From the earliest idea of electronically maintaining patient data in the 1960s, through the development of the first electronic medical record in 1972, to today’s connected devices and web-based systems, the digital practice has evolved to provide increased convenience, improved patient care, and lower costs to medical practices. But this electronic access to medical records also brings with it additional risks and obligations to practices.
Before the EHR, the biggest threats to securing medical records were likely fires, water damage, or an unauthorized person getting the keys to the records room. With the growth of the digital practice, the threat is both more varied and more difficult to defend against. Cyberattacks have put sensitive patient data at risk of exposure and your practice at risk of violating state and federal regulatory and privacy laws. Worse, a cyberattack can also put patient care and safety at risk.[1]
Any device or system that is connected to the internet is vulnerable to attack and compromise by a determined and knowledgeable attacker. This vulnerability can put healthcare business revenue, patient privacy, and even patient safety at risk. A few recent examples:
In early May 2024, attackers staged a ransomware attack on Ascension after an employee unknowingly downloaded a malicious file. The attackers were able to block access to patient medical records, forcing staff to rely on paper and manual processes to order medical procedures, communicate across separate departments, and keep track of hospital patients’ evolving conditions.
These attacks are not rare and often come from unexpected sources. The employee at UVM who unwittingly launched a ransomware attack, for example, is not alone. The Verizon Business 2024 Data Breach Investigations Report (DBIR) revealed that 70% of threat actors in healthcare data breaches are internal staff, contractors, and support personnel—the highest percentage of the ten industries studied. Some comfort can be taken in knowing that approximately half of all healthcare breaches were miscellaneous errors, not malicious intent. That means a strong employee cybersecurity awareness campaign in a healthcare organization could dramatically reduce the incidence of successful attacks.
When thinking of ways that a cyberattack could affect a healthcare organization, ransomware attacks and data theft likely come immediately to mind for most people because they make headlines. While these are among the most prevalent cyber risks in the healthcare industry, another critical risk is hiding in plain sight: connected medical devices. These ubiquitous IV pumps, blood pressure monitors, EKG machines, and other devices are connected to a practice’s network and often to the internet to store and back up data to cloud services. The statistics are troubling:
In the first half of 2024, the breaches reported to the U.S. Department of Health & Human Services, Office for Civil Rights, affected 45.5 million individuals.* That number already eclipses the total for all of 2020 by 30% and (on a prorated basis) will eclipse three of the previous four years. Furthermore, a 2023 study revealed that healthcare organizations experienced an average of 40 cyberattacks in the prior twelve months—88% had at least one.[1] The same study revealed that 77% of supply chain attacks, 69% of email/spoofing phishing attacks, 68% of ransomware attacks, 49% of cloud service compromise, and 43% of data loss or exfiltration incidents impacted patient safety and care.[1] Despite these threats to patient safety and the $10.93 million average cost of healthcare cyberattacks, only 51% of organizations plan to increase investments in cybersecurity after a breach.
“Think of IT security as a chronic illness, a condition that requires ongoing treatment, testing, and re-evaluations. With security, the goal is not an outright cure but a lessening of symptoms, a lowering of risk.”[2]
Cyberattacks that block access to patient records, paralyze critical medical devices, and impact patient care are not just an “IT problem” best left to tech experts; they are a patient safety issue. The good news is—because about half of all healthcare data breaches are caused by employee errors—there is an opportunity for your practice to build a pervasive “culture of cybersecurity” and prevent data breaches with a strong program of employee training and awareness. You work hard at building a “culture of patient safety” in your practice. Applying that same diligence to building a “culture of cybersecurity” can help employees become aware of their role in guarding against inadvertent cybersecurity incidents and mitigate cyberattacks in general.
* The HIPAA Breach Notification Rule requires covered entities to report data breaches of unsecured protected health information affecting 500 or more individuals. Data accessed July 10, 2024.
1. Ponemon Institute. Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023. Data cited from the full report.
2. Daniel Berger, President and CEO of the cybersecurity consultancy Redspin. Quoted in Diana Manos, “5 ways to avoid health data breaches.” Healthcare IT News, February 19, 2014.