In recent years, the health care industry has become susceptible to cyberattacks and lags behind other industries when it comes to cybersecurity. The shift from paper records to electronic records has left the industry with a difficult challenge: improving patient experience with online charts and quick turnaround of results, while simultaneously protecting all patient information. In order to understand the magnitude of the risk of insecure patient records, health care providers need to recall the vulnerable information they retain from patients, including social security numbers and credit card information. Due to the vast amount of valuable information available, it is no surprise that when broken down by industry, health care was the second-most attacked industry. Cyber breaches alone cost the health care sector $6.2 billion each year. For most industries, negative financial consequences is the worst case scenario. In the healthcare industry, however, there is much more at stake: a patient’s health.
What’s the prognosis?
On the brink of a cyberattack, concern is quickly focused on the patient. There is little argument that this is exponentially important, but the long-term financial consequences must also be considered. For example, a ransomware attack could cause healthcare providers to jump to the first solution without considering the lasting effects. Ransomware is a form of malware in which your access to systems or data is held hostage until a “ransom” is paid. In 2018, almost half of the ransomware incidents reported involved health care companies. Ransomware attacks are practically dangerous for the health care industry since loss of control of systems or loss of access to data can put a patient’s life at risk. If the ransom is paid in order to regain control of software systems, the financial consequences can have a lasting effect. Following any form of data breach, health care professionals are likely to be distracted from patient care and funds that could be used towards patient care may have to be used to restore systems. The average health care organization had to spend $1.4 million to recover from a cyberattack. In order to fix some of the damage to public image following a security breach, a health care system may have to spend almost three times more on advertising than it would normally spend, adding another financial burden. In addition to the financial consequences, the intangible consequences must also be considered. According to a study, 54 percent of patients said they would be likely to change providers after a security breach. Since health care runs on trust, it is critical that providers are able to maintain the trust of their patients. Patients are more likely to limit communication with their doctors if they feel they cannot trust that their information is secure, and without a full picture from a patient, providers are restricted in their ability to treat patients. Data suggests that more than 2,100 patient deaths annually could be attributed to hospital data breaches. Researchers explained that a data breach both diverts funds from patient care and distracts physicians for years after the attack.
Prevention is key
The health care industry is very susceptible to cyberattacks and the aftermath could be detrimental. Follow these tips to prevent a cyberattack: • Take the time to identify potential inefficiencies in cybersecurity. The US National Institute of Standards and Technology offers guidance on assessment and improvement in an organization’s ability to prevent, detect, and respond to cyberattacks. The five key functions outlined in the framework are (1) identify, (2) protect, (3) detect, (4) respond, and (5) recover. • Ensure employees are properly trained: Human error is the leading cause of data breaches today. Employers need to educate employees on the basics of cybersecurity. Additionally, employees need to be informed that cybersecurity is the responsibility of all employees. If employees are trained to spot suspicious communications (such as phishing emails) and are able to report it to IT in a timely manner, the threat can be diverted before it is too late. Employee training programs also help create a culture that is focused on security. • Limit accesss: Access to information should only be granted to those that need to use or view the data. Physical access should be controlled as well. Computers and other electronics that contain protected information should be physically locked to an area. • Make sure systems are regularly backed up and that the backups are secured and easily accessible. Taking immediate action when faced with a cyberattack is the first step to recovery. The more prepared an organization is, the sooner it will be able to identify and respond to an incident. UHY Advisors has an experienced cybersecurity team to arm your employees and your practice against cyber attacks.