It’s been a month since Hollywood Presbyterian Medical Center joined the ranks of Premera Blue Cross, Anthem, CareFirst BCBS, and a considerable number of other healthcare institutions that have experienced recent hacks where personal patient data might have been exposed.
While it may have played out like the plot of a bad “cyber”-thriller movie, the nightmare is not long forgotten by Hollywood Presbyterian, which was forced to pay a $17,000 bitcoin ransom to regain control of its computer systems and digital medical records after a ransomware attack.
Unfortunately, that payment is only a tiny fraction of what a breach like this costs a healthcare organization.
While some institutions take more precautions to protect themselves than others, I believe there are three fundamental reasons healthcare organizations are at heightened risk:
1. They are often wealthy entities with large sums of money, and they are very worried about reputational damage.
2. An individual healthcare record is worth 10 times more than a credit card number on the black market.
3. A hospital system’s care delivery is centralized in the electronic medical record system (EMR) – a single point of failure if that system is compromised.
To get a better picture of the financial implications of a breach, consider the following:
Forensic investigation of IT systems
In order to resolve existing vulnerabilities and protect against future attacks, healthcare institutions must pinpoint the origin and method of the infiltration. Computer forensic investigators analyze data from computers across the institution to determine which devices were compromised by unauthorized access.
According to InfoSec Institute, the cost of a computer forensic investigation varies greatly ($100-$600 per hour), depending on the number and types of systems involved and the complexity of the recovery of evidence.
HIPAA fines for compromised personal health information (PHI) and associated lawsuits
HIPAA-covered entities may be subject to steep penalties for violations, ranging from $10,000-$25,000 per violation, up to $1 million per year.
In addition, wrongful disclosure of ePHI can carry fines of $50,000 and imprisonment of up to one year.
Overhauled IT security and communication infrastructure to prevent future incidents
Hollywood Presbyterian will need to reevaluate its business continuity and disaster recovery plans. As a result of inadequate planning, the hospital lost revenue when it was forced to transfer patients to other nearby medical centers, all the while continuing to pay for overhead expenses and salaries.
As you can see, the expenses add up quickly. But the above-mentioned damages don’t even begin to factor in the negative impact on brand and patient trust, both of which are extremely important to healthcare institutions and are time- and resource-intensive to rebuild.
For the 6,000 healthcare organizations in the U.S., the Hollywood Presbyterian incident should serve as a wake-up call to take immediate steps to protect themselves and their patients from ransomware infections, hacks and other similar attacks.
So, that raises the question: how can organizations best mitigate risk and avoid costly breaches at the hands of ransomware and other threats?
First off, resources need to be allocated for IT infrastructure maintenance and security. Next, the use of non-encrypted communication tools for sharing PHI – including email – should be greatly reduced or completely eliminated, as this is one of the more vulnerable areas and among the easiest to fix.
Keeping IT systems on the latest software updates helps maintain the security of the entire infrastructure. Good hygiene also includes performing regular scans for viruses, malware, ransomware and spyware; backing up data frequently; and changing passwords on a regular basis. It is equally important to protect servers, desktops and all mobile devices on the network.
If regular updates are not made across the entire infrastructure, you significantly increase the risk of attacks that penetrate the network and result in data loss and costly HIPAA violations. However, who is to say that the risks stop at data loss?
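The advice above (patching, backups, password rotation, encrypted channels for PHI, covering servers, desktops and mobile devices alike) only helps if someone actually measures it. The script below is an added example, not code from the original post or from any product it describes: it turns those steps into concrete checks over a constructed asset inventory. The hostnames, dates, threshold values and the list of channels treated as encrypted are all assumptions chosen for illustration. The check that a backup copy is kept offline or otherwise isolated goes slightly beyond the post, since ransomware that reaches an online backup share can encrypt the backups as well.

```python
"""Hygiene audit over a constructed healthcare asset inventory (added example)."""
from datetime import date
from typing import Dict, List

# Thresholds are assumptions for illustration, not figures from the post.
MAX_PATCH_AGE_DAYS = 30
MAX_BACKUP_AGE_DAYS = 1
MAX_PASSWORD_AGE_DAYS = 90
# Channels assumed acceptable for PHI; plain email is deliberately absent.
ENCRYPTED_CHANNELS = {"secure_messaging", "sftp", "tls_portal"}

# Constructed inventory: one well-maintained EMR server and one neglected laptop.
INVENTORY: List[Dict] = [
    {
        "host": "emr-db-01", "role": "server",
        "last_patched": "2016-03-01", "last_backup": "2016-03-14",
        "backup_offline": True, "password_rotated": "2016-01-10",
        "phi_channels": ["secure_messaging"],
    },
    {
        "host": "nurse-laptop-07", "role": "mobile",
        "last_patched": "2015-11-20", "last_backup": "2016-02-01",
        "backup_offline": False, "password_rotated": "2015-06-01",
        "phi_channels": ["email"],
    },
]
TODAY = date(2016, 3, 15)  # constructed "as of" date for the audit


def _age_days(iso_date: str, today: date) -> int:
    """Days elapsed between an ISO-8601 date string and the audit date."""
    return (today - date.fromisoformat(iso_date)).days


def audit_asset(asset: Dict, today: date) -> List[str]:
    """Return a list of findings for one asset; an empty list means it passes."""
    findings: List[str] = []
    host = asset["host"]

    patch_age = _age_days(asset["last_patched"], today)
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"{host}: last patched {patch_age} days ago")

    backup_age = _age_days(asset["last_backup"], today)
    if backup_age > MAX_BACKUP_AGE_DAYS:
        findings.append(f"{host}: last backup {backup_age} days ago")

    # An online-only backup is reachable by the same ransomware that hits the host.
    if not asset["backup_offline"]:
        findings.append(f"{host}: no offline/isolated backup copy")

    pw_age = _age_days(asset["password_rotated"], today)
    if pw_age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"{host}: password last rotated {pw_age} days ago")

    for channel in asset["phi_channels"]:
        if channel not in ENCRYPTED_CHANNELS:
            findings.append(f"{host}: PHI shared over unencrypted channel '{channel}'")

    return findings


def audit_inventory(inventory: List[Dict], today: date) -> Dict[str, List[str]]:
    """Audit every asset regardless of role (servers, desktops and mobile alike)."""
    return {a["host"]: audit_asset(a, today) for a in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, TODAY).items():
        status = "PASS" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run as-is, the script reports the EMR server as passing and lists five findings for the laptop: stale patches, a stale backup, no isolated backup copy, an old password, and PHI going over email. In practice the inventory would be fed from a patch-management or asset-tracking export rather than hard-coded, and the thresholds set from the organization's own policy.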
The potential for something more nefarious is real, which is all the more reason why organizations must adopt safeguards to protect themselves and their patients.