In a previous blog post, we discussed the importance of ensuring your IT systems are secure and in compliance with regulatory requirements. With this post, we want to further explore the challenges that healthcare organizations – hospitals, group practices, clinics, labs – are facing when it comes to cyber-security, provide some examples of what can happen if your systems are breached, and recommend what you can do to overcome the challenges of cyber-security.
First – some statistics to demonstrate the size of the problem: how many health data breaches have occurred and what it can cost your organization!
- The Department of Health and Human Services’ Office for Civil Rights (OCR) was notified of 365 data breaches of 500 or more healthcare records in 2018. Those breaches have resulted in the exposure of 13,236,569 records in 2018, more than twice as many exposed healthcare records in 2017.
- OCR’s data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2018 seeing more data breaches reported than any other year since records first started being published (See Figure 1).
- Healthcare data breaches cost $408 per patient record to recover – the highest of any sector. This is almost twice as high as financial services data breaches, which cost an average of $206 per record and came in second place.
- The increased costs are associated with fixing the breach, along with protecting patients from future harm, fines and class-action lawsuits, and advertising. A recent study found that hospitals spend 64 percent more on advertising after a data breach.
- The Department of Health and Human Services estimated that it takes a breached organization a full year to recover.
Size Doesn’t Matter When It Comes to Cyber-Security
A 2017 report issued by the Health Care Industry Cybersecurity Task Force states:
“A common, yet flawed, perception is that only large organizations are the target of cyber attackers due to the volume of sensitive, confidential, or proprietary information they possess. In reality, healthcare organizations of all sizes are targets due to the interconnected nature of the industry and all organizations face resource constraints.”
According to Verizon’s Protected Health Information Data Breach Report, 47 percent of data breaches happen to organizations with less than 1,000 employees.
“It isn’t just large, complex organizations that are vulnerable to data breaches. Small organizations such as doctor-owned clinics are also disclosing losses of PHI.”
If your organization is a smaller HCO, don’t be fooled into thinking that data breaches only happen to large hospitals and health networks. Smaller HCOs are impacted as well.
For example:
- This year, Michigan-based Brookside ENT and Hearing Center suffered a ransomware attack and had their entire IT system wiped after refusing to pay the $6500 ransomware demand. The Center now plans to shut down operations.
- In 2018, Colorado-based Central Colorado Dermatology reported that attackers had penetrated its network, launched ransomware that encrypted certain files, and may have gained access to certain information on its server, including access to Protect Health Information (PHI) of over 4,000 individuals.
- In 2018, Holland Eye Laser Surgery, a five-provider group practice, suffered a data breach which compromised the records of 42,000 patients.
- In 2018, an internal security audit discovered that Tillamook Chiropractic Clinic suffered a major network breach. Malware was installed in 2016 on the billing system, which allowed hackerss to collect PHI, potentially compromising 4,058 patient records.
PHI Offers More Value to Cyber-Criminals
While cyber-criminals sell stolen credit card and bank account numbers, banks can quickly detect the fraudulent activity and cancel the account. Problem solved.
But medical history is different. It has long-term value and the usefulness of medical information is perpetual. For example, a patient can be blackmailed many years later to keep sensitive health information private. And to make the situation worse, medical fraud schemes can go on for years before being discovered. This is why medical records are more expensive on the black market – 10 times, even 60 times more costly than stolen credit cards.
Your Action Item
Don’t chance a cyber-security attack. If your HCO doesn’t have the IT staff and/or security expertise to ensure your IT systems and the data they contain are secure, look to an IT managed services provider for assistance. Doing nothing will not make your security problems disappear, nor will it help the patients whose PHI is compromised.
For more information on how Logically can help, go to our website.
