Medical service providers and healthcare organizations can be justifiably proud of their abilities to help patients. However, that sense of pride carrying over into the cybersecurity systems that protect their data networks can be dangerous. More than a third of all healthcare providers, for example, profess to be completely ready to defend against a cyberattack. The reality is that most of those providers are underprepared or wholly unprepared for a potential attack.
Consider the ransomware attack that was launched against the United Kingdom’s National Health Service in 2017. The Service had to shut down more than 16 of its hospitals. Why? Because employees were unable to access data and information that had been frozen by the “WannaCry” ransomware attack. U.S. hospitals are similarly vulnerable to ransomware shutdowns, although few openly acknowledge this risk.
Why Is Healthcare Susceptible to a Cyberattack?
Hospitals and healthcare centers are attractive targets for hackers and data thieves. A number of features that are unique to the healthcare industry contribute to this:
- Modern healthcare relies extensively on Internet-enabled technology that is vulnerable to hacking. As the Internet of Things (IoT) gets bigger, hackers have more opportunity.
- Medical organizations collect and store volumes of patient information that hackers can use for identity theft and medical fraud.
- Notwithstanding their beliefs to the contrary, hospitals generally have weak cybersecurity systems. Cybersecurity may be a budgetary afterthought relegated to a small information technology department.
- Medical information that is stored digitally will be more susceptible to data breach losses than physical files. Government incentives are pushing all medical records onto accessible electronic platforms.
Improving the Healthcare Cybersecurity Environment
A 2017 taskforce coordinated by the U.S. Department of Health and Human Services identified six areas for healthcare providers to address:
- Medical device security
- Workforce expertise and capacity
- Readiness and responsiveness to cyber attacks
- Protection of R&D and intellectual property
- Industry cyber risk data-sharing
Cybersecurity experts also regularly recommend making financial provisions to recover losses following an attack. These include planning how you’ll cover first- and third-party damages, as they can be very expensive. Getting cyber insurance coverage ahead of time is one major step toward well-rounded healthcare cybersecurity.
Cyber insurance provides reimbursement for direct losses, third-party liabilities, regulatory fines, and other expenses organizations might face following a cyber attack. A healthcare provider’s aggregate losses and expenses from a cyber attack can be devastating. Following a data theft that compromised personal and medical records, Advocate Health Care paid a regulatory fine of $5.6 million. This was in addition to its direct losses and expenses for data theft protection that it provided to its patients.
Widespread improvements in healthcare cybersecurity will likely take years to implement. Until then, hospitals and medical centers will remain exposed to cyber attacks and data thefts. However, a combination of education, preventative measures, and cyber insurance will help organizations stay on top of cybersecurity. That way, they can devote more time to their patients and less time to addressing costly hacks and data breaches.