Healthcare information systems have become lucrative targets for cybercriminals, experiencing an exponential rise in attacks. Reports suggest that cyberattacks on hospital systems almost doubled last year, rising from 25 to 46, with each attack affecting multiple healthcare facilities. According to a threat analyst at Emsisoft, the 46 systems represented a total of 141 affected hospitals.
Increasing cybersecurity concerns have given rise to national legislation designed to enhance protections, notably within the U.S. Department of Health and Human Services (HHS) jurisdiction. Lawmakers across party lines have proposed the “Strengthening Cybersecurity in Health Care Act”. This legislation would require the HHS to conduct regular audits of its systems and provide biannual reports on measures taken and the progress achieved.
Hospitals and large health systems aren’t the sole entities at risk. Attacks have been noted across smaller health service providers as well, ranging from local ophthalmology groups to nationwide fertility clinic operators. For instance, a Colorado ophthalmology group faced an attack affecting 6,000 patients. Moreover, a service provider operating multiple fertility clinics proposed a $5.75 million settlement following a data breach affecting nearly 900,000 patients.
The gravity of these cybersecurity threats is far-reaching, often imposing significant, time-sensitive ransoms on healthcare organizations. In a recent attack, a Chicago hospital was given only two days to pay a ransom of $900,000 or risk patient data leaks. These attacks disrupt services and can lead to substantial financial implications for the targeted entities.
Another alarming concern is the potential misuse of breached data. For instance, last year, a Pennsylvania health network suffered a data breach that resulted in cancer patient photos being posted to the dark web. Such incidents carry the risk of personal embarrassment for patients and potential non-compliance issues for the organizations involved.
The HHS responded earlier this year by introducing a set of healthcare-specific cybersecurity performance goals. These goals seek to aid the healthcare sector in emphasizing key security safeguards. The proposed “Strengthening Cybersecurity” legislation would supplement these goals, requiring the HHS to report biennially to Congress outlining how the agency is identifying and addressing vulnerabilities.
As the pace of cyberattacks increases, the need for robust cybersecurity measures across the healthcare sector is more critical than ever. Beyond just legal compliance, these measures have a direct bearing on patient welfare and trust in healthcare institutions.