals need to come up with response plans in the event of a breach. Key players need to know who needs to be contacted immediately, including law enforcement and local, state or federal agencies.

As hospitals increasingly move toward interoperability, with providers exchanging more information, healthcare organizations need to keep security in mind.

Healthcare systems are developing more application programming interfaces (APIs), the tools needed to exchange records and data. If you go online to make a reservation at a hotel or restaurant, you’re using an API to check availability.

McMillan said APIs should be thoroughly tested before they are put into the healthcare systems. “In most cases, it’s just as easy to develop them securely as it is to develop them insecurely,” he said.

Hospitals can still move toward interoperability without increasing their vulnerability to cyberattacks, McMillan said. It just requires planning.

“People think greater interoperability means you can’t have the same level of security,” McMillan said. “That’s just not true. You can have interoperability and still have good security.”

Healthcare organizations can let systems talk to each other while still restricting what each connection is allowed to reach. In other words, System A can talk to System B, but can’t access other systems. “You’ve still limited where the threat can go,” McMillan said.

Hospital systems need to invest in defenses such as privileged access management tools to limit the ability of attackers to gain access to passwords or other sensitive data.

As hospitals invest in more security systems, they also need to have someone tracking those systems. McMillan said some healthcare systems install monitoring tools to detect breaches but don’t have personnel actively watching them. “It’s great that you have it but no one is listening,” he said.

Cybersecurity experts also stress the need for segmentation within hospital networks, so that a breach can be contained.

While the average person often considers healthcare systems to be on the cutting edge of technology, some hospitals are using the same computers and tools they have employed for years.

“Smaller systems, some of their technology, some of their capital technology, may be of an older generation,” Chamberlain said. “They may have equipment that’s a few generations old. They may not be updatable.”

Hospitals need to replace those systems and technologies that are no longer supported, experts say. If certain systems can’t be immediately replaced due to costs, then hospitals should at least be planning and budgeting for replacements in the next couple of years.

Hospitals are going to have to engage in more planning and, in all likelihood, prepare to spend more to defend against cyberattacks.

Cyberattacks aren’t likely to diminish in the near future.

“At the end of the day, we have to do a better job of avoiding these things,” McMillan said. “The money we’re spending on responding, reacting, and recovering is not productive.”