
Healthcare Cyberattacks: Bigger & Bolder


Written by LJBrooks

I am a Registered Nurse with a background in Health Technology, Education, and Managed Care. I love making complex topics understandable, and getting more people involved in Digital Health.

March 23, 2021

With the increased vaccine supply and more appointments, it may seem like we can finally put 2020 behind us. But cyberattacks on healthcare organizations are an unfortunate hangover from last year that shows no sign of slowing down. In fact, it is getting worse.

We knew 2020 was a bad year for cyberattacks. Healthcare data breaches increased 55% in 2020 over 2019. Last year alone, malicious hacks breached just over 20 million patient records. To make matters worse, the cost per record breached went up to $499.

Why are Healthcare Organizations Targets?

The logical target for a hacker looking for money would be a bank or some other type of financial institution. And for a long time, that is exactly who cyber criminals attacked. But the financial industry grew wiser and built better protections over the years. Healthcare organizations, meanwhile, did not.

Attacks on healthcare organizations are not new. However, the pandemic put healthcare in the spotlight, and criminals saw an opportunity to take advantage of chaos. Ransomware is a type of malicious software that encrypts the victim’s files until they pay a ransom to get their information back. Healthcare organizations were the number one target for ransomware attacks in 2020.

The pandemic put pressure on healthcare organizations that made them more vulnerable to attack:

  • Having to add staff during virus surges without adequate onboarding.
  • Rushing to have people work from home who are using personal devices.
  • Struggling to stand up telehealth offerings last minute.

Healthcare organizations were also slow to identify and recover from data breaches in 2020 because of the pandemic. In the early part of the pandemic, there were systems that experienced breaches but were too busy to notice or report them. They only discovered the breach later in the year.


Interestingly, 75% of data breaches in healthcare come from business associates and third parties, instead of healthcare providers, insurance plans, or clearinghouses. Cyber attackers are focusing on entities like third-party billing companies and fundraising services.

The High Cost of Cyber Attacks on Health Systems:

As healthcare organizations reveal their financial performance, the true cost of these attacks is becoming clear. And the cost is quite high.

Universal Health Services (UHS) is a health system of 26 acute care hospitals, 328 behavioral health inpatient facilities, 42 outpatient and ambulatory care centers, and a health insurance plan. They operate throughout the U.S. and the U.K.

UHS announced a $67 million loss due to a ransomware attack in September 2020. People at the company described computer and phone systems being taken over and displaying text about the ‘shadow universe,’ which references Ryuk ransomware – a type of ransomware used to attack large systems.

The cyberattack forced them to stop using their information systems in the U.S. and resort to paper documentation. They were not able to get fully back online until October. It also caused them to divert ambulance traffic and elective procedures to competitor facilities.


Part of the expense was from having to pay for additional staff to restore the information system. UHS also had to delay billing into December 2020, which had a negative impact on their cash flow at a time when the pandemic had another surge. They are hoping to recover some of this loss from insurance.

New Areas of Vulnerability with Mobile Health Technology:

Mobile health apps became more popular during the pandemic. Healthcare providers are starting to use mobile health apps to treat certain conditions.

For example, Highmark Health Plan – one of the largest Blue Cross Blue Shield providers in the U.S. – recently announced it would expand access to Freespira. Freespira treats panic attacks and Post Traumatic Stress Disorder symptoms through a tablet app and a small sensor that detects a person’s breathing and exhaled carbon dioxide. It teaches panic attack sufferers how to breathe differently and reduce symptoms.

Freespira is an example of a digital therapeutic – technology that helps to treat a medical condition, often taking the form of a mobile app combined with some type of coaching. Digital therapeutics offer more options for treating different conditions, and are increasing in popularity along with telehealth.


A recent finding shows that many mobile health apps are vulnerable to cyberattacks that use their application programming interface (API) – computer code that lets software products share data with each other. Hackers could get full patient records through this type of attack.

This makes the security threat posed to mobile health apps even more serious. A hacked mobile health app could expose names, birthdates, allergies, diagnoses, and medications. And hacking one app has the potential to expose information for many different people.

The issue is that mobile health apps are not held to the same security standards as other health technology applications.

What One Government is Doing:

France also recently experienced a series of cyberattacks on hospitals. Similar to the UHS incident, these were Ryuk ransomware attacks that froze computer systems. The hospitals were forced to transfer patients to other facilities and postpone surgeries.

The frequency of attacks on hospital systems increased during the pandemic. French cybersecurity specialists speculate this increase may be because criminals assume hospitals stressed by the pandemic will pay quickly.

As a result, President Macron announced a budget of one billion euros for a new cybersecurity plan. While pledging money does not mean the problem is solved, it is a step. Governments everywhere need to do much more to protect health systems and their patients.


Key Takeaways:

The pandemic put healthcare organizations in the spotlight, which also made them more vulnerable to cyberattacks. Cyber criminals use ransomware attacks to lock computer systems until they are paid. Their assumption is that distressed hospital systems will pay them quickly.

The attacks are costing real money, as much as $67 million for one hospital system in the U.S. But in the future attacks may not be limited to electronic health systems. As mobile health app use increases, they present a new vulnerable area.

Ultimately, governments will need to find solutions to protect health systems from these attacks. In the end, the people impacted are the patients.
