
The Impact of Data Theft on Patient Care: Insights from a Health Care Cybersecurity Professional

Featuring Jeff Stravers, virtual chief information officer at ANATOMY_IT. 

Health care cybersecurity is an increasing priority as cyber criminals’ tactics become more sophisticated and data breaches can erode patient trust and jeopardize patient safety.

Read the full transcript: 

Welcome back to Pophealth Perspectives, a conversation with the Population Health Learning Network where we combine expert commentary and exclusive insight into key issues in population health management and more.

So could you start out by sharing your name, your title, and just an overview of your professional experience?

Sure. So my name is Jeff Stravers and I work as a virtual chief information officer, or vCIO, for ANATOMY_IT. I've been in the technical field, I guess I'll say for 40+ years now. I started out as a basic field service break-fix technician, and just over the course of the years have held various roles and responsibilities in IT, to where I'm currently now working as vCIO.

So why should cybersecurity be an increasing priority for health care systems and leaders?

Yeah, that's a great question and I think ultimately it's one of the biggest threats, external threats, that impacts health care and primarily for a fairly simple reason: the rewards to the cyber criminals are significant. The payload or the payoff that they get by perpetrating these acts and being able to breach data is amazing and we'll talk about that in a bit. But the reality of it is the threat actors are getting more sophisticated, they've got better tools in some respects, they probably have better tools to perform these breaches and cyber threats than we do to prevent them. They're extremely organized. I mean, they've got full portfolios set up, they have businesses, they have boards of directors for the people that work for them, it’s a lucrative career. They are behind the scenes, people don't see them. They can come and go as they please and do the things that they do. So I think that's one of the reasons why it needs to be an increasing priority because the threat is continuing to be very real and much more realistic that it's going to happen. I think health care has historically been behind from a technology perspective, I don't think that's a secret to anybody. And while it's catching up, there's still in a lot of cases, some pretty significant disparities between what the threat actors have available to them and what we have to prevent it.

Especially when you look at some of the not-for-profit health care areas. They struggle to fund the security technology that they know they really need. They have to have it, they're at the same risk as everybody else, but for them it can be a balancing act between the technical tools that they have to have compared to the patient care equipment. And if you got to choose between whether I replace an ambulance or I buy a new security tool, that can be a hard decision because the ambulance is going to chew into a lot of their capital. And that's just one example. But the money issue is generally a concern.

IT is generally not something that health care considers as a revenue generator either. So when margins are small and dollars are few, they're looking at those systems that bring money into the health system and they see it as one that just results in them spending money, if you will. That's another real concern or a real reason behind it. And I think ultimately at the end of the day, we are much more a connected society than we ever were, and health care is no exception. Everything in a health care facility, whether it's a clinic, whether it's a hospital, an insurer, whatever the case may be, is connected to the internet. That includes medical devices which have historically had weak security out of the box and often are overlooked too. And now all the patient records are likely tied to an internet connection of some kind. And so just the ability to gain access to that data is so much more available than it ever was. So that's my take on why it needs to continue to be an increasing priority. The value of the record is not getting smaller. Matter of fact, it's increasing and that's just going to continue to drive that push to try to get those records.

I had no idea that it was such an elaborate system on the backend, the idea that there's such a coordinated effort, companies working together to do this. It's almost like a heist movie, right? 

Yeah, right it is. And I think a lot of people don't necessarily realize that. It's funny because, and I'm sure it didn't start that way, it started as some, we all envision it being some third world country with some guy sitting in a shady back room hacking away at a computer. And the fact of the matter, I mean, these places have pension plans, they have retirement plans, they have business models, all of that. And it's kind of amazing in some respects.

Could you elaborate on the impact of data theft for overall patient care and mortality? 

Yeah, I think in some respects it has multiple areas of impact. We'll start with the simple and then work our way up a little bit, but at its core it can erode patient trust and that's always a concern. So providers and health systems, they spend a lot of time trying to build that trust with patients. Some people are pretty good about trusting their physicians and things of that nature, but it seems like that's always been one of those areas where I don't want to go to the doctor. And so you hate to be that person that has to go, has to make an appointment. And once you finally get to that point where you found a provider that you like, you trust, and then all of a sudden your records are breached, probably no fault of that provider, but it does erode trust not only in the facility itself, but also in the provider that you're working with just because you as a patient connect the dots as one being equivalent to the other.

And so with that, then patients potentially will tend to not come back. So all of a sudden now I'm not, well, “the last time I went I had all kinds of trouble, so I don't want that to happen again. So now I'm not going to go be seen by a provider.” So patient care is then neglected, and so that's kind of at the heart of things. It can also slow patient care. So when systems are compromised, it takes time to recover. It can be as short as a few days to even a few months if it's a large system. I think on average it probably takes a week to 2 weeks for a standard health care system to at least recover to a point of being able to adequately use their systems again. And so during that time, it's going to force caregivers to revert to manual and paper processes, which takes more time.

They're not familiar. It used to be they hated to use the electronic processes. It always took them longer. We counted clicks and those mouse clicks took forever. And well, most of 'em don't know how to use paper anymore. And most facilities don't have a good downtime procedure, or I shouldn't say most, but it's not uncommon for facilities to not have a good downtime process or paper backup process that they can put in place should there be a significant downtime. So it takes time for people to adjust. You have to find the forms, you have to maybe create some forms, you have to worry about workflow issues. So how do I get this patient from point A to point B? How do charges get posted? How are we going to get paid for this care that we're providing? How do we continue to care for the patient after their initial visit, and things of that nature?

So it slows care, it removes, it has an impact on patient safety protocols because an EMR is naturally going to provide some of those protocols. It's going to have things, checks and balances in place that says, okay, this patient's in, I'm going to prescribe them this medication. And an EMR is going to pop up and say, wait a minute, they have an allergy to that medication, or they've had that medication too many times in the last so many days or whatever. That's just one, med administration is just one example. But those checks and balances are not going to be there in a paper process. And so there's risk to patient safety, which again kind of goes back to eroding trust.

And then critical services may not be available. So if I'm down or if the network is down, there's probably no way for me to take an X-ray image and have it sent to my reading radiologist for them to review. ER may not be able to treat some cases because it requires ancillary services that are not available because the network is down. And so really that forces them to go on diversion for certain areas where they're pushing patients to other facilities and things of that nature just simply because of a data theft.

And then if we really dive into the more serious aspect of it, so we talk about mortality and at first blush you think, how can my data being stolen result in mortality rates, or an increase in mortality rates? And I think it's probably not super common at this point, but the potential is there. And so we talked about having to go on diversion. So if emergent services aren't available due to the hospital being in recovery efforts, systems are down, or whatever, and they have to divert patients to another facility, well, what if you've got a critical patient in the ambulance and those extra minutes to get them to a different hospital may be too many minutes and you may lose a patient in transport just because of them having to redirect patients to someplace farther away.

Again, not something that's going to happen every time, but it is a real threat. And then another probably even less common aspect to it is that we hear about medical devices being susceptible, the internet of things. So a med pump, it's now plugged into the network, and so threat actors have been known to be able to hack into those devices. If they hack into those devices, they can change dosage rates and either increase the dosage too much that it creates an overdose impact or reduce the dosage to where the medication that's needed is not given. And again, just one example, but things like that can result in deaths, none of which is common, but the potential is there.

For sure. That domino effect starts with that cybersecurity threat and just can disrupt all kinds of things.

It's fun to see that awareness, right? So you have a technician who thinks I'm just here to fix the printers and doesn't really see how that's an issue, but when they realize that there's a patient in the ER that needs to get on a helicopter to be flown to a facility that can treat them better and they can't get on that because they can't print a label? When they realize that criticality to it, that's pretty cool, but it kind of explains the issue that we face at times. 

So tell me more about the financial toll associated with cyberattacks due to disruption of health care operations.

Yeah, so it's twofold, right? I mean, so first off, on the basic side of things, if you are in a recovery mode or if you are diverting some services because you are in a recovery mode or you're working through a ransomware attack or whatever the case may be, you're obviously not generating as much revenue because you are sending some of those services off to other places. You maybe are not able to see as many patients in a day because you are using a slower process that doesn't allow you to work. If you typically see 60 patients in a day and, because of the situation, you can only see 40, that has a dollars-and-cents impact on the operation.

Outside of that, it really comes down to the penalties that are associated. So if I have a breach and the breach affects over a certain number of patients, I have to report that. And then that gets investigated by the ONC or HHS, however you want to look at it. And once they complete that investigation, they are potentially going to levy a fine against the facility because of not securing patients’ data. And that fine is going to be based on, really, the number of records and the type of records that are breached, and it can range into the hundreds of thousands of dollars to a health care facility.

After that, then the legal fees start coming in because people are going to start filing class action lawsuits against the facilities seeking damages because their information was breached and things of that nature. So it becomes expensive for a facility. There have been reports of hospitals closing as a result of the impact of a breach. So again, I don't think it happens often, and that's largely why health care organizations have to have cyber insurance so that they have coverage for that, but your cyber insurance premiums continue to go up, and so there's just an increasing cost. I just pulled a few quick numbers. So in 2023, IBM Security put together a data breach report, and they're estimating that the average cost of a data breach runs roughly almost $11 million, which is a huge increase over the last 3 years or so. And those numbers kind of vary a little bit depending on the report. I've seen reports as low as about 4 and a half million on up to the 9, 10, 11 million range. 

And if you look at it, and again, as we think about the financial impact, we wonder why is health care such a target? Well, again, looking at some of the numbers, a PHI record can be worth depending on which report you look at, but anywhere from 250 to a thousand dollars each. So each record, so if I'm a health care facility and I have 60,000 records, patient records and all of that data is breached, well, that's a lot of numbers and it starts to have a pretty significant financial impact both for the person who is selling that data. So that's where they make their revenue because they can use it for multiple things. They can set up phony insurance claims, they can set up bank accounts, they can do a lot of stuff with those records that they're getting. So that's where the variance in that value is coming in. 

But if you compare that, the next highest record of value is like $5.40. So if I'm a bad guy and I'm going to go after the money, I'm going to target health care records A, because they're probably easier to get to, and B, they have a lot more value. Then I don't know if you've seen, but there is just a recent report about a huge, what they call a MOAB breach, which stands for ‘mother of all breaches’, but it's been reported in the last 2 weeks of a security breach of 26 billion records. Now, not all of those are health care, but if you figure that a percentage of them are worth up to a thousand dollars each, I mean, that's a huge payday. And yeah, so that just kind of spells out the real toll to a health care facility, from the financial impact and breach.

Those are some incredibly high numbers. 

And they keep going up. I mean, every year it's an increase in what those records are worth.

Are there certain types of health care providers or insurers that are more targeted for these cyber attacks than others?

Not in my opinion. I used to think that the larger health care facilities and providers and systems were probably a bigger target just because there seemed like there would be a lot more to gain. If you could get into a health care system that spans the country, for instance, you may stand to get access to a million records, whereas a smaller facility, you may only get a few 10,000, 20,000 records or so. And so you would think that that would be a bigger target, but it really doesn't seem like that's the case. And I think if you stop and think about it, the reality of it is those larger targets, while they do target them, and they will continue to target them because if they can get in the payday is huge, but it's going to take them more time, more effort, more tools, more resources to breach one of those larger health systems.

Usually because they're spending money on security measures, they're able to put some cash on the table to buy good tools to help protect themselves. Whereas the smaller health care systems, the dentist office, the single provider clinics, the small insurance companies, vision centers, things of that nature, even critical access hospitals, they haven't had the ability to spend the same to secure the environment. And so if I can now go after a dozen of those and easily and quickly get to their data, in some respects, my percentage of gain is higher because it takes me less time and effort, and I can keep moving on to the next one and the next one and the next one. As far as the type, I did a quick search on the ONC, what we call the HIPAA wall of shame. So it's a listing of all the facilities that have had to report to the ONC of breach. And just for January alone, there have been 49 cases that are affecting 500 or more individuals. And of those, it was spread across everything from providers to health plans to business associates to health care systems. So I don't really see that there is necessarily one side of health care that's a heavier target anymore. The payload is the same no matter which, so you're going to go after all of it.

What are some of the specific tactics being used to breach health care data security, and what can other leaders in health care do to prevent such attacks? How can there be more spreading of awareness and encouraging security measure adherence across organizations?

Yeah, no, that's a great question. And I think the tactics have not changed a lot over the last few years. The end user is still the weakest link. We talk about human firewall, and so the users are still where we have to put our focus. The tactics that are typically used are going to be phishing emails, ransomware attacks, unauthorized access, and something that we call credential stuffing or denial of service attacks, things of that nature. Pretty standard fare. It's easy to craft a phishing email to send, and if you send it to 200 people and one person clicks a link, you gain access. So it doesn't take a lot of time and effort. 

I think we're finding that it used to be somewhat easy to detect a phishing email because it was fraught with spelling errors and grammatical errors and things of that nature. But we talk about AI these days, and the criminals are using AI to their advantage too, and they're crafting much more sophisticated phishing emails that are very believable and make it hard for the end user to really know the difference. And in the rush and hurry of the day, we tend to make bad choices and click on things that we shouldn't. So I think the attack vectors haven't changed so much. There's always that one person in a facility that's disgruntled and maybe, and that's where the unauthorized access comes in, where they go out and get the information and sell it. Not so common. I'm going to tell you that phishing emails and ransomware attacks are probably still the biggest threat. And because again, we're relying on people to make the right choices and do the right things, and in the hurry of the day, it doesn't always happen. 

So what can we do as leaders to help prevent it? Probably first and foremost is embrace a really good, really robust IT security training solution. Do something that is going to put training in front of everybody on a regular basis that needs to include phishing simulations that are happening on a regular basis. I think that is probably the one. If you can do nothing else, that is the first thing that you have to do, and it needs to be supported from the top down, right? I mean, the staff need to see that the c-suite is just as concerned about security as they maybe feel they are, that the c-suite is doing the training right along with them and promoting that security training.

Communication within the organization is huge. If you suspect an email is phishing, make sure you're communicating it to IT, and IT in general can then communicate out to staff, Hey, this is something you should watch for and here's why, and explain it. Right? So it's a little bit of a training, teaching, continuous communication to encourage people of what they need to look for and how they can be more safe in their computing environment.

Investing in security technologies, things like a managed EDR or endpoint detection and response system. So something that comes along with a security operation center that's watched and managed 24/7. It's kind of that next generation of antivirus and anti-malware solution that's out. It's easy to implement. It really doesn't cost much more than a standard antivirus solution. And the benefits are significant. Invest in a zero-trust solution for your workstations, which basically means that anytime an unknown application tries to execute on a workstation, the solution is going to stop it and it has to be vetted and verified before it'll be allowed to run. So just trying to prevent malware and ransomware applications from actually running. Implement a SIEM solution, which basically is going to watch for alerts and notify people and interrogate events that are happening within the network and make sure that they're legitimate. And then just be examples, support security initiatives, invest where it matters most. I know that for some facilities that monetary impact is significant and they can't maybe do all of the things that they know they should or would really like to do, but do what you can. Invest in a good training program, invest in those EDR and endpoint protection devices that really are not that costly.

And then support the messaging, drive it home to staff that security is important, that a lack of participation in the security training and things of that nature just can't be tolerated, and it has to be done. And just keep communicating, keep varying the message so that it sticks. You worry about communication overload and people being burned out when they hear the same thing over and over and over again, and it just becomes background noise. And I think that's a risk, but I think in IT security, it's a risk that we have to take. We can do things to kind of mix it up a little bit and make it a prevalent focus on what's happening today, because things do change a little bit, so let's make it fresh and let's make it relevant for the current situations that are at hand. But we have to keep communicating. We just have to keep beating that drum. So those, in my opinion, are the biggest things that we can do. There's no end of utilities and tools and devices that we can add to grow and enhance security. And to the extent we are able to, we need to do that. That's going to vary from facility to facility just because of the inherent cost associated. So do the things you can: promote the messaging, promote the training. Training just can't be underscored enough.

Is there anything else you'd want to add that you think is important or any final message to impart?

Yeah, I think just be diligent, right? Encourage staff, look for opportunities, and just continue to be diligent. This is not something that I think is going to ever go away. Until the day that the health record has less monetary value than something else, this is a battle we're going to fight, and it really is a battle, and we just have to keep fighting.

Thanks for tuning in to another episode of Pophealth Perspectives. For similar content, or to join our mailing list, visit populationhealthnet.com.

© 2024 HMP Global. All Rights Reserved.
Any views and opinions expressed are those of the author(s) and/or participants and do not necessarily reflect the views, policy, or position of Integrated Healthcare Executive or HMP Global, their employees, and affiliates. 
