MedCity Influencers

Recognizing and Mitigating Cybersecurity Risks: Strategies for Healthcare Organizations

Healthcare organizations should work proactively with experts in the relevant domains to recognize and mitigate potential cybersecurity risks. Here's what to do to mitigate risk.

Criminals have ubiquitous access to the internet, and stolen proprietary and confidential data is routinely misappropriated. Healthcare organizations can suffer devastating, occasionally irreparable, consequences when ransomware or other malware infects their computer systems, and it can take years of expensive litigation to rectify the losses.

In addition to the by-now familiar forms of cyberattack that threaten healthcare professionals and practices, organizations face the potential for sanctions and penalties related to attacks, as well as risks from novel forms of security breach through artificial intelligence (AI) applications. Healthcare organizations can mitigate these risks through a combination of advance planning and collaboration with trusted business partners.

Threats from abroad

Cybersecurity poses a unique challenge to the healthcare community, because large online attacks that compromise patient records can disclose substantial amounts of protected health information. These disruptions threaten the integrity of clinical practices and the delivery of medical treatment. Security breaches also frequently interfere with everyday insurance authorizations and timely payment for services already rendered, and undermine routine activities in the delivery of care, such as the filling of prescriptions. One example, as described by the Harvard Business Review, was the 2024 attack on Change Healthcare, which “brought medical billing in the United States to a standstill and propelled hundreds of financially strapped health systems and medical practices to the brink of bankruptcy.”

Some of these attacks are sponsored by foreign governments intent on undermining our financial, economic, and political stability. Government websites such as that of the Social Security Administration are also targeted for fraud, with potential consequences for a significant segment of the aging and vulnerable population. Software security assurance, the practice of building and verifying security throughout a system's design, development, and maintenance, has been developed to limit the risk of such violations and the resulting catastrophic harm to the public.

Difficulties at home

Federal and state privacy laws create an added risk to clinicians from a regulatory and compliance perspective. Data breaches often lead to complaints initiated by government oversight and licensing agencies, including the HHS Office for Civil Rights, with possible investigations subsequently resulting in fines, sanctions, and related administrative penalties. Federal regulators themselves opened an investigation in spring 2024, following the attack on Change Healthcare that exposed the data of millions of Americans. An inadvertent disclosure may also create negative publicity on social media, which can damage the professional reputations of individual or institutional providers and thereby impair clinicians’ ability to practice and even to earn a living.

Collateral — and often unexpected — harm may include limitations to, or a complete loss of, admitting and surgical privileges at a medical facility or possibly exclusion from third-party payer networks, including CMS. Without an advance strategy, resolving such dire fallout may take years of incremental adjustments, as well as substantial monetary expenditures.

AI for friends and foes

A wide variety of AI applications can improve administrative efficiency and help identify potential staffing issues. For now, however, tools designed to make clinical recommendations may be problematic, because unidentified biases or operational faults in the software can surface in practice. And the rapidly evolving technologies of artificial intelligence, also referred to as augmented intelligence, further complicate the cybersecurity landscape.

AI applications bring the potential for increase in healthcare’s cybersecurity risks from multiple directions: 

  • Risk of an AI application being hacked: Human control, supervision, and ongoing vigilance are vital when AI-powered tools are integrated into healthcare. The risk of outside security breaches amplifies this concern, because bad actors who tamper with a tool can degrade the quality of care being delivered and increase the risk of unfavorable outcomes. A breach could also expose both practitioners and organizations to unpredictable civil liability. AI tools also carry attack surfaces that conventional software does not: a model can be manipulated through crafted inputs (adversarial examples or injected prompts) or through poisoned training data, and because such manipulation produces no crash or obvious malfunction, it is more likely to go undetected.
  • Risk of an AI application being used by hackers: Just as AI-powered tools can be used by healthcare, they can be used to attack healthcare. ChatGPT, for instance, can readily generate template phishing emails that are more convincing, in grammar, tone, and personalization, than many that cybercriminals have written themselves.

Adopting AI applications without careful evaluation and implementation may be perilous and may create unintended consequences that hinder or undermine optimal patient management. The healthcare community is strongly urged, at every step in the process, to carefully adopt and integrate the protections afforded by all relevant facets of information technology and electronic security.

Strategies to mitigate cybersecurity risks

Healthcare organizations should work proactively with experts in the relevant domains to recognize and mitigate potential cybersecurity risks. Healthcare professionals can:

  1. Identify risky circumstances: Facility-loss and cybersecurity experts can identify the types of circumstances that may result in economic damage or other, less-understood harm to the operation of the practice. The exact nature of these harms varies by business model, but potential negative events include civil liability; contract violations; administrative complaints to governmental oversight agencies, which can trigger investigations; and highly detrimental, often defamatory, social media postings that can injure the reputation and ongoing financial stability of the practice or institution.
  2. Coordinate with insurance professionals: Agents and brokers specializing in healthcare performance and cybersecurity can determine the types of protection needed to address probable risks. Practitioners can work with them to complete a risk evaluation that assesses exposure from numerous sources, such as medical malpractice claims, general premises liability, corporate errors and omissions, workers’ compensation, and cybersecurity. Related coverages are designed to protect against complications that may impair a clinician’s ability to continue practicing medicine or dentistry unimpeded by administrative restrictions or monetary sanctions. Developing a comprehensive risk assessment before a crisis occurs is critical to ensuring continuity of professional services and operational integrity when an unforeseen adverse event does occur.
  3. Coordinate with business partners: Healthcare providers, working closely with their insurance carriers, can coordinate with business partners to develop policies and procedures that evaluate and address risks. A proactive analysis helps the organization target its efforts on best practices while remaining consistent with prevailing community standards, which will evolve over time. Clinicians and their practice management teams should institute routine periodic audits of office policies to confirm that practice protocols are applied uniformly, updated at regular intervals to comply with evolving standards, and properly and promptly documented in administrative files. Such documentation allows the facility to prove, with competent and convincing evidence, that due diligence was exercised to protect patients and business associates if a security breach results in civil or administrative proceedings seeking monetary damages or institutional sanctions. Following such a strategy decreases the likelihood of harm from both existing and yet-unknown threats, while enhancing transactional efficiency.

Although the U.S. healthcare system is famously fragmented, entities are connected to one another. Where one organization is vulnerable, it may inadvertently open the door to attacks on others. Likewise, each entity that maintains strong cyber protections protects itself and each of its partner organizations, and by extension, the integrity of the entire U.S. healthcare system.

Photo: boonchai wedmakawand, Getty Images


Rich Cahill is currently Vice President and Associate General Counsel with The Doctors Company and provides legal support to the Claims and Patient Safety Departments, oversees company appellate litigation, and also lectures frequently on topics related to health care.

Mr. Cahill received his undergraduate degree (summa cum laude) from UCLA in 1975 and his Juris Doctorate from Notre Dame Law School. He served as a deputy district attorney in California at the outset of his career and was subsequently appointed as counsel on the Central Legal Staff of the Nevada Supreme Court before entering private practice in California.

Mr. Cahill has specialized in various facets of health care litigation for 39 years, including the defense of hospital and physician professional liability claims, managed care contract disputes, network privileges issues, and related business torts. He has completed in excess of 185 trials and binding arbitrations with a combined win rate of 92%. He has a preeminent rating with Martindale-Hubbell, the premier peer-reviewed attorney rating service in the United States.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.