Health Care Data Breaches May Cost More Than Money
Cybersecurity threats against health care organizations rose by 60% year over year in the first three quarters of 2019. Phishing or spear-phishing is the most commonly used attack against health care facilities. These attacks trick users into opening emails that contain malicious software that then spreads to the hundreds or thousands of end-point devices on a network.
Attacks like this can lock up an entire health care organization’s data, with the attacker demanding a ransom before releasing the hostage data. They can also cost patients’ lives.
Two recent studies on health care cybersecurity (or the lack of it) provide details. Anti-malware firm Malwarebytes, in a new report titled Cybercrime Tactics and Techniques: the 2019 state of healthcare, indicates that cybercriminals have at least three big reasons for targeting health care organizations: they hold a trove of personally identifiable information; they have hundreds if not thousands of entry points, including Internet of Things devices that are often unprotected against attack; and, most important, a ransom demand is often paid because lives depend on regaining access to the data.
Those are the immediate effects. A study published in September looked at the impact of a data breach on the quality of care over a longer time. The researchers compared data for a five-year period (2012 through 2016) for a group of 3,025 hospitals with 14,297 hospital-year observations.
Using the 30-day mortality rate for acute myocardial infarction (AMI) — commonly called a heart attack — as the measure of care quality and time from the emergency room door to an electrocardiogram (ECG) as the measure of the speed of care, the researchers wanted to find out if quality fell in the years following a data breach at that hospital.
The researchers’ hypothesis was that a hospital’s efforts to enhance cybersecurity following an attack on the hospital’s network and data “would likely increase the time to access the EHR [electronic health records], order, review, and execute the ECG and thus result in an increase in time to treatment.”
In the three years following a data breach, the 30-day heart attack mortality rate rose by 0.23 percentage points in the first year, 0.36 points in the second year, and 0.35 points in the third year.
The time-to-ECG for a breached hospital rose by 1.4 minutes in the first year following a data breach, dipped slightly in the second year, rose by 2.7 minutes in the third year and rose by 2.0 minutes in the fourth year.
The researchers note that improvements in heart attack treatment have reduced the mortality rate by about 0.4 percentage points annually in the period between 2012 and 2014. Recovering from a data breach essentially wipes out annual gains made in treating heart attacks and keeping victims alive.
While the time period of the hospital study predates the flurry of ransomware attacks on health care organizations, the researchers commented: “Our findings suggest that ransomware attacks might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”
Coveware, a maker of ransomware incident response software, has reported that in the second quarter of 2019 the average ransom payment extracted from ransomware victims nearly tripled, from an average of $12,762 in the first quarter to $36,295. The average downtime rose from 7.3 days to 9.6 days. Companies that paid the demanded ransom received a working software tool to recover the data 96% of the time, but only 92% of ransomed data was ever recovered.
Even if a hospital pays the ransom, however, the effects of a ransomware attack linger for years and people could die as a result. We need to do better.