This year has been a tough one when it comes to organizations protecting their data — across all industries, not just healthcare. And experts predict that 2023 likely won’t be any better.
Cybersecurity incidents involving patient data hit an all time high in 2021 — more than 50.4 million patient records were breached. As 2022 comes to a close, it looks like the record might get broken again. A closer review of the breaches affords some clues as to how they can be avoided although health systems need to continue to invest in cybersecurity protocols, experts said.
In 2021, healthcare organizations reported a total of 714 incidents in which 500 or more patient records were breached. Between January 1 and October 31 of this year, 594 data breaches like this have been reported, with an average of 60 data breaches being reported each month.
Just like last year, most of this year’s largest healthcare data breaches were associated with third-party vendors.
For example, Advocate Aurora Health, a health system based in Wisconsin and Illinois, announced a data breach that affected 3 million people in October. Advocate Aurora said the data breach involved Meta Pixel, a third-party analytics software it had installed on its website and patient portal. North Carolina-based Novant Health and Indiana-based Community Health Network also reported data breaches this year that stemmed from their use of Meta Pixel — both incidents compromised the information of more than a million patients.
Institutions such as HHS and ECRI have issued alerts this year warning providers about the cybersecurity risks associated with the use of third-party analytics tools. Tools like Meta Pixel, Google Analytics and Adobe Analytics are usually free and can give providers insight into the way consumers use their websites, but the tech companies who provide this software can also use patient data to profile Internet users as they browse.
A Deep-dive Into Specialty Pharma
A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.
This exposed patient data may be misused to tailor advertisements based on consumers’ medical conditions. These inappropriately targeted advertisements could push unproven treatments and lead patients away from seeking appropriate care. Additionally, exposing patients’ sensitive information could also result in fines, legal action and patient distrust of providers, according to HHS and ECRI’s reports.
Data breaches also have a direct impact on patient lives, said Mike Hoey, founder of healthcare software company Source Meridian.
“Research points out how cyberattacks against healthcare organizations caused more than 20% to experience an increase in mortality rates,” Hoey said. “In one instance, Broward Health reported a breach that affected more than 1.3 million people — and according to the health system, the incident took place on account of someone gaining access through a third-party medical provider.”
While third-party data breaches and ransomware have been the most common threats to the healthcare sector, medical device security is a growing concern, Hoey declared.
As more medical devices become connected to the internet, healthcare providers will continue to see an uptick in hacks, according to research from software review and selection platform Capterra. The company found that healthcare organizations with more than 70% of their devices connected to the internet are 24% more likely to experience a cyberattack than organizations with 50% or fewer connected devices.
It’s important to remember that data breaches can be incredibly costly for health systems. Research shows that a single data breach costs a healthcare organization an average of $4.3 million.
Zach Capers, Capterra’s senior security analyst, said his company has conducted extensive research this year to prove that downtime is the biggest impact of a ransomware attack.
“Far more money goes into the downtime than the actual payment for the ransomware,” he said. “You’re looking at lost patient care, disruption of schedules, and moving patients from critical care. In this situation, every minute counts, and it’s actually impacting people’s safety from a healthcare standpoint.”
The safety standpoint Capers brought up is another critical consideration to remember. For example, CommonSpirit Health suffered a ransomware cyberattack in October. Due to the downtime, a 3-year-old in Iowa was given an improper dose of pain medication that almost killed him.
Healthcare providers are not doing enough to protect themselves against these compromising situations, Capers declared. His research shows that 57% of providers don’t always change the default username and password for each new connected medical device they put into use, and 68% don’t always update their connected devices when a protective cybersecurity patch is available.
And in the coming year, cybersecurity leaders aren’t very confident in their ability to fend off threats, according to a recent survey from software firm Ivanti. One in five cybersecurity leaders said they wouldn’t wager a candy bar on their organization’s ability to protect against a data breach in 2023.
Ransomware attacks, cloud attacks and weak medical device security will all persist and increase next year, Hoey predicted. In his view, the healthcare sector’s lack of cybersecurity expertise is a key reason these threats will continue to proliferate.
“In my opinion, the most powerful resource a healthcare provider can acquire is training for its employees to defend against cyberattacks. Historically, the healthcare industry has been slower to adopt and implement emerging technologies, and training can play an important role here,” Hoey said.
Since cyber threats only seem to be getting worse, healthcare executives as a whole are planning on increasing their cybersecurity budgets for increased training and infrastructure, according to Ivanti’s research. The report predicted cybersecurity budgets to increase by 11% in 2023, which is well above projected inflation.
Even though providers are facing strong economic headwinds, a robust cybersecurity budget will be a necessity next year, said Chris Bowen, CISO and founder at healthcare cybersecurity company ClearDATA.
“With the introduction of every new healthcare app or technology, the attack surface multiplies, and the need increases to secure the environment. Patients will demand it, attorneys general and the Office for Civil Rights will investigate it, and class action lawyers will continue to profit from it. To meet these demands, healthcare organizations will increase cybersecurity budgets – in some cases by more than 15% compared to 2022,” Bowen declared.
Photo: roshi11, Getty Images
