Cyber attacks on hospitals and healthcare organizations are becoming a regular occurrence, prompting cybersecurity to become a top priority for the industry’s leaders. In 2018, the average cost of a cyber attack was $3.62 million, in addition to a damaged reputation.
Three Hospitals Suffer Cyberattacks in February
The month of February saw three major cyber attacks on the healthcare industry.
Easton Hospital, CHS Reach Settlement
Between April and June 2014, Easton Hospital and Community Health Systems (CHS) in Easton, Pennsylvania incurred a data breach that affected 4.5 million patients throughout the hospital network. The breach, which is believed to have originated in China, included patient names, addresses, birthdates, telephone numbers, and Social Security numbers.
The data breach led to a number of lawsuits. On February 1st, those affected by the breach began receiving notices about a court settlement that would provide two types of payments for qualifying patients. $250 will be given for out-of-pocket expense and documented time lost from the data breach; or up to $5,000 for losses due to identity fraud or identity theft stemming from the cyber attack.
Catawba Valley Medical Center
On February 4th, Catawba Valley Medical Center in Hickory, North Carolina, suffered a cyber attack that impacted 20,000 patients. Officials from the hospital said patient names, birthdates, Social Security numbers, and health information were compromised. As in many cyber attacks, the medical center’s network was compromised when an employee mistakenly opened the wrong email, which turned out to be a phishing attack. A spokesman for Catawba Valley Medical Center said they have sent letters to all patients affected and have taken preventative action against further incidents.
Cabrini Hospital Suffers Ransomware Attack
The medical files of about 15,000 patients from a specialist cardiology unit at Cabrini Hospital in Melbourne, Australia were encrypted via a ransomware attack. The hospital has been unable to access some of the patients’ files even after the hospital paid the ransom for the decryption key.
Included in the breach, according to the Australian Cyber Security Centre, were patients’ personal details and sensitive medical records that could be used for identity theft.
Hospitals Are Cyber Criminal’s Newest, Biggest Targets
Stuart Madnick, a professor in information technology and engineering systems at MIT’s Sloan School of Management, said that hospitals are experiencing up to 70 percent of all ransomware attacks. Why, you may ask? Hospitals are an easy target, simply because they have little to no options other than to pay the ransom. Refusing to pay means patients could lose control over their personal health information or even have life-saving surgeries postponed.
Perhaps one of the biggest problems lies with the fact that hospitals are notoriously slow to update their technology and, as a result, do not keep up with cyber threats. First off, medical equipment can be extremely, extremely expensive. On top of that, trying to convince a doctor to budget for cybersecurity instead of purchasing a new MRI machine is no easy task. Lastly, suppliers of the medical equipment are to blame as well. As technology advances, the priority for a healthcare supplier is to develop new, affordable equipment and to get it to market as quickly as possible. However, throughout this process, cybersecurity often takes a backseat as the supplier needs to meet its bottom line.
Perhaps the fact that the average cost of a cyber attack on a healthcare organization in 2018 at $3.62 million will get someone’s attention. What goes into this cost? Stolen funds; days or weeks spent investigating and repairing the network; and paying any fines or ransoms. Furthermore, attacks can result in a loss of records and patient information as well as long-lasting damage to the institution’s reputation.
According to Madnick however, hospitals are slowly but surely taking notice.
“Hospitals are beginning to respond,” Madnick commented. “Two to three years ago, this wasn’t on their radar.”
Photo courtesy of Brainwave GRC