Healthcare Cyberattacks: Real Money, Real Lives, Real Risks

I’ve never added up the time I spend each day fending off cyberattacks. Listening to and then deleting robocalls on my landline answering machine. Deleting spam emails on my laptop. Deleting suspicious texts on my smartphone. Deleting unwanted invitations on my social media channels.

It’s become ritualistic, and I bet it adds up to an hour or more each day as I’m always working on my phone, tablet or laptop. It’s tough enough doing your job without needing to swat away these attacks like flies buzzing around your head, waiting for you to walk away from your ham sandwich.

I’m just one person doing one job in one room. I can’t imagine what it’s like being the CEO of a hospital or health system with thousands of employees and thousands of patients in thousands of rooms.

Three recent developments drove home the seriousness of the cybersecurity threat facing healthcare. Not that the threat wasn’t real before. But it’s certainly getting real now.

In late July, IBM released its annual Cost of a Data Breach report. The 78-page report is based on data breach experiences at 553 companies or organizations in 16 countries across 17 industries. The average cost of a data breach in healthcare, which the report defined as hospitals and outpatient clinics, was $10.9 million this year, up 8.2% from $10.1 million in 2022. That was the highest of any of the 17 industries and more than double the $4.5 million average for all industries combined. $11 million per breach is some real money.

Earlier this month, The Joint Commission issued a seven-page Sentinel Event Alert on cyberattacks and patient safety, saying cyberattacks can have a “disastrous” effect on patients, causing care disruptions that could harm patients. The private accrediting body outlined seven recommendations for healthcare organizations like hospitals to minimize the risk of a cyberattack on patient safety. I’ve always thought of The Joint Commission as the Johnny-come-lately of patient safety. It never predicts an issue, is ahead of an issue or is in front of an issue. It’s always happy to wade in after everyone else is wet. Maternal mortality and health equity are two recent examples. But my point is this: If The Joint Commission is weighing in on cyberattacks and their risk to patient safety, it must be real as in real lives.

Also in August, researchers at the University of Texas at Dallas published an 88-page paper on how merger and acquisition activity by hospitals affected their risk of a cybersecurity attack. According to the paper, the risk of a cyberattack doubles in the two years surrounding a hospital consolidation. The probability of an attack was 6%, starting a year before a deal closed and running through the year after a deal closed.

The possible reasons for the increased risk included media attention about the deal, which attracted the attention of cybercriminals, and increased IT system vulnerabilities created by consolidating hospitals trying to integrate two separate IT systems. With hospital mergers and acquisitions activity still showing no signs of slowing down, that risk is real.

Real money. Real lives. Real risks. Cyberattacks are a market-altering phenomenon in healthcare.

All I have to worry about is a fake Amazon account suspending my purchases unless I update my account with new credit card information.

Thanks for reading.

To learn more about this topic, please listen to the March 30, 2023, episode of our 4sight Health Roundup podcast, “Ransomware, Cybersecurity and Healthcare,” on 4sighthealth.com.