The Passion Project Blog | Glatfelter Insurance Group

How to Help Avoid Being a Cyberattack Statistic

Written by Emily Arndt | Apr 22, 2024 6:33:16 PM

You know the negative, long-lasting effects of cyberattacks. But is your organization prepared to fight against them?

The cold, hard truth

Cyberattacks could be costing the healthcare industry an average of $100 million a day. The Change Healthcare cybersecurity incident that happened in February was a sobering reminder of just how vulnerable healthcare organizations and their patients are to these kinds of attacks. One out of every three Americans was potentially impacted by the incident. This attack has been called the largest cybersecurity attack on the American healthcare system ever. The hackers were allegedly paid $22 million in bitcoin.

As a result of the cyberattack, Change Healthcare was forced to take their systems offline, resulting in the disruption of patient care in many ways, including medication delays and out-of-pocket costs for patient medications. Healthcare providers are having major cash flow issues due to claims denials for services caused by this event.

The average cost of a healthcare data breach was $10.93 million in 2023, up from $10.10 million in 2022. Healthcare has the highest data breach cost of all industries. Between 2020 and 2023, the average cost of a data breach rose by 53.3%. To put these numbers in perspective, the second costliest sector was the financial sector at an average cost of $5.9 million.

What you can do about it

Here are twelve things you can do to help prevent your organization from becoming another statistic:

  1. Conduct a self-assessment: this includes taking stock of the information you have, scaling down and only keeping what you need, locking it, pitching what you no longer need and planning ahead for an incident.
  2. Utilize a multi-factor authentication process.
  3. Maintain current operating systems. It’s difficult to restrict physical access to equipment, but you can make that equipment harder to hack into.
  4. Have a written business continuity plan in place that addresses disaster recovery, continuity of operations planning and business continuity, to help mitigate risk and safeguard the organization with minimal disruption in operations.
  5. Have a HIPAA breach protocol incident response plan in place.
  6. Have policies and procedures in place to minimize the effects on patient care, just as you would for a fire or flood. It’s important to have a plan in place to lessen the impact, such as keeping a paper list of physicians’ cell phone numbers in case your system becomes inaccessible.
  7. Train employees to identify phishing emails. Email phishing is the most common type of cyberattack used against the healthcare industry. It’s when a seemingly harmless email comes to one of your employees with one or more links to a decoy webpage that asks for their system login information. Once the hacker has it, it’s too late. The hacker will then have access to their entire system of patient information.
  8. Encrypt and/or deidentify patient data: Encrypting ePHI helps prevent hackers from using it, if stolen. Deidentification means removing any information from records that could identify a person, if stolen.
  9. Install and maintain anti-virus software.
  10. Collaborate within your organization, taking a multidisciplinary approach. It’s as important for clinicians as it is for the IT department to understand their role in what’s at stake.
  11. Expect technology vendors to use evidence-based practices and stronger security measures to reduce your vulnerabilities.
  12. Obtain cybersecurity insurance coverage: Glatfelter’s wholesaler, Glatfelter Brokerage Services (GBS), introduced a more robust cybersecurity product at the beginning of this year in response to the significant increase in cyber-attacks. If you're interested in the product, ask your agent to check out the GBS website, linked below, and submit an application for you.

Along with potentially losing millions of dollars as ransom payment, there are other consequences to cybersecurity attacks. Your organization could be fined or slapped with a HIPAA violation. It’s critical that you not only help try to prevent an attack by enrolling in a cyber insurance policy, but that you proactively prepare for these types of events. The chance of experiencing a cyberattack is increasing as cybercriminals become more sophisticated and healthcare organizations struggle to maintain a sufficient workforce. Starting with these twelve actions may help prevent or lessen the severity of the next attack.

What are some other ways your healthcare organization has dealt with cybersecurity risks? Make note in the comments below!