When a patient chooses a healthcare organization, they aren’t just trusting them with their physical health; they’re also trusting that healthcare organization with their most sensitive personal information. However, that trust can be undermined if a security breach compromises their data.
Unfortunately, cyber attacks against healthcare are on the rise. Over the past decade, theft of electronic Protected Health Information (ePHI) in the United States has increased steadily, resulting in healthcare organizations incurring both reputational and financial costs.
Impact of cyber attacks on healthcare and patient confidence
The potential fallout of a cyber attack is immense and should never be underestimated. In mere moments, what begins as a cyber incident can rapidly intensify into a life-threatening emergency.
Physical harm
During a cyber attack, a hospital may be locked out of its systems, leaving the staff to provide patient care without full access to essential data and equipment. This situation poses a serious threat as an attack can disrupt connected medical devices like IV infusion pumps or ventilators that patients rely on for their care, potentially leading to fatal outcomes.
A hospital may have to go on diversion, resulting in an ambulance carrying a critical patient being unable to reach the closest hospital. In an emergency medical situation, seconds and minutes are vital, especially for a patient experiencing a stroke or heart attack.
A study by McGlave, Neprash, and Nikpay at the University of Minnesota School of Public Health underscores the dire effects of ransomware attacks in healthcare. They discovered in-hospital mortality significantly increased during such attacks as well as a 17%-25% drop in hospital admissions. Alarmingly, between 2016 and 2021, these incidents may have contributed to the deaths of 42 to 67 patients.
Identity damage
Cyber attacks represent a significant threat beyond the initial incident, particularly for patients. Threat actors often target valuable data, including electronic medical records, insurance details, and financial information. Once stolen, this information can lead to fraudulent insurance claims, unauthorized prescription access, or unwarranted medical procedures.
Consequently, patients may be erroneously billed for services they never received, face alterations in their health records, or have their sensitive medical information misused. A patient cannot cancel their electronic medical record or social security number like they can a credit card.
Reputational repercussions
Patients expect their healthcare providers to take every measure to protect their sensitive data. While the healthcare industry works hard to gain patients’ confidence, an attack can erode this trust.
81% of consumers judge a company based on how it treats their personal data. If they don’t like the way their information is being handled, they’ll make a change. In fact, 44% of consumers surveyed reported switching to another company to keep their data safer.
In healthcare, patients are the clients. If their personal health information is exposed due to an incident or a breach, then they may well turn to another facility for care.
Resistance to seeking care
Due to the nature of healthcare, the decline in patient trust has profound implications. When patients lose faith in their healthcare system, they are less inclined to seek care when they need it, putting not only their well-being at risk but also potentially endangering the health and safety of others. Some cyber incidents last for weeks or even months, resulting in patients potentially delaying needed care due to the disruption at the healthcare facility.
Exacerbating issues
The healthcare industry is under enormous pressure without the threat of cyber attacks or the resulting loss of patient trust. Most hospitals are still recovering from the COVID-19 pandemic, which strained the U.S. healthcare system, and patients are coming into hospitals sicker and staying longer.
In addition, supply chain challenges and inflation have driven up costs for everything from drugs to equipment to nearly twice Medicare’s reimbursement rates.
According to the American Hospital Association’s (AHA) “Cost of Caring” report,” more than half of hospitals in the U.S. ended 2022 at a financial loss. This trend continued throughout 2023 with the highest number of hospitals defaulting on their bonds in more than a decade.
This dire financial situation has meant budget cuts, layoffs, and even facility closures, making it even more challenging for IT leaders to gain support from the C-suite to increase the cybersecurity budget. The paradox is that while these budget constraints are bona fide, cyber attacks on healthcare organizations will only increase. Ultimately, the patients are the ones who suffer the most from this vicious cycle.
Paradoxically, despite these undeniable budgetary constraints, the frequency and severity of cyberattacks targeting healthcare organizations continue to escalate. Ultimately, it is the patients who suffer the most from this relentless cycle of financial strain and cybersecurity vulnerability.
How to protect patient data
Many of the steps to keeping patient data safe involve good cybersecurity hygiene, including:
Knowing your surface area: Inventory your digital assets, including all systems, devices, applications, and even third-party vendors.
Patching and updating your software: Threat actors rely on unpatched vulnerabilities in software and will time their attacks accordingly. Install updates as soon as possible to reduce their window of opportunity.
Backing up data: Backing up information might not prevent a ransomware incident, but it can help you recover if you are attacked. Ensure backups are air-gapped and restore procedures are tested regularly.
Augmenting your security staff: It’s not uncommon for IT professionals to leave the healthcare industry for other positions that are deemed more lucrative and less stressful. By outsourcing some core cybersecurity support areas, healthcare organizations can continue strengthening their cybersecurity posture, even when budgets, resources, and internal skill sets are limited.
Teaching your team to spot warning signs: Many attackers rely on social engineering to trick an insider into clicking a malicious link or downloading malware. Training staff to recognize phishing scams and observe basic cyber hygiene practices goes a long way in minimizing the chances of a cyber attack.
Maintain patient trust with strong cybersecurity
Safeguarding patient data is equally important to providing safe, high-quality care. And the most effective way for healthcare organizations to protect their patients’ information is to make cybersecurity a top priority.
There’s never been a more important time for healthcare IT leaders to communicate and engage their C-suite and board around these issues. For insights into how to do this effectively, watch our on-demand webinar, Getting the C-suite on Your Team.