Cybersecurity risks can decimate provider budgets, crater consumer confidence

Healthcare organizations are increasingly falling prey to cyberattacks, putting sensitive data at risk and raising security expenditures.


Cybersecurity has been a concern for healthcare organizations for more than a decade. But the rise in attacks and ransom incidents has become a crisis for the industry, with disruptions to care and to finances reaching critical levels.


This article is part of a 3-part series by our Editor in Chief, Fred Bazzoli, discussing the future state of healthcare. Continue reading for his take on cybersecurity, and be sure to check out the articles on healthcare authority and cost value.

Protecting data and system integrity looms as a growing crisis for the industry in the coming years, particularly as attackers grow more sophisticated and incorporate artificial intelligence and social engineering to exploit trust and vulnerabilities.

The growing crisis 

Final data for 2024 is not yet tabulated, but 2023 was a bad year for data breaches. Worldwide, some 389 claimed ransomware attacks on healthcare organizations occurred in 2023, up 74 percent. In the U.S., attacks were up 128 percent in 2023 from the previous year, according to the U.S. Cyber Threat Intelligence Integration Center of the Office of the Director of National Intelligence.

The impact on care is obvious, the agency says. “U.S. hospitals have delayed medical procedures, disrupted patient care because of multi-week outages, diverted patients to other facilities, rescheduled medical appointments and strained acute-care provisioning and capacity,” it notes. “Healthcare facilities’ dependency on Internet-connected systems, large amounts of sensitive personally identifiable information (PII) and personal health information (PHI) data, and the facilities’ critical need for continuity of operations render this sector highly vulnerable.” 

In terms of ransomware alone, a Microsoft Threat Intelligence report puts the average ransom payment by healthcare organizations in 2024 at $4.4 million. Other findings from the report: 53 percent of healthcare organizations paid a ransom; 65 percent of ransom demands were for $1 million or more; 35 percent of ransom demands were for $5 million or more; and the median payment was $1.5 million. The cost of recovering from a ransomware attack in healthcare has also increased, with the mean cost in 2024 reaching $2.57 million.

Microsoft also notes knock-on disruption and overload at hospitals located near facilities that have been attacked, as patients are diverted to them: a 35.2 percent increase in emergency services arrivals, a 47.6 percent increase in waiting room time, and twice as many confirmed stroke and cardiac arrest cases.

More broadly, IT executives realize the high cost of cyberattacks. Cyberattacks on electronic health record and other systems pose a risk to patient privacy because hackers access PHI and other sensitive information, notes John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association. “By failing to keep patient records private, your organization could face substantial penalties under HIPAA’s Privacy and Security Rules, as well as potential harm to its reputation within your community. Most importantly, patient safety and care delivery may also be jeopardized,” he writes. 

The industry response 

Organizations realize the threat, and discussions about cyberthreats have risen to the C-suite. 

A just-released report from KLAS Research highlights the risk from organizations’ use of interconnected solutions. “To combat these rising threats, organizations continue to invest technologically and culturally in robust cybersecurity programs, but amid staffing and budget constraints, they must invest strategically,” concludes the KLAS report, which based its findings on interviews with 70 healthcare organizations about their top cybersecurity priorities and challenges. 

But even as they consider ways to blunt threats, the attack surface is expanding, with risks rising from third parties and distributed infrastructures. “Provider priorities are fragmented, though, as respondents mention the need to shore up increasing risks from multiple sources (and) angles, including threats to stolen data, employee credentials and connected devices,” KLAS researchers note.

The risks are huge. As previously reported by Health Data Management, cyberattacks are increasingly having an impact on patient care, delaying treatments and affecting safety. “That reality is becoming increasingly apparent as the industry is battered by spates of high-profile attacks that are interrupting services, resulting in significant disruptions and cost.” 

Sufficient response? 

Ensuring continuity of healthcare services, minimizing disruption and unnecessary costs, and fortifying consumers’ confidence and trust are increasingly top of mind for the industry and government agencies. 

Specifically, the Office for Civil Rights (OCR) this month is releasing a proposed rule that seeks to improve cybersecurity and better protect the healthcare system from cyberattacks. The proposed rule would modify the Security Rule under the Health Insurance Portability and Accountability Act of 1996 to require HIPAA-covered entities and their business associates to strengthen cybersecurity measures for protected health information against both external and internal threats.

The modifications would clarify and provide more specific instruction regarding what covered entities and their business associates must do to protect the security of electronic PHI, according to an analysis by WEDI. “The proposal also would require that policies and procedures be in writing, reviewed, tested and updated on a regular basis. Additionally, it seeks to align the Security Rule with modern best practices in cybersecurity,” the organization notes. The proposed rule has been published in the Federal Register.

The war against cyberattacks is expected to grow more difficult, as artificial intelligence tools increase attackers’ capacity to mount more realistic and focused attacks. “While AI tools can be used to thwart cyberattacks, they can also be used to penetrate defenses, especially if healthcare organizations aren’t completely on top of their relationships between their internal systems and those of their business associates,” notes Jennifer Bresnick writing for DHI Insights, a publication of CHIME.

Surmounting the growing challenges of cyberattacks remains critical in maintaining continuity of care and ensuring protection of sensitive patient health information. 
