As of Monday, healthcare providers had already reported more than 330 data breaches to HHS’ civil rights office this year. The number of patients affected by these breaches in 2023 is nearly 41.5 million, a figure quickly approaching 52 million people — the total reported for the entirety of last year.
Just this month, HCA Healthcare — the largest for-profit health system in the country — suffered a data breach that impacted 1,038 hospitals and physician clinics across 20 states. To prevent the proliferation of data security incidents like this, healthcare organizations must examine their use of legacy systems as well as their reliance on third parties, according to a report released Thursday by cybersecurity firm Trustwave.
“The healthcare industry is characterized by highly specific challenges — like heavy usage of custom applications, numerous third parties and an unwavering dedication to patient care — that give rise to a unique cybersecurity risk profile,” said Karl Sigler, senior security research manager at Trustwave, in a recent interview.
He added that the nature of health-related data makes it highly valuable and attractive to cybercriminals. They exploit this information by selling it in underground markets or using it to extort money out of patients and providers, he said.
The report pointed out that many providers continue to use legacy systems that are no longer supported by vendors or are difficult to patch and update, such as outdated IT systems or medical devices that rely on old versions of software. Since these systems pose heightened vulnerability to cyberattacks, healthcare organizations should adopt additional safeguards, Sigler declared.
“It’s a double-edged sword because while healthcare providers should always prioritize patient safety and avoiding unexpected disruptions, it’s those same factors that lead healthcare organizations to be more cautious about adopting software patches or making changes that may be essential from a cybersecurity standpoint,” he explained.
The Trustwave team tracked how long it takes its healthcare clients to remedy issues reported to them after a cybersecurity assessment, and it found that it takes them two months to do so, Sigler said. This lag exposes a security gap that hackers “will always take the opportunity to exploit,” he noted.
This problem is especially prevalent among medical devices and hardware. Medical device hardware often remains active for 10-30 years, but providers don’t always remember that they need to update the software used in these devices every couple of months or so, Sigler said.
Third-party reliance is also a major concern that healthcare organizations need to probe. It’s extremely common for providers to do business with numerous third parties, but it does create an increased attack surface, Sigler pointed out.
“Unfortunately, cybercriminals often target these third parties as a strategic maneuver — if they successfully breach a third-party vendor, they gain access to some or all of that third-party vendor’s customer base. This poses a significant threat to healthcare organizations since many of these vendors lack strong cybersecurity measures and data breach protection,” he explained.
Working with third parties is usually unavoidable for providers, so Sigler recommended they examine their partners’ cybersecurity measures more closely. He said healthcare organizations fail to assess their external vendors’ data security protections “far too often.”
Taking a closer look into third-party partnerships and the use of legacy systems not only yields benefits in safeguarding patients’ privacy, but also proves critical for keeping costs down — the report revealed that the average cost of a healthcare data breach is $10.1 million.
Given the sensitive nature of healthcare data and the stringent regulatory obligations to which providers must adhere, the financial repercussions of a data breach within the healthcare industry “far surpasses” those faced by other sectors, Sigler declared.
“Healthcare faces much stricter regulations like HIPAA that require them to not only protect personal health information, but also report data breaches to consumers as well as the government. The added strain of those processes and the resulting fines add to the overall cost,” he said.
Cyberattacks also often cause downtime at hospitals, leading to even more money loss, Sigler pointed out. Scripps Health’s 2021 data breach is an example of this — the San Diego-based health system not only paid $3.5 million to the victims of the breach, but it also reported a $113 million revenue loss due to a month-long system outage.
Photo: da-kuk, Getty Images