The Cybersecurity Imperative for Hospitals
8/1/2024
This article first appeared as a column in the August 2024 issue of South Florida Hospital News.
By Mary Mayhew, FHA President and CEO
Last month, there were two bleak reminders of the ever-present threat of cyberattacks in health care and the need for constant vigilance as part of ongoing emergency preparedness and response investments. Hospitals are active participants in deterrence against what are not just meddlesome troublemakers but are often organized, highly sophisticated, state-sponsored threats to public infrastructure, health, and safety.
The first reminder was an unprecedented joint advisory by the Cybersecurity and Infrastructure Security Agency, National Security Agency, FBI, and several international agencies warning of a state-sponsored cyber group in China. The organization, known by multiple names, has a history of theft of medical research related to infectious diseases, with the American Hospital Association warning that the group “may pose a particular risk to health care organizations that have significant unpatched internet-facing vulnerabilities and are engaged in sensitive medical research and innovation.”
The second was news that the Florida Department of Health was subject to a ransomware attack, possibly affecting 100 gigabytes of personal data in its Bureau of Vital Statistics.
Health care is the number one target for hackers and cyberterrorists, including nation-state actors. In 2023, there were more than 500 health care attacks, with the average cost of those attacks nearing $11 million, almost double the cost of attacks against the financial industry. Office of Civil Rights data reveals that, since 2020, 75 percent of U.S. citizens have had their personal health information compromised by cybersecurity attacks. Hospitals are both the primary targets of attacks and, in the case of the Change Healthcare breach, secondary victims. While hospitals were not targeted in that breach, hospitals and patients were not spared the consequences.
The Change Healthcare attack was unprecedented in its scope and impact and placed a significant emphasis on the cybersecurity practices and protocols of third-party companies working with health care providers. Change Healthcare, a behemoth company, processes 15 billion health care transactions annually and touches 1 in 3 patient records. The company processes $2 trillion in health care payments each year out of the total $4.5 trillion spent on health care in the U.S. The attack against one of the country’s largest health care companies had significant consequences for patients and the hospitals, health systems, and other providers who care for them. In some communities, patients struggled to obtain prescriptions or experienced delays in scheduling care or receiving and paying bills. A survey from the American Hospital Association representing nearly 1,000 hospitals found that 74 percent reported direct patient care impact, including delays in authorizations for medically necessary care.
The monthly cash impact of the attack and subsequent loss of services on Florida’s hospitals alone was $1.3 billion.
From ransomware and phishing scams to e-mail bombing and malware, the threats are real. And they are evolving at a very rapid pace.
Hospitals are taking extensive prevention and protection measures against cybercrime, while enhancing their response plans and actions with a focus on continuity of care. Identifying and prioritizing the risk to essential services, like pharmacy, medical records, laboratory, and radiology and imaging services, is mission-critical to enhance safeguards and operational continuity. Hospitals have designated response team members to develop clinical continuity procedures, tools, and resources, and to train their employees on how best to function through extended downtimes.
This commitment is expensive, but for Florida’s hospitals that prioritize patient care and community service above all else, the cost of not investing in that security is far greater.
Cybersecurity is a new battlefield and a threat to domestic security, and hospitals are on the frontlines of patient care, of emergency response, and, increasingly, of defense against malevolent actors.