Cyberattacks have been in on the upswing since the start of the COVID-19 pandemic. According to a recent white paper from Crowdstrike and Medigate, 82% of health systems experienced some form of cyberattack from March 2020 to September 2021, and 34% of the reported attacks involved ransomware. Interestingly, 33% reported paying the ransom, but only 69% of those who paid the ransom reported having their data fully restored. Crowdstrike is a cybersecurity technology company based in Sunnyvale, California, and Medigate is an international clinical device data security and integration platform company that has headquarters in Brooklyn, New York.
“Physicians in private practice know they are especially vulnerable to cyberattacks,” said Thomas Finn, director of business development at Medigate. “They cite HIPAA penalties as a concern, right along with interruptions to the running of their practices, and the impacts to patient safety as their top worries.”
The Crowdstrike/Medigate paper emphasizes the need for health care delivery organizations (HDOs) to harden their security infrastructures via a renewed focus on defense fundamentals. The report covers various capabilities that health systems should consider in defending their organizations against advanced threats. During the first lockdown of the pandemic, the volume of attacks shot up dramatically and continues to rise. These attacks represent a triple threat because in addition to seeking payment from the HDO, they also coerce payments from patients and business partners.
Medical Files ‘Highly Prized’
“In terms of value, medical files are highly prized because they can be monetized in a variety of ways,” Finn said. “Fake claims to defraud payers often place false diagnosis and treatment information into the medical records of patients whose data was stolen.”
The privacy enforcement standards under HIPAA set substantial penalties for violations related to the theft of private health information (PHI). The recent passing of the HIPAA Safe Harbor Law essentially incentivizes the entire industry to take the steps required to secure PHI, which now includes connected medical assets, Finn said. “The FDA recently recalled nearly a half million pacemakers because of a discovered hacking vulnerability,” he said. “And as we know, private practices are now using telehealth and remote patient monitoring, so once again, they are even more vulnerable now.”
Potentially Devastating Penalties
Penalties for these types of HIPAA violations are based on how proactive a medical practice was at preventing cyberattacks. In some cases, the penalties can be devastating. Some practices are running up 6 figure annual cybersecurity bills. “The amounts can be $250,000 per year for a small physician practice or as much as $400,000 annually for a larger one,” Finn said. “Regardless, a health system that is well-defended from cyberattacks and still suffers a negative experience is obviously better positioned to deal with all the potential liabilities.” Finn said.
Health systems and private practices that do not feel compelled to take the right defensive steps are now viewed as negligent. Health care is a target due to its vulnerable attack surface and the financial payoff from selling the stolen information. “If you were a cybercriminal, where would you focus?” Finn said, adding there are many ways to monetize medical records. “A credit card can be shut off. You can’t shut off your medical history. You don’t get a do-over and the cybercriminals know this,” Finn said.
This article originally appeared on Renal and Urology News