Cybersecurity In Hospitals: Are You Prepared?

Impact of Healthcare Data Breaches: A Call to Action

A recent IBM report on cyber security reported that healthcare data breaches cost the industry almost $11 million in 2023. That is almost twice as much as in the financial industry. It represents an increase of 53% since 2020.

This should be a wake-up call for hospitals because there are plenty of horror stories in the news to support these findings.

In December 2023, a hacking incident at a Missouri hospital exposed significant amounts of private patient data. Their website reported that an unauthorized party “may have viewed or taken certain information stored on the network during this time.” For more on this, see the article in Becker’s Hospital Review.

In another recent case, hackers breached Chicago’s Lurie Children’s Hospital’s network, forcing the healthcare provider to take its computer systems completely offline. That required shutting down email, phones, electronic health record systems and their patient portal to protect further data breaches according to Cybersecurity Dive.

Ransomware Can Be Even More Devastating

Exposure of patient data isn’t the only danger in a hospital cyberattack. According to a Verizon report, 70% of cyberattacks involve ransomware, a practice in which the hacker commandeers systems containing large amounts of private data and holds it hostage, demanding enormous amounts of money to restore it.

One hospital in Ontario, Canada experienced this first-hand. Their ransomware attack in 2021 has taken years to overcome. The initial breach occurred in the hospital pharmacy when a folder in one of the programs was unzipped by an employee. That seemingly simple action unleashed a cyber-nightmare, allowing an experienced hacker to immediately seize control and hold hostage all applications, records, and systems throughout the entire hospital. The price they demanded to restore it was two million dollars!

Instead of Paying The Demands, The Hospital Got To Work

While their Medi-Tech health information system was down, their medications cabinets still had patient profile information. Fortunately, there were nurses on the team with years of experience in manual medications management. Their experience paid off. They were able to revert to traditional ways of organizing medications, repackaging them from bulk to unit doses and handwriting pharmacy labels.

An assembly line was created to check and double check each patient’s medications needs. Eventually, thanks to more experienced staff and hands-on knowledge of individual patients’ needs, the hospital pharmacy employees were able to devise a system that would ensure that the proper medications and dosages were administered to patients.

This process of handling the hospital cyberattack, however, was costly. Staff found themselves working twenty-hour days. Other important tasks were put aside. Younger employees who were used to automation had to be coached step-by-step through the manual process.

It took a few weeks of tedious, time-consuming, and stressful manual workarounds to get the hospital pharmacy back on track. If there is a silver lining to this disastrous event, it comes in the form of preparation for potential future attacks.

The team poured all that they had learned from the crisis into a special project they refer to as their hospital pharmacy cyberattack “tackle box”. Included are instructions, protocols, and supplies to help ensure that employees were ready in the event of another cyberattack.

Hospitals Are Partnering With IT Professionals To Help Keep Their Systems and Data Safe 

The risk of hospital cyberattacks has increased so dramatically that hospital leaders are turning to skilled IT professionals. 

According to Healthcare News IT was once a largely commoditized service but now IT is being transformed into a strategic partnership as hospitals rely more heavily on specialized skills and experience that go far beyond simply maintaining software and supporting end users.

Hospitals Must Work Together To Be Prepared For A Potential Cyberattack

The American Hospital Association has created guidelines to help hospitals avoid a cyberattack, as summarized below: 

• Collaborate. While IT is key, expand involvement to include other stakeholders such as clinical staff and emergency managers. Hospital leaders should also work within the greater community and engage with other health care organizations and professionals.
• Anticipate. Operate under the assumption that a cyberattack is going to occur and work through the issues associated with it. That should include educating the entire staff and conducting regular drills and exercises to optimize response times and ensure that protocols are in place.
• Prepare. Build a best practices approach to cybersecurity. That should include investing in research to compare and evaluate cybersecurity interventions. Develop a cyber disaster plan to help ensure continuity of care in the event of an attack.
• Evaluate. Take time to analyze new technologies and evaluate new vendors. You should demand accountability from all vendors and they should be able to demonstrate security measures they are taking.
  
  

Vendors and other partners who are HITRUST certified may have an advantage as well. HITRUST is a framework that emphasizes cyber security as well as the adherence to best practices standards. 

The potential for hospital cyberattacks will only increase as more data is accumulated and shared across applications and networks. Now is the time to work together with your IT team and stakeholders to create programs with protocols that optimize data security and minimize the potential of a cyberattack. Hospital leaders who take the time to do so will help create models for the future to deter hackers and keep records and patients safe.