The Escalating Risk from Cybersecurity Incidents in Healthcare

Operational, financial, and regulatory impacts challenge the ability for providers to deliver patient care


The evolving cyber threat landscape, characterized by increasingly sophisticated attacks on healthcare providers, is exploiting fragmented hospital infrastructures, numerous health applications, and network-connected medical devices. These attacks not only disrupt patient care and business operations; they can also expose sensitive health data, leading to reputational damage, customer churn, and loss of market value.

A recent PwC article highlights that healthcare companies are particularly vulnerable to cyber attacks. This has made the sector a prime target for cyber criminals around the world, especially given the sensitive nature and high value of healthcare data on the black market. To that end, over 90% of cyber attacks on this sector are financially driven. Numerous recent reports and surveys reflect this level of targeting. In Canada, for example, the healthcare sector accounted for 12% of all cyber attacks last year, putting it ahead of the country's highly targeted government sector. There is clearly an urgent need for robust cybersecurity measures and a renewed focus on protecting this critical sector, a need further reinforced by the additional repercussions outlined below.

Given the healthcare sector is facing an increasing share of attacks that lead to major incidents and data breaches, businesses globally need to proactively dig in, understand their potential exposures, and invest in preparing to respond to attacks on their resources. With the inevitable incident just around the corner, it’s more important than ever for companies to have effective incident response programs in place that can 1) deal with the breadth of attacks, 2) integrate all parts of the business, and 3) rapidly mobilize to mitigate the myriad risks of cybersecurity incidents.


Cyber Attacks on Healthcare Sector Operations

The perils of cyber threats in the healthcare sector are escalating at an alarming pace. The gravity of the situation was recently brought into sharp focus when Johnson Memorial in Indiana was hit by a devastating cyberattack that threw its operations into chaos. The hackers demanded $3 million, crippling the hospital's ability to function digitally and forcing the staff to revert to paper notes, with runners ferrying orders and lab results between departments. The attack impaired the hospital's ability to use fetal monitors and to communicate with non-English-speaking patients, and forced it to divert ambulances to other hospitals for weeks.

The phenomenon is not isolated. The month of April saw a record 31 healthcare organizations fall prey to ransomware attacks, surpassing the previous high of 29 in December 2021. This marked increase from 23 victims in March and 13 in February underscores the accelerating threat landscape facing healthcare providers.

Even though ransomware attacks overall decreased slightly, from 437 in March to 339 in April, the concentration of these attacks on healthcare organizations is evident and alarming. Ransomware operators are now also exfiltrating sensitive customer data as an additional lever for extorting ransom payments, and with great success: ransomware attacks in healthcare have escalated from one a month to more than one a day. Notably, victims include large organizations like Point32Health, a New England health insurance firm serving over two million people, and smaller operations like the Murfreesboro Medical Clinic & SurgiCenter in Tennessee, which had to close temporarily for almost two weeks following an attack.

PharMerica, a national pharmacy network, suffered a significant data breach in the first quarter of 2023, with the records of nearly 6 million individuals and 5 terabytes of information stolen by attackers in just 48 hours. The exposed data included names, dates of birth, Social Security numbers, medication lists, allergies, a range of illnesses, and health insurance information, affecting a large number of individuals and potentially their descendants.

Cyber risks in healthcare have far-reaching consequences that are more severe than in many other sectors. They jeopardize critical patient care, cause service disruptions, and significantly increase patient complications following an attack. The aftermath of such incidents leaves organizations grappling with increased staffing needs and budgetary constraints, with the added pressure of not being able to bill for services. Even with insurance coverage, hospitals can still be left to deal with millions in expenses.

As Johnson Memorial's CEO pointed out, no organization is invincible: if the Pentagon can be hacked, no healthcare organization can consider itself immune. The attack and subsequent recovery cost the hospital millions in operational costs, and it took a staggering six months to restore its systems. Even though two years have passed since the incident, the financial repercussions continue to haunt the hospital, which is still waiting on its cyber insurance payout.

Financial Burdens from Incidents & Data Breaches

The escalating cyber threat landscape is underscored by disturbing data points. For example, according to the Ponemon Cost of a Data Breach report, 83% of companies they surveyed reported experiencing more than one data breach. According to a Thales EMEA report, 37% of companies surveyed had a data breach of some kind in the last 12 months, with 52% noting at least one in their company history.

The implications are stunning, with the average cost of a data breach involving 2,000 to 102,000 records standing at $4.35 million, per Ponemon. This figure rises significantly if the organization doesn't have tailored incident response plans or hasn't conducted team training exercises, as these measures are critical to minimizing the damage and recovery time after a breach. Healthcare companies face an even higher average incident cost of $10.1M, marking an increase of 41.6% in just two years. This is significantly higher than the average incident cost in the United States of $9.44M. And in the worst case, mega breaches of 50 to 60 million records lead to a massive average cost of $387M. Some breaches have even surpassed $1B in cost to the business impacted. It's no surprise that 60% of breaches have led to price increases being passed on to customers.

The financial repercussions of a cyber incident can be devastating, both in the short and long term. Publicly traded companies witnessed an average decline of 7.5% in their stock values after a data breach, coupled with an average market cap loss of $5.4 billion. The recovery time for these stock prices to return to pre-breach levels, if they did at all, was approximately 46 days. These incidents also induce a ripple effect, impacting the entire supply chain and potentially leading to losses up to 26 times greater across a company's business ecosystem.

The impacts to businesses are clear, both operationally and financially. Over the past few years, however, especially given the continued volume of data breaches, regulations have become a critical aspect that carries its own unique set of challenges and considerations for healthcare companies.

Beyond HIPAA: the Complex Web of Regulations for Healthcare in Incident Response

There's a reason the Association of Corporate Counsel (ACC) Chief Legal Officers survey reveals that three of the most important challenges for businesses today are cybersecurity, regulations, and compliance. Governments around the world are increasingly enacting and enforcing strict regulations on companies, particularly those processing sensitive data like protected health information (PHI). While most are used to dealing with regulations like the Health Insurance Portability and Accountability Act (HIPAA) in the United States, many are less familiar with laws like the Australian Privacy Act (APA) and the EU General Data Protection Regulation (GDPR).

In many countries, a wide range of state and provincial regulations additionally enforce the protection of patient and customer personal and health data. In Canada, for example, Ontario's Personal Health Information Protection Act (PHIPA), Alberta's Health Information Act (HIA), and British Columbia's Personal Information Protection Act (PIPA) govern the collection and use of health information. In the United States, similarly, existing privacy laws are being augmented with requirements on top of HIPAA's, such as Washington state's recent My Health My Data Act (the MHMD Act), with similar bills pending in multiple state legislatures at the moment.

Navigating this regulatory landscape is complex, and in data breach response increasingly so, given the cybersecurity, privacy, and breach notification laws piling up in over 120 countries worldwide, now covering close to two-thirds of the world's population. Businesses worldwide face tens to hundreds of millions of dollars in penalties, given the stack of regulatory fines that can follow a poor incident response.

But regulators are now going further. They are targeting C-level executives and the board, those they hold responsible for ensuring security and data protection are top priorities for the business. For example, late last year the US Federal Trade Commission (FTC) issued a directive that makes the CEO personally responsible for their company's cybersecurity, and it follows them for a decade, regardless of whether they remain employed by the business. Regulators are also taking major actions against businesses' operations themselves, such as revoking the ability to process personal data altogether. To that end, just this month regulators in Austria entirely revoked one global company's ability to process its citizens' personal data due to GDPR violations.

This escalating problem calls for more than just standard protective measures and tired, antiquated approaches like paper incident response plans and policies that are never used or effectively tested.

Incident Response Readiness ≠ just an Incident Response Plan

In light of these alarming trends, healthcare organizations must look beyond mere compliance and strive for a robust approach to incident response that delivers meaningful risk reduction. This means investing in robust cybersecurity infrastructure, frequent exercises and simulations, automated incident response, and data breach reporting and notification systems.

A comprehensive study involving 5,882 U.S. hospitals highlighted the importance of deeply integrating cybersecurity into organizational processes and structures. Hospitals that did so were able to effectively mitigate 37.8% of data breaches. Readiness is critical. Ponemon highlights a $2.66M savings per incident for companies that have effectively exercised their incident response plans. Additionally, businesses with robust cybersecurity policies, including a dedicated Chief Information Security Officer (CISO) and regular audits, demonstrated quicker stock price recovery post-cyber incidents, averaging around seven days. In contrast, businesses lacking in these security measures experienced a significantly longer recovery period, averaging about 90 days.

These results reinforce why HIPAA includes a specific set of rules on incident response. By mandating that companies have policies and procedures in place to identify and respond to suspected and confirmed security incidents and to minimize their impact, the rules force businesses reluctant to invest in proactive readiness to get prepared. Unfortunately, recent reports show alarming deficiencies in healthcare organizations' risk management. The US Department of Health and Human Services HIPAA Audits Industry Report continues to find that lack of safeguards for protected health information and lack of administrative safeguards for electronic protected health information are two of the top five most frequent Security Rule violations. Further, of the 554 HIPAA breach compliance investigations in 2021, over 84% resulted in corrective action.

To combat these issues and actions, healthcare organizations must adopt a proactive, comprehensive approach to incident response that transcends current measures. The only way for healthcare organizations to keep up is through the use of purpose-built incident notification and data breach response automation, to deal with the spectrum of potential attacks and associated legal requirements effectively. In addition to hastening the response time, automation reduces the risk of human error, diversifies response plans for the breadth of potential attacks, makes sure teams don’t miss response steps, automates exercises, and ensures compliance with relevant regulations while protecting legal privilege. The best automation is both scalable and easily customizable to meet the specific needs of each organization, regardless of its size.

The benefits of implementing such a system are directly quantifiable. Metrics like the average cost of a data breach, the average time to identify and contain a breach and to satisfy the full set of legal and regulatory requirements, and the reduction in spend on outside counsel can be used to demonstrate the efficacy of an investment of this kind. It's important for senior leadership to play a strategic role in defining the business requirements for such an approach, despite the challenges of understanding cyber issues and reporting frequency.

Overall, the healthcare sector is facing an escalating cybersecurity threat. The increasing frequency and cost of these attacks and their resulting impacts underscore the need for robust proactive measures, including the adoption of automated incident response and data breach notification systems and regular cyber exercises for the attacks businesses are likely to face. With this approach, healthcare organizations can not only mitigate the financial, regulatory, and operational impact of these attacks but also safeguard the health and wellbeing of their patients. In the end, it's not about trying, unrealistically, to prevent the inevitable. It's about mitigating impact by effectively managing the situation when an incident or breach does occur.
