The Deadly Consequences of Healthcare Cyber Attacks
Healthcare cyber attacks? According to the BlackBerry Cylance 2020 Threat Report, 9% of all ransomware attacks targeted the healthcare industry, a trend with life-and-death consequences for patients.
The breach of financial records tends to get the majority of media attention, but the silent threat of healthcare data attacks has emerged as a catastrophe waiting to happen. While customer financial records are valuable to cybercriminals, the records are quickly and easily changed once the breach is identified. Credit card and account numbers are canceled. New passwords are installed. But health records never expire. They are for life. That’s why medical records sell for 10 times more on the dark web than credit cards.
In fact, it is almost three times more expensive to remediate a healthcare data breach than a breach in other industries, averaging $408 per stolen healthcare record versus $148 per stolen non-health record. In the context of a whole data breach, this can quickly add up to tens or hundreds of thousands of dollars for a mid-sized medical practice.
More importantly, the medical nature of the industry poses a unique threat when electronic records are attacked, modified, or held ransom in health care settings. The health needs of patients can be immediately impacted, sometimes with disastrous consequences.
This week saw the largest medical cyberattack in United States history when Universal Health Services, with more than 400 locations across the country, was infected with what appears to be ransomware that shut down all networked computers. In the middle of a COVID-19 pandemic and with almost all records and processes moved online over the past few years, the hospitals were thrown into chaos as medication dispensing, medical histories, and lab tests were suddenly all in jeopardy or completely eliminated. The truth is, the full effects of the attack will only be known in the weeks to come as patient outcomes are revealed.
This wasn’t the first time the healthcare industry has been attacked by cyber thieves. In 2017, a WannaCry ransomware attack hit computer systems in 150 countries, including the United Kingdom’s National Health Service. This led to ambulances being rerouted, surgeries being canceled, and patient outcomes being gravely impacted. In fact, in early September, we saw what may be the first known death from a ransomware attack when a patient died in Germany after having to be moved to another hospital because the hospital was affected by a cyber attack.
And the large healthcare companies are not the only targets: 83% of doctors reported experiencing a cyberattack at their own practice, according to the American Medical Association.
So, why do cybercriminals want to steal your medical records anyway? While most patients may think of doctor’s questionnaires and hospital forms as a boring chore to be trudged through before they can see their physician, the reality is that those forms contain a treasure trove of information for criminals willing to exploit our most vulnerable data. Our medical records include everything from payment information to biographical data to health history. That type of information can then be used for identity theft, healthcare fraud, and fake claims, or even treatment manipulation to harm patient targets.
To protect your own medical practice, you should perform a complete information technology (IT) security assessment of your office. The assessment should cover all networked computers (particularly connected medical devices, which provide an easy entry point for hackers), record backups, and employee training in security risks and in how to revert to pen-and-paper record-keeping in the aftermath of an attack.