This year was a hard one when it comes to organizations protecting their data — across all industries, not just healthcare. And experts predict that 2023 is unlikely to be any better.
Cybersecurity incidents involving patient data hit an all-time high in 2021 — more than 50.4 million patient records were compromised. As the end of 2022 approaches, it looks like the record could be broken again. A closer look at the breaches offers some clues as to how they can be avoided, although health systems should continue to invest in cybersecurity protocols, experts said.
In 2021, health organizations reported a total of 714 incidents in which 500 or more patient records were breached. Between January 1 and October 31 of this year, 594 such data breaches have been reported, an average of about 60 per month.
Just like last year, most of this year’s biggest healthcare data breaches involved third-party vendors.
For example, Advocate Aurora Health, a health system based in Wisconsin and Illinois, announced in October a data breach that affected 3 million people. Advocate Aurora said the breach involved Meta Pixel, third-party analytics software it had installed on its website and patient portal. North Carolina-based Novant Health and Indiana-based Community Health Network also reported data breaches this year stemming from the use of Meta Pixel – both incidents compromising information on more than a million patients.
Institutions such as HHS and ECRI issued alerts this year warning vendors of the cybersecurity risks associated with using third-party analytics tools. Tools like Meta Pixel, Google Analytics, and Adobe Analytics are usually free and can give providers insight into how users use their websites, but the technology companies that provide this software can also use patient data to profile internet users as they browse.
This disclosed patient data may be misused to personalize ads based on users’ medical conditions. Such inappropriately targeted ads could push unproven treatments and lead patients not to seek appropriate care. Additionally, disclosure of sensitive patient information can lead to fines, legal action, and patient mistrust of providers, according to the HHS and ECRI reports.
A data breach also has a direct impact on patients’ lives, said Mike Howie, founder of the healthcare software company Source Meridian.
“Research points out how cyberattacks against healthcare organizations have caused more than 20% to experience an increase in mortality,” said Howie. “In one case, Broward Health reported a breach that affected more than 1.3 million people — and the health system says the incident happened because someone gained access through a third-party medical service provider.”
While third-party data breaches and ransomware are the most common threats to the healthcare industry, medical device security is a growing concern, Howie said.
As more medical devices connect to the Internet, healthcare providers will continue to see a rise in hacks, according to a study from software review and selection platform Capterra. The company found that healthcare organizations with more than 70% of their devices connected to the Internet are 24% more likely to experience a cyberattack than organizations with 50% or fewer devices connected.
It’s important to remember that data breaches can be incredibly costly to healthcare systems. Research shows that a single data breach costs a healthcare organization an average of $4.3 million.
Zach Capers, Capterra’s senior security analyst, said his company conducted extensive research this year that found downtime to be the biggest impact of a ransomware attack.
“A lot more money goes into downtime than actually paying for the ransomware,” he said. “You’re looking at lost patient care, disruption of schedules and moving patients out of intensive care. In this situation, every minute counts and it actually affects people’s safety from a health care perspective.”
The safety point that Capers raised is another important consideration to remember. For example, CommonSpirit suffered a ransomware attack in October. Because of the resulting outage, a 3-year-old in Iowa was given an inappropriate dose of pain reliever, which almost killed him.
Healthcare providers are not doing enough to protect themselves from these compromising situations, Capers said. His research shows that 57% of providers don’t always change the default username and password on every new connected medical device they deploy, and 68% don’t always update their connected devices when a cybersecurity patch is available.
Looking ahead to next year, cybersecurity leaders aren’t very confident in their ability to fend off threats, according to a recent survey by the software firm Ivanti. One in five cybersecurity leaders say they wouldn’t bet a piece of candy on their organization’s ability to protect against a data breach in 2023.
Ransomware attacks, cloud attacks and weak medical device security will continue and grow in the coming year, Howie predicted. According to him, the lack of cybersecurity expertise in the healthcare sector is a key reason why these threats continue to proliferate.
“In my opinion, the most powerful resource a healthcare provider can acquire is training their employees to defend against cyberattacks. Historically, the healthcare industry has been slower to adopt and implement emerging technologies, and training can play an important role here,” Howie said.
As cyberthreats only seem to get worse, healthcare leaders in general plan to increase their cybersecurity budgets for increased training and infrastructure, according to Ivanti’s research. The report projects that cybersecurity budgets will increase by 11% in 2023, well above projected inflation.
While providers face strong economic headwinds, a robust cybersecurity budget will be needed next year, said Chris Bowen, CISO and founder of the healthcare cybersecurity company ClearDATA.
“With the introduction of each new healthcare application or technology, the attack surface multiplies and the need to protect the environment grows. Patients will demand it, attorneys general and the Office for Civil Rights will investigate it, and class action lawyers will continue to profit from it. To meet these demands, healthcare organizations will increase cybersecurity budgets – in some cases by more than 15% compared to 2022,” said Bowen.