Cyberattacks: Compromising patient privacy, health outcomes and hospital wealth
Cybercrime is a global challenge, affecting large corporations and individuals alike. But the healthcare sector seems to be a favourite target.
In the USA alone, more than 22.5 million data breach cases were under investigation as of July 2022. These breaches not only result in financial losses but also pose a danger to patients' health outcomes.
Take, for example, the case of Scripps Health. A cyberattack in May 2021 cost the healthcare organisation $112.7 million, forcing it to take a part of its IT system offline for several weeks. Medical professionals had to resort to pen and paper, significantly disrupting care.
In a more recent incident closer to home, the All-India Institute of Medical Sciences (AIIMS) fell victim to a ransomware attack on November 23, 2022. With servers knocked out, operations had to be done manually. Ransom demands allegedly total Rs. 200 crores in cryptocurrency.
What makes healthcare vulnerable?
Healthcare systems are rich data sources and easy to hack, which makes them attractive targets for cybercriminals.
Personal Health Information (PHI) is a much pricier commodity on the black market (at $60 per record) than other kinds of record (at most $5 per record). This has fuelled the desire to exploit the system to its fullest. Here's how that happens.
- Medical facilities deal with copious volumes of patient data and a vast network of connected medical devices. A single compromised device can put the entire network at risk.
- Medical data needs to be accessible for online use and remote consumption from multiple devices — a necessity, given the urgent nature of the job. The risk is that not all devices are secure.
- Instances of unauthorised disclosure of patient information, usually unintentional, are not uncommon. Overstretched medical professionals don’t have the time to prioritise cybersecurity best practices.
- Underinvestment in information technology (IT) infrastructure (1-2% of annual budget vs. 4-10% in other industries) is the grim reality. Many systems in the healthcare industry still run on obsolete platforms that don’t have the latest security updates.
Wounds that cyberattacks inflict
- Leaves hospitals’ resources high and dry
- Endangers patient privacy and clinical outcomes
A cyberattack on electronic health records or other medical systems grants hackers access to PHI and other sensitive information. In the USA, a failure to keep patient records private could jeopardise your organisation's reputation and attract severe penalties under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Furthermore, the average data breach cost in the sector is an eye-popping $10.1 million today.
Cybercrimes not only drain hospitals’ resources, but also severely affect patient safety and quality of care.
Loss of access to medical records and crucial medical devices (such as when ransomware holds them captive) cripples the medical facility and lowers the standard of care given to patients.
Hackers with access to sensitive patient data can alter it too. This is dangerous since it affects patients' health outcomes significantly.
The types of cyberattack are many, each competing to be more malicious than the last. The following are just a sample:
- Data Breaches
- Ransom DDoS
- Insider Threats
- Business Email Compromise, the Billion Dollar Scam
Data breaches can happen in many ways: credential-stealing malware, an insider leaking patient data, or misplaced laptops and other devices.
Criminals can exploit PHI to take advantage of the victim's medical issues or victim settlements; to generate bogus insurance claims; to enable the purchase and resale of medical equipment; or to gain unauthorised access to medicines for personal use or resale.
Ransom distributed denial of service (DDoS) attacks hold systems hostage until a ransom is paid. In this technique, the network is flooded with traffic until it becomes useless. This is a serious concern as it hampers critical processes, patient care and communication with associates.
Organisations are often blind to the dangers existing within their walls because they are too busy fighting external adversaries.
Consider these: (a) Legitimate access to proprietary systems exempts insiders from cybersecurity checks. (b) Insiders are better placed than any other party to gain knowledge (if they don’t already have it) of the network setup and vulnerabilities. This gives an insider with criminal intentions a real advantage.
Amongst their types are the merely reckless ones who accidentally click on a malicious link that compromises the network, or who misplace a work device carrying sensitive data.
However, the nefarious types, who intend to profit from selling valuable medical information, exist too.
Business Email Compromise (BEC) criminals utilise a fake email or compromised account to deceive employees into initiating a money transfer to an alternate (fraudulent) account. Scammers almost always pose as someone in a position of influence inside the firm, such as the CEO or CFO. The trickster generally researches their targets first and knows how to sound like the individual they are impersonating. The email is then sent to a select few (generally those who handle finances), bypassing basic security strategies such as email filtering.
Something to chew on: Would you make a transaction if you received an email (apparently) from your CEO asking for a wire transfer or a purchase of goods?
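The BEC pattern described above (an executive's name on a message that does not come from the executive's mailbox, a lookalike domain, a diverted Reply-To, and payment pressure in the wording) can be checked mechanically at the mail gateway before the email ever reaches the finance team. The script below is an added example, not code from the article or its authors: the organisation domain, the executive roster and the two sample messages are all constructed for illustration.

```python
"""Display-name and lookalike-domain checks for business email compromise (BEC).

Added example, not the article's own code. The executive roster, the
organisation domain and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's real domain and the people BEC scammers
# most often impersonate (names and addresses are made up).
ORG_DOMAIN = "example-hospital.org"
EXECUTIVES = {
    "asha rao": "asha.rao@example-hospital.org",          # CEO
    "vikram mehta": "vikram.mehta@example-hospital.org",  # CFO
}
# Wording common in wire-fraud lures; used for scoring, not for blocking on its own.
PRESSURE_TERMS = ("wire transfer", "urgent", "confidential", "gift card", "invoice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as
    example-hospita1.org (digit one) versus example-hospital.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message.
    An empty list means none of the four checks fired."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    from_dom = domain_of(addr)
    reasons = []

    # 1. Display name matches an executive but the address is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' impersonates {EXECUTIVES[name]} from {addr}")

    # 2. Sender domain is a near miss of the organisation's own domain.
    if from_dom != ORG_DOMAIN and 0 < edit_distance(from_dom, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {from_dom}")

    # 3. Replies are diverted to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        reasons.append(f"reply-to diverted to {domain_of(reply_to)}")

    # 4. Payment-pressure wording in the subject or body.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if hits:
        reasons.append("pressure terms: " + ", ".join(hits))
    return reasons


# Constructed sample messages: a typical BEC lure and a legitimate note.
LURE = """From: Asha Rao <asha.rao@example-hospita1.org>
Reply-To: asha.rao.private@mail.example
To: accounts@example-hospital.org
Subject: Urgent wire transfer - confidential

Please process a wire transfer to the new vendor account today. I'm in a meeting, handle this quietly.
"""

LEGIT = """From: Asha Rao <asha.rao@example-hospital.org>
To: accounts@example-hospital.org
Subject: Board pack for Friday

Attaching the agenda for the quarterly review.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

Run stand-alone, the lure trips all four checks and the legitimate message trips none. The checks are deliberately independent so that a compromised real account (which passes checks 1 and 2) can still be caught by a diverted Reply-To or by pressure wording, and the pressure-term check is a score, not a verdict, because legitimate finance mail also says "invoice".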
Nobody is safe! Be on guard always
The threat to health care is increasing at an exponential rate, as is the sophistication of the attacks. Your clinic might be next. Here are a few safety recommendations that might be useful:
- Properly secure networks, systems, data and the end user.
- Keep your anti-virus current, implement proper email filtering, and maintain up-to-date backups stored offline.
- Ensure that third parties and vendors with access to healthcare networks or databases are properly handling patient data.
- Report lost devices or accidental disclosure immediately.
- Train the staff to recognise and report a threat.
- Be wary of abrupt changes to previously established corporate practices.
Awareness and understanding are the two key ways to prevent becoming a victim of these scams.
“One needs only a single match to start a fire.” ― Melissa Grey
*For organizations on the digital transformation journey, agility is key in responding to a rapidly changing technology and business landscape. Now more than ever, it is crucial to deliver and exceed on organizational expectations with a robust digital mindset backed by innovation. Enabling businesses to sense, learn, respond, and evolve like a living organism, will be imperative for business excellence going forward. A comprehensive, yet modular suite of services is doing exactly that. Equipping organizations with intuitive decision-making automatically at scale, actionable insights based on real-time solutions, anytime/anywhere experience, and in-depth data visibility across functions leading to hyper-productivity, Live Enterprise is building connected organizations that are innovating collaboratively for the future.