Cybersecurity Nightmares: The Cost of Healthcare Cyberattacks in 2023
Posted on: April 6th, 2023 02:42 pm
Cyberattacks have always been common in the healthcare industry, but activity has increased sharply in the past few years.
Healthcare organizations worldwide averaged 1,463 cyberattacks per week in 2022, up 74% compared with 2021. The average cost of each breach is about $10 million, making healthcare the largest and fastest-growing industry to experience multi-million dollar penalties.
To avoid costly fines, reputational damage, and other penalties and consequences, entities must do whatever they can to prevent ransomware, phishing, and other cyberattacks.
Most covered entities are aware that cybersecurity mitigation needs their budget and attention.
Unsurprisingly, the cybersecurity budgets of healthcare organizations are rising steadily to reflect this recent growth.
Read on for examples of recent impactful cyberattacks and practical steps to avoid being the next victim of a damaging crime.
Recent Hospital & Healthcare Cyberattacks
Often targeted because of their massive databases containing sensitive information, hospitals and health systems have been especially susceptible to sophisticated cyberattacks in recent years. Many organizations are still feeling financial and reputational loss from attacks that took place several years ago. Some examples of recent high-profile security breaches occurred at the following:
CommonSpirit Health: $150,000,000+
In October 2022, CommonSpirit Health, the largest Catholic health system in the United States, experienced a costly cybersecurity incident. The organization began reporting IT outages, appointment cancellations, and more, only to discover later that a ransomware attack caused these disruptions.
As of February 2023, CommonSpirit Health has incurred over $150 million in financial loss from legal fees, remediation, data breach mitigation, and more. That excludes potential insurance-related recoveries, so the fines and penalties are far from finished, especially given the entity’s uncertainty about moving forward with insurance claims.
Scripps Health: $118,700,000+
Scripps Health, a non-profit healthcare system based in San Diego, California, experienced an IT systems attack resulting in their patient portal being offline in May 2021. Their annual earnings report states, “As of June 30th, 2021, we estimate total lost revenues to be $91.6 million and incremental costs incurred to address the cyber security incident and recovery were estimated at $21.1 million.”
Along with that, $6 million was spent on insurance recovery and other operating costs in June. This cyberattack significantly disrupted care, impacted email servers, and forced medical personnel to use paper records, and the costs are still adding up. In December 2022, NBC San Diego posted an article entitled “Scripps Health Could Owe You $ for the 2021 Ransomware Attack. Here’s How to Claim Your Settlement Payment.” The price of insurance, legal fees, mitigation, and more continue to damage the reputation and operations of this health system.
Tallahassee Memorial HealthCare: Potentially $10,000,000+
Florida hospital system Tallahassee Memorial HealthCare reported an “IT security issue” at one of their hospitals in February 2023. The expected breach forced a 772-bed hospital to move emergency patients to other facilities and cancel non-emergency surgeries, resulting in a loss of hospital revenue and patient trust.
The expected ransomware attack resulted in shutting down computer networks. As a result, the hospital staff could not access digital patient records or lab results. The hospital has been working with the FBI to investigate the security event, demonstrating that even suspected attacks can cause long-term uncertainty and penalties for health systems.
How to Avoid Healthcare Cybersecurity Attacks
In late 2022, hackers accessed the data of 270,000 patients at Lake Charles Healthcare System, a Louisianna hospital system. The hospital was able to thwart the attempted ransomware attack that would’ve cost them millions. Although they still had to do damage control, the consequences were nowhere near as severe as if the attack had been successful.
How were they able to prevent the worst-case scenario, and how can your organization set the foundations to mitigate similar risks? Read on for three practical ways to protect from breaches and remain compliant:
1. Implement a Robust Cybersecurity Framework
To lower the potential for beaches and subsequent penalties, you should have a cybersecurity framework that aligns your security measures, strategies, and requirements with the goals and objectives of your business. This framework should offer standard procedures and processes that enable consistent, year-round compliance, from how often staff should receive compliance training to how to implement remediation efforts.
Many enterprises only conduct corporate risk assessments and assessments for 10-20% of their covered entities that they then use as a sample. A comprehensive cybersecurity plan will ensure you can leverage your corporate assessment for all entities for a more consistent and complete HIPAA enterprise-wide assessment.
2. Utilize a Centralized Compliance Solution
Implementing a centralized compliance solution offers effective, scalable ways to remain compliant. The right compliance software will help you address every step of the compliance process while reducing your team’s fatigue when going through complex tasks and procedures. Additionally, research has shown that organizations that experience compliance failures will likely have a greater financial loss when dealing with data breaches. In other words, compliance failure amplifies data breach cost, and a centralized compliance solution can help prevent the former and, subsequently, the latter.
A solution will use automation that reduces complexity and repetitive tasks that usually fall on employees. It will increase the efficiency of compliance procedures while reducing the time, effort, and resources needed to achieve full compliance. A centralized software, specifically, grants you to view and complete assessments and remediation in one place so you can respond to incidents quickly, markedly missing the chance of something important falling through the cracks.
3. Conduct Periodic Risk Assessments
One vital step for strengthening enterprise-wide risk posture is completing periodic risk assessments (at least annually.) Most covered entities know the risk assessment requirement, but completing them properly has its own challenges.
Start by identifying assets, noting risks to those assets, documenting security controls, and laying out remediation steps. Your automated solution can ease the burden of assessments and ensure thoroughness. Then, once your assessment is complete, year-long actions should be taken to remediate and make process changes based on the identified risks.
The OCR website features the “Wall of Shame,” a list of breaches reported in the last 24 months that are currently under investigation. The current list, which features nearly 1,000 organizations, demonstrates a marked increase in cybersecurity attacks and breaches. Maintaining a solid risk posture is critical to avoid falling victim to attacks, experiencing financial and reputational damage, and negative publicity.
Most organizations never think a breach will happen to them until it does, so preparing for the worst-case scenario is recommended. Enterprises looking to protect themselves from cyberattacks and ensure compliance must be vigilant at all times and prioritize assessment and remediation to build a strong foundation that isn’t easily breachable.
Solutions such as HIPAA One® compliance software remove the fear and confusion of compliance by giving covered entities step-by-step guidance on risk analysis, remediation, and documentation all in one place so enterprises and SMBs can remain confident in their compliance.
Don’t let anything fall through the compliance cracks. Learn more about ensuring full HIPAA compliance by getting in touch with the HIPAA experts at Intraprise Health.