Exclusive: Assessing the Financial Impact of Inadequate Cybersecurity on Health Systems

By Madeline Armstrong

Hospitals around the country run the risk of losing millions of dollars if they have inadequate cybersecurity.

“The number one cybersecurity risk to hospitals and health systems is that of high impact ransomware attacks which disrupt and delay patient care and risk patient safety,” said John Riggi, national advisor for Cybersecurity and Risk at the American Health Association.

According to Riggi, there are a number of financial risks that come from a ransomware attack. These include loss of revenue due to canceled procedures, lost business opportunities, required technical remediation, credit monitoring, increased staff costs, cyber insurance costs and – above all – potential class action lawsuits.

At least five healthcare organizations have been hit with potential class-action lawsuits since the beginning of the year over data breaches, according to a case list compiled by Becker’s:

  • QRS, a health IT and EHR software company, is facing a potential class-action lawsuit after it notified about 320,000 patients that their protected health information was exposed during a cyberattack last year. The lawsuit was filed Jan. 3 by one of the patients whose information was affected.
  • Broward Health, based in Ft. Lauderdale, FL, faces a potential class-action lawsuit after it notified 1.35 million patients that their protected health information was exposed during a cyberattack.
  • Marietta, Ohio-based Memorial Health System is facing a potential class-action lawsuit after alerting about 216,500 patients that their protected health information was exposed during an August 2021 ransomware attack.
  • True Health New Mexico, a payer, could face a class-action lawsuit after it notified about 63,000 members that their protected health information was exposed during a cyberattack. The lawsuit was filed by three of the members whose information was affected.
  • Sea Mar Community Health Center based in Seattle was hit with a lawsuit seeking class action status after notifying 688,000 patients that their protected information was exposed in a cyberattack that took place between December 2020 and March 2021.

Scripps Health in Southern California had its hospital system offline for three weeks due to a ransomware attack in 2021. The entire system had to be operated offline, creating delays in patient care and diverting care to other hospitals in the area. This impacted both the patient experience and the system’s revenue.

“They had to divert ambulances and urgent care to other systems within the area who weren’t prepared to take on that additional work,” said Oscar Miranda, chief technology officer of healthcare at Armis, a company that assists organizations in securing managed and unmanaged devices including medical devices and industrial control systems.

“There is data coming out that shows a correlation on the additional emergency room admittances for these other systems that correlate with the down time of this other system,” Miranda said.

According to Riggi, the cost of a data breach or ransomware attack can run up to well over $100 million.

However, even smaller-scale disruptions to a system can carry reputational costs: a hospital loses patients when it cannot deliver adequate services.

“If I cause any disruption to that workflow, I start creating a domino effect,” Miranda said. “A five-minute delay with my first appointment might end up with potentially canceling the last two or three appointments for that day.”

In a survey conducted last year, nearly half of all hospital executives said their facility had to shut down because of a cyber incident, according to a Philips and CyberMDX report.

The survey included 130 hospital executives in IT and security roles, as well as biomedical technicians and engineers.

Large hospitals were shut down for 6.2 hours, on average, at a cost of $21,500 per hour. Midsize hospitals fared much worse: shut down for 10 hours on average at a loss of $45,700 per hour.

Yet the same survey showed less than 11% of respondents consider cybersecurity a high-priority spend.

In today’s digital era, patients can easily switch providers if they are unsatisfied with their care. According to Miranda, this issue has been exacerbated during the COVID-19 pandemic because most services were moved online.

However, some measures have been put in place to ensure hospitals have adequate cybersecurity. The United States recently adopted the PATCH Act, which requires all medical devices to have a Software Bill of Materials (SBOM), a list of all the open source and third-party components present in a codebase. “[This] ensures that medical devices right out of the gate before they’re even sold for premarket are fully vetted from a cybersecurity standpoint,” Miranda said.

Additionally, Riggi said that hospitals and health systems have increased funding for cybersecurity programs.

The healthcare industry is projected to spend upwards of $125 billion on cybersecurity products and services from 2020 through 2025, according to Cybersecurity Ventures.

The stakes are high. The 2021 cost of healthcare data breaches jumped to an average of $9.3 million per occurrence, according to a report released by IBM Security. That’s a 29.5% increase over 2020’s average of $7.13 million.

“Many hospitals have enacted ongoing phishing tests and use layers of technical defenses to deflect and detect network intrusions such as multi-factor authentication, network segmentation, endpoint protection and enhanced backup and recovery capabilities and procedures,” Riggi said.

This is the kind of service that Armis provides. The company helps organizations understand what their attack surface looks like, how to address cybersecurity vulnerabilities, and how to remediate the resulting risks.

“It is not uncommon for any healthcare system to actually depreciate and have to keep these systems for quite a large amount of time even after that particular software has gone end of life,” Miranda said. “As easy as it looks to replace it, there’s a lot of cost and disruption associated with that so you need a tool to fill in the gap until the device that has flaws and vulnerabilities can be replaced.”
