Cyberattacks are Endangering Patients More Than Ever. Security Must Now be Healthcare’s Top IT Priority

Updated on June 7, 2024

Not many headlines would have been devoted to the cyberattack in February on the large Midwestern hospital if it weren’t for the ultimate victims of the crime: sick and injured children.

The shocking ransomware attack on the Ann & Robert H. Lurie Children’s Hospital of Chicago – where the cybercriminals demanded $3.4 million to release control of the institution’s IT systems – was sadly just one of many such recent incidents. In fact, nearly 94% of the record 133 million breached patient records in 2023 were due to some sort of hacking incident. 

While it is the hospital (and cyber insurance company, if applicable) that pays the ransom in these attacks, it is patients and clinicians who suffer through disrupted care, leading to delays, potential errors, harm and even death.

Researchers from the University of Minnesota’s School of Public Health in late 2023 analyzed a database of Medicare claims to compare the outcomes of patients who were admitted to a hospital at the time of a ransomware attack with those of patients discharged weeks before the incident. They found a 20.7% relative increase in death for the patients who were unfortunate enough to be in the hospital at the time its IT systems were held hostage by threat actors likely thousands of miles away.

To Pay or Not to Pay

Given these potentially tragic outcomes, it is highly understandable that more than 40% of hospitals pay a threat actor’s ransom demands. Yet even when a ransom is paid, the hospital or health system is still obligated to report the incident to the Department of Health and Human Services’ Office for Civil Rights, since the event can carry a financial penalty and becomes public. The organization’s reputation is then impacted in the community, and data protection services need to be offered to affected patients, another significant cost. 

The increase in cyberattacks on healthcare organizations is coming at a time when the hospitals it victimizes can least afford it. The operating margins at rural hospitals, which have increasingly become targets of threat actors sensing greater security vulnerabilities than at larger peers, shrank from 7.7% in July 2019 to 3.3% in June 2022, according to an analysis by KFF. This trajectory is expected to continue, but in reality, no hospital – no matter its location – can easily afford to pay a multi-million-dollar ransom.

Cybersecurity is Patient Safety

At every healthcare organization, patient safety is foundational. Clinical workflows are designed using evidence-based methods associated with maximum patient safety and harm prevention. Yet, given the very real harm that a cyberattack can cause, strengthening security around IT systems and data needs to be prioritized on the same level as any other safety-focused measure, such as preventing hospital-acquired conditions or preventing falls. 

Cybersecurity management demands, however, are concurrently increasing due to the greater volume and sophistication of attacks. Financially challenged hospitals likely cannot afford to purchase leading security tools, nor recruit IT professionals in a highly competitive job market. 

Leading organizations large and small are instead partnering with IT managed services partners specialized in healthcare and healthcare-related cybersecurity to protect their organizations from attack and respond effectively if an incident occurs. Such partners have the technical knowledge and experience, but more importantly, they have the qualified staffing resources, ample time, and targeted solutions to devote to this aspect of care that is inextricably linked with patient safety and clinical outcomes. 

Cybersecurity is a 24/7/365 priority; it’s time for healthcare providers to treat it like one.

Rick Passero
Chief Information Security Officer at Anatomy IT

Rick Passero is chief information security officer of Anatomy IT. He is a Certified Information Systems Security Professional with more than two decades of enterprise IT experience and cybersecurity leadership, primarily focused on healthcare delivery organizations.