Cybercriminals didn’t take a break during the height of the COVID-19 pandemic. There were nearly 792,000 reported cybercrime complaints in 2020, an increase of 300,000 from the previous year. It’s estimated that the monetary loss from cybercrime in 2020 was approximately $945 billion, a more than 50% increase in 2 years.
Healthcare is the 2nd most cyber-attacked industry. It costs an average of $7 million for each data breach within the industry, and it cost victims approximately $30 million in 2020. Let’s take a look at some statistics that flesh out the sheer impact of this:
- One report estimated that the healthcare industry will encounter 2 to 3 times more cyberattacks in 2021 than the average numbers for other industries.
- More than 29 million healthcare records were breached in 2020, including 642 reported data breaches of 500 or more records.
- One-third of all data breaches in the United States occur in hospitals, with the average incidence affecting 25,575 records.
- Roughly 80 percent of physician practices surveyed already have experienced a cyberattack.
Why are cybercrime incident numbers so high for an industry focused on patient care? Some of it is attributable to outdated IT systems, a shortage of cybersecurity protocols and qualified IT experts, the value of the data, and the pressing need for medical practices and hospitals to regain access to their data, which means the ransom is often paid.
Common HIPAA violations and the cost of cybercrime
Healthcare providers deal with numerous challenges in complying with the Health Insurance Portability and Accountability Act (HIPAA), including:
- keeping communication secure
- protecting mobile devices
- addressing outside threats
- staying aware of a changing regulatory environment
The healthcare industry is also targeted by cyberattacks because its organizations possess so much information of high monetary and intelligence value to cyber thieves. This includes protected health information (PHI), financial information like credit card and bank account numbers, personally identifiable information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation.
A majority of the cybercrime affecting the healthcare industry occurs through data breaches, which transpire through incidents such as stolen devices, hacking, human error and negligence, and cyberattacks. Phishing and computer viruses are the most common types of cyberattacks on physician practices. The Healthcare Information and Management Systems Society (HIMSS) notes that phishing emails are highly effective because they typically fool the recipient into taking a desired action, such as disclosing sensitive or proprietary information, clicking on a malicious link, or opening a malicious attachment.
In addition to malicious attacks, healthcare providers may encounter accidents or errors that could lead to a HIPAA violation. These could be mistakes by employees, vendors or contractors or a lack of plans and procedures to combat cybercrime. Ten of the most common HIPAA violations are:
- snooping on healthcare records
- failing to perform an organization-wide risk analysis
- failing to manage security risks
- denying patients access to health records
- failing to enter into a HIPAA-compliant business associate agreement (BAA)
- lacking access controls for ePHI (electronic protected health information)
- failing to use encryption or an equivalent measure to safeguard ePHI on portable devices
- exceeding the 60-day deadline for issuing breach notifications
- having impermissible disclosures of PHI
- not properly disposing of PHI
Stolen protected health information (PHI) can be a dozen times more valuable on the black market than credit card information. Ransomware attacks cost the industry $20.8 billion in downtime alone in 2020, double the amount from 2019. Lack of compliance cost healthcare providers an average of $14.82 million and can lead to civil or criminal penalties for HIPAA violations.
Maintaining a culture of cybersecurity
Patient safety isn’t only the responsibility of clinicians. Employees in non-clinical roles must actively work to prevent cybercrime. Networked medical devices and other mobile health (mHealth) technologies can help improve patient care, but they also may expose patients and healthcare provider organizations to safety and security risks.
It’s essential for providers to maintain the confidentiality of patient data to prevent medical identity theft and assure patients that they can safely share sensitive health information. Ransomware attacks can lead to loss of lifesaving medical devices or important patient records, making it difficult to provide adequate care to patients. Similarly, hackers who gain access to patient records can cause damage by altering or deleting data, leading to adverse outcomes and serious effects on patient health.
Prioritizing cybersecurity improves patient safety. According to the senior advisor for cybersecurity and risk for the American Hospital Association (AHA), the most important defense is to instill a patient safety-focused culture of cybersecurity. The AHA recommends the following 6 actions to manage hospital cybersecurity risk:
- establish procedures and a core cybersecurity team to identify and mitigate risks, including board involvement as appropriate;
- develop a cybersecurity investigation and incident response plan that is mindful of the Cybersecurity Framework being drafted by the National Institute of Standards and Technology;
- investigate the medical devices used by the hospital in accordance with the June 2013 Food and Drug Administration guidance to ensure that the devices include intrusion detection and prevention assistance and are not currently infected with malware;
- review, test, evaluate and modify, as appropriate, the hospital’s incident response plans and data breach plans to ensure that the plans remain as current as possible in the changing cyber threat environment;
- consider engaging in regional or national information-sharing organizations to learn more about the cybersecurity risks faced by hospitals; and
- review the hospital’s insurance coverage to determine whether the current coverage is adequate and appropriate given cybersecurity risks.
Securing your organization’s cyber success
At Harmony Healthcare, we know that cybercrime prevention is not the sole responsibility of IT departments and must be treated as a system-wide responsibility. That’s why we recently partnered with Todd Renner, FBI Supervisory Special Agent and 20+ year cyber expert, and hosted healthcare executives during a 1-hour digital event focused on specific ways to combat evolving cyber risks.