Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight


Blog Post

Navigating Cyber Risks in Healthcare: A Critical Wake-Up Call


“Plus ça change, plus c’est la même chose” 
(“The more things change, the more they stay the same.”)
–Jean-Baptiste Alphonse Karr

In our digital age, the healthcare sector remains the most vulnerable to cyber attacks.

So many attacks and breaches are reported that many of us suffer from ‘breach fatigue.’ In a recent @TN HIMSS panel discussion entitled Something Needs to Change: The Evolving Cybersecurity Landscape in Healthcare, @Baxter Lee, CFO at @Clearwater provided this summary to kick off the session:

  • Last year, over 135 million patient records were exposed through data breaches, which is more than double that of 2022; 135 million represents nearly 40% of the US population.
  • The US Healthcare industry is the most targeted in the world for a cyberattack and the costliest, at over $11 million per breach. Healthcare breaches in 2023 are estimated to cost the industry over $14 billion.
  • Ransomware attacks on healthcare doubled in 2023. Last year, over 140 hospitals were directly impacted by ransomware attacks, and countless physician practices and digital health companies were also affected.
  • The average ransomware payment in healthcare is over $1.5M, and global ransomware payments topped $1 billion in 2023.
  • Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the significant breaches reported to OCR.
  • There is increasing vendor risk; of the large breaches in 2023, 38% of the events were associated with Business Associates; however, nearly 70% of the records breached came from third-party vendors.
  • Of course, cyberattacks have significant financial impacts, from lost revenue to regulatory fines and penalties to reputational harm.
  • Finally, numerous studies and research papers demonstrate increased mortality rates, decreased service levels, and lower overall patient care from organizations that have experienced cyberattacks.

Speaking of patient care, Chapter 1 of Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management vividly illustrates this ongoing threat through a fictional yet chillingly possible scenario: a cyber attack leads to the death of a patient due to manipulated medical images.

The chapter opens with a gripping story of Mrs. Smith, a politician who unknowingly becomes the victim of a cyber attack. Hackers infiltrate the hospital’s network and alter her CT scan results, erasing evidence of cancer. The undetected illness leads to her untimely death and a subsequent lawsuit against the hospital. This narrative isn’t far-fetched. Researchers in Israel have demonstrated the feasibility of such an attack, using simple devices available online to manipulate medical imaging.

This scenario is a stark reminder of the catastrophic consequences cyber attacks can have, not just on cybersecurity but on human lives. The healthcare industry’s reliance on digital technology, and the voluminous data that hospitals and health systems create, receive, maintain, and transmit, make it a prime target for such attacks. These attacks expose organizations to immense financial and reputational risks and, more alarmingly, jeopardize patient safety.

The chapter highlights the essential concept of Enterprise Cyber Risk Management (ECRM), urging that it’s not merely an IT issue but a broad organizational concern affecting every healthcare delivery aspect. It underscores the increasing legal and ethical liabilities that healthcare executives and board members face. Failure to adequately protect against cyber threats could lead to violations of HIPAA regulations and severe legal repercussions, including medical malpractice or negligence lawsuits.

The narrative serves as a call to action, emphasizing the urgent need for proactive engagement in cyber risk management. It outlines the duties of healthcare leaders under the concepts of duty of care and fiduciary responsibility, stressing that they are legally and morally obliged to safeguard their patients’ digital and physical well-being.

The chapter further discusses the implications of cybersecurity breaches through legal cases, such as the data breaches at Target and Yahoo, which led to significant financial settlements and highlighted the responsibilities of directors and officers in preventing such incidents.

Finally, it offers practical steps for integrating ECRM into the broader enterprise risk management framework, advocating for a robust, proactive approach to cybersecurity. Healthcare leaders are encouraged to identify and prioritize cyber risks, define their risk appetite, and implement effective strategies to manage and mitigate them.

In conclusion, the first chapter of Stop the Cyber Bleeding is a compelling introduction to the critical issues at the intersection of healthcare and cybersecurity. The entire book outlines the dire consequences of neglecting cyber risk management and provides a clear framework for action, helping healthcare executives understand and implement effective cyber risk management practices. As we move deeper into an era where data is as critical as the care provided, the need for an airtight ECRM program cannot be overstated—our patients’ lives may depend on it.
