Health care enterprises today are plagued by evolving and increasingly sophisticated cyberattacks. The rise of remote care, complex IT environments and connected health care devices is opening up new attack vectors for cybercriminals to exploit.
Bad actors are eager to exploit vulnerabilities in any and all of these areas to access lucrative patient data such as Social Security numbers, driver’s license numbers, financial information, health data and insurance information.
To combat evolving and increasingly damaging cyberthreats, health care organizations must proactively operationalize key risk mitigation strategies aimed at effectively shoring up their cyber defenses.
Unyielding attacks
Threat actors are targeting the health care sector with a barrage of different attacks. Some of the most common types of attacks include hacking, ransomware, phishing and supply chain attacks.
The HIPAA Journal reported that 2023 saw a record 725 large health care security breaches reported to the U.S. Department of Health and Human Services Office for Civil Rights, beating the record of 720 health care security breaches set the previous year. As a result of these breaches, an average of 373,788 health care records were breached every day in 2023.
Research by the Ponemon Institute last year found that 88% of health care organizations surveyed had at least one cyberattack over the past 12 months and Check Point Software Technologies data revealed that the global health care sector experienced an average of 1,613 cyberattacks per week, reflecting a significant year-over-year increase of 11%.
Critical consequences
The cyberattacks targetting health care are persistent and damaging.
One of the most recent attacks in this sector impacted Change Healthcare (part of Optum, a UnitedHealth Group company). In late February, the company reported that it was experiencing a cybersecurity issue that made some systems unavailable. The attack impacted the company’s pharmacy, medical claims and payment systems. According to news reports, the outage left some doctors unable to check patients’ eligibility for treatment or prevented them from filling prescriptions electronically. Fallout from the attack also extended to financial disruption for providers that were unable to receive reimbursements from insurers.
It is an unfortunate reality that no health care organization is immune from cyberattacks. These attacks can lead to lengthy care disruptions, patient diversions to other facilities and delayed medical procedures, all of which can jeopardize patient safety and put lives at risk.
Cyberattacks in this sector also negatively impact public trust and can inflict lasting damage on the reputation of health care organizations.
Moreover, the operational disruption of cyberattacks can lead to significant financial losses. The costs of health care data breaches are soaring. IBM’s 2023 Cost of a Data Breach report found that the average cost of a health care data breach reached nearly $11 million in 2023, increasing by 53% since 2020.
Fines for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are another financial risk associated with cyberattacks on health care organizations. The civil monetary penalty for knowingly violating HIPAA falls within the range of $13,785 to $68,928 per violation.
Best practice risk mitigation strategies
To combat pervasive cyber threats, it is essential for health care organizations to proactively adopt robust risk mitigation strategies. The following strategies can help health care enterprises prevent cyberthreats and strengthen their overall cybersecurity posture.
Implement multifactor authentication
Implementing multifactor authentication ensures only authorized users gain access to protected health information (PHI). Multifactor authentication requires a user to present a combination of two or more credentials to verify identity for login. With this layered approach to securing data and applications, if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be granted access.
Use encryption
Encryption is an essential data protection measure for health care organizations. Encrypting PHI in transit and at rest guards against unauthorized access to sensitive data. This technology changes plain text into cypher text that cannot be read or used without the proper encryption key, ensuring that even if this data is intercepted, unauthorized individuals will not be able to read it.
Encryption is also a vital security practice for helping health care enterprises adhere to data protection and privacy regulatory requirements such as HIPAA.
Provide cybersecurity training
A majority of data breaches –– 74% –– involve human error. That is not surprising considering cyber criminals are targeting employees with a barrage of malware, phishing and password attacks. Research by Fortinet found that 81% of these attacks were targeted at employees.
Providing ongoing cybersecurity training is critical for making employees the strongest link in the chain of cybersecurity instead of the weakest link. This training should reinforce the fact that everyone plays a critical role in keeping the organization cyber secure and safeguarding patient data.
Regular training sessions should equip employees with the tools and knowledge they need to spot and combat cyberthreats. This includes understanding how to identify suspicious links and attachments, the importance of creating strong passwords and promptly reporting security incidents, and adhering to security policies.
Employees should also be educated on HIPAA policies and procedures as well as other applicable government privacy regulations.
Vet solution providers
As health care organizations are becoming digital workplaces powered by technology from third-party solution providers, it is critical to vet the security and data practices of these providers. Before selecting digital technology, health care enterprises should vet this technology to ensure the security and privacy practices meet or exceed the standards of their organization.
Adopt secure, compliant mobile messaging technology
Mobile messaging and collaboration platforms are an essential technology for keeping health care teams connected, productive and engaged. To build the most secure digital workplace, health care organizations need to adopt secure mobile messaging platforms that are private by design. That means a cloud-powered mobile messaging solution that features end-to-end encryption, full IT control, guaranteed compliance and no data collection ever.
Cyberattacks in the health care industry are evolving, increasing in frequency and severity. To protect patients and prevent operational disruptions, health care organizations should proactively adopt the best practice risk mitigation strategies outlined above.
Medical Economics | April 29, 2024