From the earliest idea of electronically maintaining patient data in the 1960s, through the development of the first electronic medical record in 1972, to today’s connected devices and web-based systems, the digital practice has evolved to provide increased convenience, improved patient care, and lower costs to medical practices. But this electronic access to medical records also brings with it additional risks and obligations to practices.
Before the EHR, the biggest threats to securing medical records were likely fires, water damage, or an unauthorized person getting the keys to the records room. With the growth of the digital practice, the threat is both more varied and more difficult to defend against. Cyberattacks have put sensitive patient data at risk of exposure and your practice at risk of violating state and federal regulatory and privacy laws. Worse, a cyberattack can also put patient care and safety at risk.1
The Patient Safety Impact of Cyberattacks
Any device or system that is connected to the internet is vulnerable to attack and compromise by a determined and knowledgeable attacker. This vulnerability can put healthcare business revenue, patient privacy, and even patient safety at risk. A few recent examples:
- A large scale phishing attack in October 2020 affected six hospitals in the University of Vermont (UVM) Health System resulting in postponed appointments, scheduling problems, delayed chemotherapy and radiation treatments, and weeks-long delays to determine whether cancer biopsies were malignant. The attack began when an unwitting employee on vacation opened a personal email on his work laptop and opened an attachment. The email was from a legitimate local business that had been hacked. When the employee returned and logged into the hospital network the attackers launched the malware.
- In 2021, researchers at McAfee discovered five vulnerabilities in infusion pumps from B. Braun (one of the largest infusion pumps vendors) that could have enabled attackers to conduct remote network attacks or remotely deliver dangerous levels of medication to patients.
- In February 2024, attackers accessed an unsecured computer server used by Change Healthcare. The attack cut off providers from billions of dollars of revenue, disrupted service at pharmacies across the U.S., and may have compromised the personal data of a third of Americans.
In early May 2024, attackers staged a ransomware attack on Ascension after an employee unknowingly downloaded a malicious file, enabling the attackers to block access to patient medical records, forcing staff to rely on paper and manual processes to order medical procedures, communicate across separate departments, and keep track of hospital patients’ evolving conditions.
These attacks are not rare and often come from unexpected sources. The employee at UVM who unwittingly launched a ransomware attack, for example, is not alone. The Verizon Business 2024 Data Breach Investigations Report (DBIR) revealed that 70% of threat actors in healthcare data breaches are internal staff, contractors, and support personnel—the highest percentage of the ten industries studied. A bit of comfort can be taken to know that approximately half of all healthcare breaches were miscellaneous errors, not malicious intent. That means a strong employee cybersecurity awareness campaign in a healthcare organization could dramatically reduce the incidence of successful attacks.
Connected Medical Devices: Threats Hiding in Plain Sight
When thinking of ways that a cyberattack could affect a healthcare organization, ransomware attacks and data theft likely come immediately to mind for most people because they make headlines. While these are among the most prevalent cyber risks in the healthcare industry, another critical risk is hiding in plain sight: connected medical devices. These ubiquitous IV pumps, blood pressure monitors, EKG machines, and other devices are connected to a practice’s network and often to the internet to store and back up data to cloud services. The statistics are troubling:
- 79% of medical devices in hospitals are used regularly, making them difficult to update
- 53% of connected devices contain critical vulnerabilities that could jeopardize patient care, safety, or confidentiality
- 73% of IV pumps in hospitals contain critical vulnerabilities that could jeopardize patient care, safety, or confidentiality
Cyberattacks in Healthcare: Widespread and Costly
“Think of IT security as a chronic illness, a condition that requires ongoing treatment, testing, and re-evaluations. With security, the goal is not an outright cure but a lessening of symptoms, a lowering of risk.”2
In the first half of 2024, the breaches reported to the U.S. Department of Health & Human Services, Office of Civil Rights, affected 45.5 million individuals.* That number already eclipses the total for all of 2020 by 30% and (on a prorated basis) will eclipse three of the previous four years. Furthermore, a 2023 study revealed that healthcare organizations experienced an average of 40 cyberattacks in the prior twelve months—88% had at least one.1 The same study revealed that 77% of supply chain attacks, 69% of email/spoofing phishing attacks, 68% of ransomware attacks, 49% of cloud service compromise, and 43% of data loss or exfiltration incidents impacted patient safety and care.1 Despite these threats to patient safety and the $10.93 million average cost of healthcare cyberattacks, only 51% of organizations plan to increase investments in cybersecurity after a breach.
Cyberattacks that block access to patient records, paralyze critical medical devices, and impact patient care are not just an “IT problem” best left to tech experts, they are a patient safety issue. The good news is—because about half of all healthcare data breaches are caused by employee errors—there is an opportunity for your practice to build a pervasive “culture of cybersecurity” and prevent data breaches with a strong program of employee training and awareness. You work hard at building a “culture of patient safety” in your practice. Applying that same diligence to building a “culture of cybersecurity” can help employees become aware of their role in guarding against inadvertent cybersecurity incidents and mitigate cyberattacks in general.
* The HIPAA Breach Notification Rule requires covered entities to report data breaches of unsecured protected health information affecting 500 or more individuals. Data accessed July 10, 2024.
References
1. Ponemon Institute. Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023. Data cited from the full report.
2. Daniel Berger, President and CEO Cybersecurity consultancy Redspin. Quoted in Diana Manos. “5 ways to avoid health data breaches.” Healthcare IT News. February 19, 2014.