Healthcare organizations’ number one priority is patient care. They’re in the business of helping patients, so most of their time, energy, and resources are allocated there. However, cybersecurity is becoming an increasingly important topic for healthcare organizations. Each organization could contain hundreds of third parties accessing their network, plus on average, an organization has 2.5 million EMR accesses daily. Those EMR files are highly sought after by external hackers and those in the ransomware business, so it’s no surprise that healthcare organizations are at risk for insider threats or a major attack.
It’s time healthcare organizations start treating their cybersecurity with the same urgency and seriousness as they do patient care.
Why Healthcare Organizations are a Target For Data Breaches
Healthcare organizations are unique in that they are vulnerable to cyberattacks or data breaches from multiple avenues. Each avenue is serious and should be considered as such.
The vast amount of daily EMR accesses
Doctors are checking the medical histories of patients before prescribing medicine, billing is looking at charts to code the right procedures to insurance companies, an ER nurse is checking a patient’s allergies to diagnose a condition, and the list goes on and on. All these accesses are critical — some are even a matter of life and death — but all carry with them a risk. That sheer volume increases the risk of an external hacker gaining access, an accidental breach, an inadvertent HIPAA violation, or something more malicious. The cost of a HIPAA violation, be it unintentional or malicious, can add up to tens of thousands of dollars — that’s a high price tag for an accident.
Those internal users that have access to EMR systems — for role-specific and often life-saving purposes — are the same users that could be causing a breach. As mentioned above, EMR data is highly valued on the black market (fetching about $250 per file), and it’s not far-fetched for a bad actor to ask an employee to become an insider threat and leak that data for financial gain. Then there is the termination gap, where a user who was recently terminated still has access and leaks valuable, private information. In addition to the malicious motivations, sometimes employees are just careless. They leave systems open, leave their password on a sticky note, or snoop on EMR data, not knowing they could get caught and slapped with a fine.
A healthcare organization is not an island. Whether it’s a technician accessing the software for an MRI machine, an IT contractor working on internal logging systems, or a myriad of other examples, third parties are everywhere in an organization’s systems. However, the point of access for a third party is the riskiest point for any organization. There’s no HR system of record for third parties on which to base role-based access controls, and many organizations (63% to be exact) lack visibility into the users accessing their critical systems. That’s a whole lot of risk for an industry as important as healthcare.
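The two access risks described above (a terminated employee whose EMR account still works, and third-party or service accounts that no HR roster tracks) are both things an access-monitoring check can surface from the EMR audit trail. The following is an added example, not code from the original article or from any product it mentions; it assumes a hypothetical pipe-delimited audit log format and a constructed HR roster, and reconciles each access event against that roster:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    """One row of the HR roster (constructed; user ids and roles are hypothetical)."""
    user_id: str
    role: str
    terminated_at: Optional[datetime] = None  # None while the person is still employed


@dataclass(frozen=True)
class AccessEvent:
    """One EMR audit-log record."""
    accessed_at: datetime
    user_id: str
    patient_id: str
    action: str


@dataclass(frozen=True)
class Finding:
    """An access that the roster reconciliation could not justify."""
    user_id: str
    patient_id: str
    accessed_at: datetime
    reason: str


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC (assumed log convention)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed HR roster: two active clinicians and one billing user
# whose employment ended on 2024-03-01 at 17:00 UTC.
ROSTER: Dict[str, User] = {
    "dr.alvarez": User("dr.alvarez", "physician"),
    "rn.okafor": User("rn.okafor", "nurse"),
    "bill.chen": User("bill.chen", "billing", terminated_at=_ts("2024-03-01T17:00:00")),
}

# Constructed EMR audit log. Assumed format: timestamp|user id|patient id|action.
# The MRI vendor's service account appears in the log but is not on the HR roster.
SAMPLE_LOG = """\
2024-03-01T08:15:00|dr.alvarez|P-1001|view_history
2024-03-01T09:40:00|bill.chen|P-1002|view_chart
2024-03-02T22:05:00|bill.chen|P-1003|export_chart
2024-03-02T22:07:00|bill.chen|P-1004|export_chart
2024-03-03T10:00:00|rn.okafor|P-1005|view_allergies
2024-03-03T11:30:00|vendor-mri-svc|P-1006|view_imaging
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Turn the raw audit log into AccessEvent records, skipping blank lines."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user_id, patient_id, action = line.split("|")
        events.append(AccessEvent(_ts(ts), user_id, patient_id, action))
    return events


def review_access(events: List[AccessEvent], roster: Dict[str, User]) -> List[Finding]:
    """Reconcile each access against the HR roster.

    Two conditions are reported:
      * the account is absent from the roster (unmanaged or third-party access
        with no role of record), and
      * the account belongs to someone whose termination time precedes the
        access (the termination gap).
    Accesses by active, rostered users are treated as in scope for their role.
    """
    findings: List[Finding] = []
    for ev in events:
        user = roster.get(ev.user_id)
        if user is None:
            findings.append(Finding(ev.user_id, ev.patient_id, ev.accessed_at,
                                    "account not in HR roster (unmanaged or third-party access)"))
            continue
        if user.terminated_at is not None and ev.accessed_at > user.terminated_at:
            findings.append(Finding(ev.user_id, ev.patient_id, ev.accessed_at,
                                    "access after termination (termination gap)"))
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{f.accessed_at.isoformat()} {f.user_id:15} {f.patient_id} {f.reason}")
```

Run against the constructed log, the check passes the billing user's chart view made before the termination time, flags the two chart exports made the following night, and flags the vendor account because no roster entry exists to say what it is allowed to touch. In practice the roster would come from the HR system and the vendor would be given an entry of its own, which is the "fine-grained access controls for third parties" point the article makes.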
How Patient Data Affects Patient Care
Here’s a scary scenario. A hacking group decides to hold a healthcare organization for ransom. They breach the IT systems and shut them down until they are paid. Without IT systems, this organization can’t admit patients, control surgical software, and more. So they have no choice but to cancel surgeries. That really happened, and it wasn’t just at one location. It happened to Memorial Health Systems, which owns 64 hospitals. In fact, 38 cyberattacks caused disruption of services to 963 healthcare locations in 2021.
That’s more than just HIPAA violations and lost data. That’s patients and doctors who suffer. That’s the difference, in some cases, between life and death. In the same way that a hospital makes sure it has enough physical supplies (masks, blood, syringes) to give patients the best care possible, it needs to make sure its cyber systems are operating at a hundred percent, which means investing in cybersecurity.
How to Protect Healthcare Organizations
These threats are real, but the solutions are simple to implement. From educating staff on HIPAA compliance and offering continuous training, to investing in access monitoring software, to making sure fine-grained access controls are in place for third parties, there are a variety of methods a healthcare organization can employ to safeguard its systems and its patients. After all, with the average cost of a healthcare hack reaching $9.42 million in 2021, healthcare organizations can’t afford to avoid investing in cybersecurity.
This post originally appeared in HealthIT Security.