Not if, but when: Cyberattacks threaten hospital systems

This week, Chief Healthcare Executive is publishing a series of stories on cybersecurity and what healthcare organizations should be doing to protect themselves. Today, we look at why hospitals should expect a breach.

Hundreds of healthcare organizations have been hit with cyberattacks in recent years, and experts say most hospitals should expect a breach in the near future.

In fact, hospitals should count on it, said Lee Kim, the director of privacy and security for the Health Information and Management Systems Society (HIMSS).

“The question of a cyberattack is not simply a question of if, but when,” Kim said.

“The name of the game nowadays is not 100% prevention," she said. "There’s just so much cyber activity that’s happening.”

Since some breaches are likely inevitable, healthcare organizations need to be sure they can contain attackers and keep malware from spreading widely through their systems.

“Attackers will get into your system so it’s a question of how good your instant response team is," Kim said. "Can you block and tackle quickly enough? It’s like a football game, right? How good is your defense?”

The U.S. Department of Health and Human Services requires health systems to report any cyberattack or breach that affects more than 500 people. In the first quarter of 2022, 125 organizations reported such breaches, affecting millions of people. The largest, involving Broward Health in Florida, has affected more than 1.3 million people, according to the health department.

With Russia’s invasion of Ukraine, federal authorities have warned healthcare organizations - and all segments of corporate America - to bolster their cybersecurity defenses.

Cybersecurity attacks carry enormous financial costs to hospitals, which they surely don’t need with the COVID-19 pandemic.

The average cost of a breach rose to $9.4 million in 2021, an increase of $2 million over the previous year, according to a report by IBM. Healthcare breaches were the most expensive of any industry by far. The average breach across all business sectors cost about $4.2 million.

In addition to the costs, cybersecurity attacks threaten the health of patients. If hospitals have to divert patients because critical systems are down or they can’t access electronic health records, lives are being put in jeopardy, experts say.

Many attacks are geared at larger hospital systems, which have more employees and more access points to be exploited. However, experts say smaller hospital systems also make inviting targets for attack.

Two out of three healthcare IT professonals (67%) said their organizations had a significant cybersecurity incident in the past 12 months, according to the HIMSS 2021 cybersecurity survey.

Some systems are 'underprepared'

At the HIMSS 2022 Global Health Conference & Exhibition last month, cybersecurity emerged as one of the biggest topics, with a host of different sessions on topics ranging from protecting data to patient safety.

At one cybersecurity forum at the conference, Kim said there was an informal poll and those in attendance were asked to raise their hands if they had a sufficient budget for cybersecurity, and she said no one did. "Absolutely no one," she said.

Kim noted only 78% of healthcare organizations are implementing firewalls, so 1 in 5 aren’t taking that fairly basic step. There are other concerning signs regarding healthcare and cybersecurity in 2022, she said.

“We don’t have everyone implementing anti-virus across the board,” Kim said. “We don't have nearly enough encryption.”

John Riggi is the American Hospital Association’s national adviser for cybersecurity and risk, and a former top executive in the FBI’s cybersecurity division. Riggi said some health systems in the past couple of years have made admirable strides in addressing the security of their systems.

But he said others still aren’t doing enough.

“We have some that are underprepared and some that are very well prepared,” Riggi said in a phone interview with Chief Healthcare Executive.

To date, Riggi said he hasn’t seen evidence of cyberattacks reaching American healthcare institutions due to Russia’s war with Ukraine.

“We don’t think the Russian government at this point would target hospitals and health systems in the U.S.,” Riggi said. If Russian-backed hackers were to target American institutions, Riggi said it is more likely they would go after the financial sector.

However, it’s certainly plausible that Russia is planning to launch cyberattacks aimed at Ukraine’s institutions, and the malware could eventually make its way here. “We’re most concerned about the collateral damage effect,” Riggi said.

Healthcare systems have been investing more in cybersecurity. Roughly three out of five healthcare organizations (59%) said they increased spending on cybersecurity defenses, according to a HIMSS survey in February.

However, many hospitals aren’t spending much money on cybersecurity. Forty percent of hospitals participating in the HIMSS survey said 6% or less of their information technology budgets were directed to cybersecurity. Roughly a quarter of the hospitals surveyed (24%) said they have no allocation in their budgets for cybersecurity.

Healthcare organizations are prime targets for attacks, particularly ransomware attacks, because of the sheer volume of data they are handling, said Srinivas Loke, senior director of product management at Ordr, a cybersecurity firm. “I don’t think any other industry carries the same level of data,” Loke said at a cybersecurity session at the HIMSS conference.

Breaches in healthcare can be extraordinarily disruptive because of the number of people that can be affected.

Part of the reason so many are affected is because a breach isn’t usually discovered for weeks or months. Loke said breaches are often discovered 180 days after they have occurred. The IBM report said the average breach across all sectors occurs more than 210 days before it’s detected.

Get better at basics

Experts stressed the importance of taking steps such as multi-factor authentication and blocking emails from Russia and Ukraine to minimize exposure to threats.

Beyond technical steps, health systems are urged to stress the danger of cybersecurity to employees. Workers need to understand the importance of looking at emails carefully and to avoid clicking on suspicious links, said Kevin Tambascio, manager of cybersecurity for the Cleveland Clinic.

“It really is, a lot of times, about the basics,” Tambascio said.

Hospitals also need to talk more about cybersecurity both inside their organizations and with other healthcare systems, Kim said. They need to understand where hospitals have been exposed and learn about best practices.

“Nothing will replace peer to peer human intelligence,” Kim said.

Unless hospitals talk to others outside of organization, she said, “They will truly have tunnel vision when it comes to cyber. They won’t learn. They won’t grow.”

In addition to fortifying their cybersecurity defenses, healthcare organizations also must develop response plans for breaches, which are most likely going to occur at some point.

Hospitals need to consider everything from compiling lists of the key players to call, including inside the organization and law enforcement. Health systems also need to have backup of key systems and lists of important assets and a plan to contact vendors and others about the breach.

Experts stress that healthcare leaders must focus on cybersecurity and devote whatever resources are available to protect patients, their finances and their data. They should reach out to federal authorities for guidance and best practices. They also need to sell the importance of cybersecurity to everyone in the organization.

“The leadership has to make it a priority,” Riggi said.

Coming tomorrow: Why smaller systems are at great risk of cyberattacks, and lessons from a rural hospital that improved its security without adding staff.

Read more from our cybersecurity series

How a rural health system bolstered its cybersecurity

Cybersecurity measures advance in Washington