Russell Branzell
President and CEO, College of Healthcare Information Management Executives (CHIME)
Last spring, cybercriminals hacked a Michigan-based medical practice’s computer system and then demanded a ransom payment to decrypt patient medical records. The breach made headlines but not because it was a rare occurrence.
In 2019, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) received on average one healthcare data breach report a day, with more than 38 million healthcare records exposed by November 2019. What differed in this case was the outcome: the physician owners refused to pay the ransom, the attackers wiped out all patient records, and the owners closed their practice.
A growing problem
Attempted cyberattacks on healthcare organizations have grown sharply in the past several years, fueled by opportunity and greed. As the healthcare sector has become increasingly digital, its attack surface has grown with it, and it has become more vulnerable to cyberattacks.
The data patients entrust to their healthcare organizations is an attractive commodity on the black market and dark web. While a stolen social security number may be worth $1, a full electronic medical record may fetch up to $1,000, according to Experian.
It is difficult for health organizations to keep up with sophisticated cybercriminals, who often operate in organized groups and may be sponsored by nation states. Their strategies change over time, too. Some have shifted from data theft to ransomware, with devastating effects. The global WannaCry ransomware attack in 2017 spread to more than 150 countries, infected hundreds of thousands of computers, and reportedly cost an estimated $4 billion.
Healthcare was not spared. A total of 45 organizations and 37 trusts in the UK’s National Health Service were compromised, forcing hospitals to shut down their electronic systems and switch to paper, divert emergency care patients, and cancel elective surgeries and appointments. Some health systems and business associates in the United States were also affected.
At risk
Breaches are not mere nuisances for patients — they pose a significant safety threat. Missing and compromised data puts patients at risk of real harm, and malicious actors can manipulate infected medical devices to deny lifesaving care.
According to an analysis of the College of Healthcare Information Management Executives’ Most Wired survey data, only 30 percent of respondents had a comprehensive security program in 2019. The analysis showed most organizations are taking some, but rarely all, recommended steps to mitigate risk and minimize the damage when a breach occurs.
This is both promising and concerning. The healthcare sector is making progress but is it fast enough? For one now-defunct medical practice, the answer is no.