Knowledge Expansion Cyber incidents in healthcare: How much would you pay? Insight Article Risk & Compliance Business Operations Technology Sign in to save David Finn The healthcare industry in the United States has experienced its fair share of cyber incidents — from ransomware to distributed denial of service (DDoS) attacks and data breaches — in recent years. Breaches alone cost the healthcare sector $6.2 billion each year, and a single data breach (across all sectors) costs $4 million. In healthcare, these costs include forensics, breach notification, lawsuits, fines and remediation costs. They also include diminished brand value and lost revenue. The latter is a bit easier to identify. Organizations know what their financial run rates were historically and leading up to the event, so short-term financial losses after the incident can be extrapolated. On the other hand, brand value can be hard to estimate because reputation is not a tangible asset. That’s why it’s important for practice leaders to better understand potential intangible losses caused by a cyber incident or data breach. A 2017 study found that 45% of IT practitioners and 42% of chief marketing officers did not believe their senior management understood the importance of preserving their company’s reputation. For large, publicly traded companies, stock prices drop an average of 5% immediately after a data breach is disclosed, but it’s not as easy to quantify for an industry in which many of the largest providers are private, not-for-profit organizations. Healthcare runs on trust. If patient trust is lost, those patients may walk if they have alternatives, which can result in a significant loss of revenue. This threat goes beyond breaches, too. In 2014, Boston Children’s Hospital experienced a DDoS attack by the hacker group Anonymous following treatment of a young patient who was removed from her parents’ care by the state. While the hospital never closed, it had to shut down external websites as the attack continued. The incident happened during an annual fundraising event and shut down a website for sourced donations. “This was not a tens of thousands of dollars thing, it was significantly more than that,” the chief information officer said of the incident. The loss was significant enough that Boston Children’s filed a claim against the hospital’s cyberinsurance carrier for the event; however, because there was no breach of data, the underwriter didn’t process the claim. The hospital was able to protect patient data and avoid a breach, despite the financial impacts. Cyber incidents and patient consumerism The loss of patients is another way cyber incidents can adversely affect a practice. One study indicated that 54% of patients said they would be very or moderately likely to change providers after a security data breach involving their personal health information. Those patients from that survey also said they would be most likely to switch providers if practice staff had caused the breach. A separate study by TransUnion Healthcare found similar results: 65% of patients would be likely to switch providers after a data breach. Changing providers may not be the worst news from the TransUnion study, however. Nearly one-quarter of respondents reported that security concerns inhibit their communications with their doctor: 9% said they always or often withhold personal health information and another 12% indicated that security concerns could lead them to withhold information from their doctors. If caregivers don’t get a full picture of their patients’ history, treatment won’t be as effective and may actually be inappropriate and cause harm. On top of this, an analysis of Department of Health and Human Services and Centers for Medicare & Medicaid Services data suggests more than 2,100 patient deaths annually could be attributed to hospital data breaches. The study compared patient-care metrics at hospitals that have experienced a data breach to those that have not. One of the metrics was the proportion of patients who suffered a heart attack and died within 30 days of admission to a hospital. Analysis found the rate of patient deaths increased by 0.23% one year after a breach and by 0.36% two years after a breach — roughly 2,160 additional deaths per year. Researchers explained that a data breach both diverts funds from patient care and distracts physicians for years after the event. Disruption from remediation activities, regulatory inquiries, litigation and more can occur for years after the breach and result in delays to services that translate to quality of care issues. Guarding against incidents The best way for organizations to reduce their risk and improve their ability to respond is by adopting a cybersecurity framework. The most widely adopted framework in healthcare is the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). Using this framework, organizations can create a risk-based, comprehensive and current approach to information protection and cybersecurity. A 2018 study on cyber threats evaluated hundreds of facilities, including physician practices, against the NIST CSF on a six-point scale ranging from 0 or “incomplete” to 5, which indicates an “optimized process.” The findings showed that physician practices scored an average of 2.0 and 1.8, respectively, in the areas of “respond” and “recover,” compared to scores of 2.6 and 2.5 for hospitals/health systems and 2.8 and 2.9 for business associates. Taking proper actions immediately after a cyber incident or data breach can reduce fallout. The better prepared your organization is, the sooner it will be able to identify the incident, what’s been affected, ways to limit its scope, what to do and how to respond — internally and externally — and how to recover from the event. What is the NIST Cybersecurity Framework (CSF)? Published by the U.S. National Institute of Standards and Technology in 2014, the CSF offers guidance on assessment and improvement in private-sector organization’s ability to prevent, detect and respond to cyberattacks. Updated most recently in April, the core area of the CSF is defined by five key functions applicable to any organizations. Those functions contain various categories relevant to cybersecurity: Identify: Asset management, business environment, governance, risk assessment and risk management strategy Protect: Access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology Detect: Anomalies and events, security continuous monitoring and detection processes Respond: Response planning, communications, analysis, mitigation and improvements Recover: Recovery planning, improvements and communications Adoption of the CSF often leads to development of a “current profile” of an organization’s cybersecurity work, which provides a baseline for a “target profile” of improvements.