HEALTHCARE CYBER RISKS

As a healthcare provider, you are tasked with protecting highly sensitive and valuable data. The extremely high value of medical and healthcare-related records (e.g. patient treatment records, insurance records, prescriptions related to controlled substances, Medicare and Medicaid records etc.) in the criminal underworld makes hospitals and healthcare systems uniquely vulnerable to cyber attacks.

Attackers are looking for valuable computer records which include:

• HIPPA-protected patient treatment records.
• HIPPA-protected patient personal information (e.g. medical history, financial information, driver’s license, social security number etc.)
• Personal and organization insurance records
• Patient prescription information,
• National Provider Identifier (NPI) information.
• DEA Registration Numbers
• DEA Registration Application information (e.g. Tax ID numbers, and prescriber login information for DEA databases)
• Information from Completed DEA Form
  • DEA Form 224a – Retail Pharmacy, Hospital/Clinic, Practitioner, Teaching Institution, or Mid-Level Practitioner
  • DEA Form 225a – Manufacturer, Distributor, Researcher, Analytical Laboratory, Importer, Exporter
  •  DEA Form 363a – Narcotic Treatment Programs
  • Cyber Insurance
  •  DEA Form 510a – Domestic Chemical Confidential personal and professional background information provided by treatment professionals (e.g. Information pertaining to controlled substances, in the applicant's background.)
• Drug codes and chemical codes
• Medicare and Medicaid records etc.

The great investment that the criminal underworld makes in attacking hospitals and healthcare systems makes them uniquely vulnerable to cyberattacks. Researchers have noted a steady increase in ransomware attacks in 2020 and this trend is expected to continue well into 2030.

Ransomware attacks on medical systems threaten the provider's ability to provide care and ensure that patients’ sensitive data remain protected from bad-faith actors.

Attackers know that threatening healthcare system data holds lives at stake. Their attacks lock hospital IT desks, electronic health records (EHRs), payroll programs, and other vital digital tools, leaving critical infrastructure inaccessible for days and weeks.

Meanwhile, the CEO and board must scramble to determine whether and how to meet the ransomware demand. Typically, during this period, unaffected parts of the hospital’s computer network will be shut down to prevent further damage to the hospital IT system. In the wake of an attack three very serious problems must be addressed given the unavailability of the provider’s computer system:

• Hospital staff must guess which patients were scheduled for appointments
• Many critical procedures will need to be rescheduled
• Many patients must go to other hospitals for treatment

More than 1 in 3 health care organizations globally reported being hit by ransomware in 2020, according to a survey of IT professionals. What’s more, the sector experienced a 45% uptick just since November 2020, according to HealthITSecurity.

Given the extreme vulnerability of healthcare providers, it is prudent to assume that your organization will be the subject of an attack and invest resources into monitoring and mitigation efforts to minimize damage and legal liability associated with the inevitable attacks.

Risk of cyberattacks on healthcare providers in the COVID era have grown at a geometric rate. Nearly half of all U.S. hospitals disconnected their networks in 2021 due to ransomware attacks according to a study from Philips and CyberMDX.  For example, in late 2021, dozens of hospitals and clinics in West Virginia and Ohio canceled surgeries and diverted ambulances following a ransomware attack that knocked out staff access to IT systems across virtually all operations. 

These facilities are owned by Memorial Health System, which represents 64 clinics, including hospitals Marietta Memorial, Selby General, and Sistersville General in the Marietta-Parkersburg metropolitan area in West Virginia and Ohio.  

In addition to ransom payments, a typical hospital will suffer an uninsured loss of about $3.5 million in revenue associated with legally required notifications to affected parties and IT work necessary to “scrub” network systems and restore hundreds of affected computers. While actual ransomware payments are designed to be affordable and paid (e.g. often less than $35,000), the real effect of the attack comes after the payoff in the form of:

• Risk of death or other threats to patient welfare as a result of disruption in operations.
• Loss of revenue from procedures not performed.
• Diminished hospital reputation 
• Exclusions from cybersecurity insurance and increased cost associated with future insurability

1 Leventhal,  Ransomware Attacks on US Healthcare Organizations Cost $20.8B in in 2020,Comparatech, 2021

Most losses from a cyberattacks are not covered by so-called "cyber insurance". Cyber insurance policies typically require the insured to attest to a very specific level of cybersecurity “hygiene” at the time the policy is written. Following an attack, the insurer’s forensic examiners will seek to confirm proper exercise of cybersecurity due diligence by the organization's leadership. Without proper guidance, these standards are rarely met and coverage is often denied.

While close inspection of a cyber-insurance policy might find limited coverage for ransom payments and payment of fees associated with notifying affected individuals, indirect losses (e.g. lost revenue, lost reputation, losses injured third parties etc.) are not typically covered. Moreover, social engineering attacks--the greatest threat to your cybersecurity--are typically explicitly excluded from most cyber insurance policies.

CEOs, board members and partners in any organization can face civil or criminal legal liability where oversight of cybersecurity has been deemed negligent and an attack is the proximate cause of death or bodily injury.  In most information-based business, the threat of death or bodily injury—while possible—is often indirect and fairly removed from the leaders’ stewardship of IT security.  In healthcare, death and bodily injury—even under the best of circumstances--are integrally connected with treatment. These claims are typically considered the most serious and are sometimes the source of criminal liability

The COVID-19 pandemic has resulted in an enormous increase in strain on our healthcare systems and increased the risk involved with any breach of data or obstacle to providing care.  The COVID 19 Pandemic has been the most urgent health crisis facing humans on planet earth.

The pandemic has put an enormous strain on our healthcare  systems and increased the risk involved with any breach of data or obstacle to providing care. Sudden and drastic increases in telework, distance learning, streaming entertainment and gaming has driven a geometric increase in internet use. At the same time, the on-site cybersecurity workforce was not immune to the diminution in force affecting all industries (e.g. quarantine, social distancing, attrition, etc.)

This has resulted in  a drastic increase in the vulnerability to cyber threats of IT systems generally. 

Healthcare providers are burdened with managing a precarious network of invaluable, under-protected information. Hackers can hold information hostage and leverage high payouts from already-exhausted healthcare organizations. These organizations often are forced to quickly disburse the funds to avoid further delays in medical care.

The threats posed to medical providers include:

• Risk to patient life and health
• Loss of access to medical records
• Malfunction of electronic systems
• Delays or forced refusals of care
• Loss of profit.

The key to preventing these perilous attacks is a comprehensive understanding of your susceptibility to cybersecurity risks and of the preemptive steps required to address them.

“If cybersecurity isn’t one of your top two priorities, it needs to be,” says University of Vermont (UVM) Medical Center Health Network Chief Medical Information Officer Doug Gentile, MD. " He adds, “If you don’t have a very robust security profile, you’re likely to get hit".

As larger healthcare providers strengthen their cyber defenses, ransomware attacks are more likely to occur with smaller providers like Federally Qualified Health Centers.  These providers serve rural and economically disadvantaged regions and are typically poorly defended against ransomware attacks. As larger providers strengthen their cyber defenses, attackers have pivoted to smaller operations which cannot afford the high fixed cost associated with meaningful cyber defenses. While these attacks yield a smaller “take”, they can be automated to simultaneously attack multiple organizations at once.

This increased vulnerability is compounded by the fact that patient income is strongly inversely associated with morbidity and mortality. These income-related health disparities appear to be growing over time.¹ Civil liability based on claims alleging death or serious bodily injury are associated with larger damage awards.

1 “Health, Income, & Poverty: Where We Are & What Could Help, " Health Affairs Health Policy Brief, October 4, 2018.

To protect a healthcare organization, CEOs, partners and board members from the risk of and liability associated with a cyberattack, it is crucial that a provider's leadership understand its cybersecurity legal risk and responsibilities. Identifying your organization’s weak spots before a hack is the best way to protect your network of information. TEMVI’s team of lawyers, engineers, and Certified Information Systems Security Professionals will work with your healthcare organization to:

• Help CEOs and boards understand and manage the liability posed by cyber attacks
• Help CEOs and boards understand and manage responsibility under regulatory frameworks like HITRUST, HIPPA and FISMA
• Help CEOs and Boards  prioritize and manage a plan of action to address the vulnerabilities that they face.