More than 330 data breaches had already been reported by healthcare organizations to HHS’ civil rights division this year as of Monday. Nearly 41.5 million patients will be impacted by these breaches in 2023, bringing the total to 52 million, or the amount of persons affected by all recorded breaches in the previous year.
Just last month, 1,038 hospitals and doctor’s offices in 20 states were affected by a data theft at HCA Healthcare, the biggest for-profit health system in the US. According to research issued on Thursday by cybersecurity company Trustwave, healthcare institutions must assess their usage of legacy systems and their dependence on third parties if they hope to stop the spread of data security breaches like this one.
According to Karl Sigler, senior security research manager at Trustwave, “The healthcare industry is characterized by highly specific challenges, like heavy usage of custom applications, numerous third parties, and an unwavering commitment to patient care, that give rise to a unique cybersecurity risk profile.”
The nature of health-related data, he continued, makes it extremely valuable and alluring to hackers. He said that they make use of this information by extorting money from patients and providers or selling it on black marketplaces.
The research drew attention to the fact that many providers still rely on antiquated IT systems and medical equipment that employ out-of-date software, as well as legacy systems that suppliers no longer maintain or that are challenging to patch and upgrade. Healthcare firms should implement additional precautions, according to Sigler, as these systems present a higher risk to hackers.
“It’s a double-edged sword because, while healthcare organizations should always prioritize adopting software patches or making changes that may be essential from a cybersecurity standpoint, those same factors also lead healthcare organizations to be more cautious about doing so,” he said.
According to research conducted by the Trustwave team, it takes healthcare customers two months to address problems that have been highlighted to them following a cybersecurity assessment. This glitch reveals a security hole that hackers “will always take the opportunity to exploit,” he said.
Particularly common among hardware and medical gadgets is this issue. Medical device hardware normally lasts 10 to 30 years, but according to Sigler, sometimes doctors forget to update the software in these devices every few months.
Healthcare firms need to look into third-party dependency since it is another important risk. It’s very typical for providers to work with many different third parties, however, Sigler noted that this increases the attack surface.
Unfortunately, hackers sometimes target these third parties as a tactical move since, if they manage to hack a third-party vendor, they can access some or all of that third-party vendor’s clientele. Since many of these suppliers lack reliable cybersecurity protections and data breach protection, this poses a serious threat to healthcare institutions, he said.
Sigler advised providers to look more thoroughly at the cybersecurity precautions taken by their partners because working with third parties is typically something they cannot avoid. He said that “far too often,” healthcare companies “fail to assess the data security protections” of their external contractors.
The survey indicated that the average cost of a healthcare data breach is $10.1 million, thus paying greater attention to third-party partnerships and the usage of legacy systems not only delivers benefits in protecting patient privacy but also proves crucial for keeping costs down.
The financial consequences of a data breach within the healthcare business “far surpass” those seen by other sectors, according to Sigler, because of the sensitive nature of healthcare data and the strict legal standards which providers must follow.
Healthcare must comply with significantly stronger standards like HIPAA, which mandate that they not only safeguard patients’ personal health information but also notify customers and the government of any data breaches. The additional work required by such procedures and the ensuing fines raise the total cost, he said.
According to Sigler, cyberattacks can occasionally result in downtime at hospitals, which results in more financial loss. An illustration of this is the 2021 data breach at Scripps Health, a San Diego-based health facility that not only reimbursed the victims of the breach $3.5 million but also recorded a $113 million revenue loss as a result of a month-long system outage.