COVID-19 has ushered in a new era of health care where providers are now on the front lines of a dual-sided war. Not only are patients vulnerable to the spread of the virus, they’re also vulnerable to any gaps in your hospital’s cybersecurity measures—especially as demand for telehealth grows.
The health care industry has always been a prime target of hackers, of course, partly because patient data fetches the highest dollar on the black market compared to other forms of information. The threat is especially acute for ransomware, with 88% of those attacks targeting hospitals.
With the rise of COVID-19 come malicious assaults on health care institutions by hackers taking advantage of the rise in telehealth, and for good reason: Projections for the telehealth market show tremendous year-to-year growth of 64.3% after the pandemic caused a surge in demand for the technology.
But while the benefits of telehealth are clear, so are the risks it poses for patient privacy and cybersecurity. And the pandemic has increased the risk: In March, HHS temporarily lifted some HIPAA regulations on platforms used for telehealth visits, announcing it will not levy any penalties for covered health care providers who use the tools. This means the use of any non-public-facing platform like FaceTime, Zoom or Skype is not subject to penalties for HIPAA noncompliance during the health crisis.
While this allows for quick and remote health care, these virtual patient rooms open the door for malware and hackers to target sensitive data.
The true cost of a cyberattack
A report from Radware exposed a staggering statistic on the cost of recovering from a cyberattack: a whopping $1.1 million on average, up 52% in 2019. With the current health crisis, the amount could be even more.
And in a recent June attack on the University of California San Francisco’s School of Medicine, ransomware encrypted several servers, and hackers demanded money in exchange for access to the compromised files. The university was forced to pay $1.14 million to regain access to the files—nearly half the demanded sum.
On top of the financial hit, a cybersecurity threat can affect your organization long after the initial attack takes place—and may even be a matter of life and death. In fact, cyberattacks can negatively affect patient response times, which are particularly critical in time-sensitive cases like heart attacks. One study revealed an increase of 2.7 minutes in ECG administration time for hospitals that were affected by a cyberattack, with an increase in heart attack mortality rates up to three years after the incident.
With lives in the balance, it’s often up to the provider to continually monitor their devices for suspicious activity, a task that only adds to the day-to-day stress of caring for patients.
How to protect against telehealth cyberattacks
What can leadership do to help mitigate cybersecurity risks? Your organization needs to prioritize its digital hygiene as much as its sanitary hygiene, especially for small-to-medium organizations that lack a dedicated cybersecurity team. Here are three ways your organization can protect itself:
Implement security training
An alarming finding from Kaspersky showed that nearly one-third (32%) of health care professionals had never been given any form of cybersecurity training. With health care providers responsible for monitoring their own devices for potential threats, cybersecurity education is critical for your organization. From weak passwords to suspicious emails, security training helps reduce the “human error” involved in many malware attacks. For the emerging field of telehealth, the warning signs of an infected device may be unclear to the untrained eye, so teaching staff to spot a threat early will minimize harm done to your system and help establish a culture of security.
Partner with a health care cybersecurity specialist
Contracting with a full- or part-time health care IT specialist who understands both the increased cybersecurity risks of telehealth and the importance of meeting HIPAA and FedRAMP compliance will help ease some of the burden on health care providers. Plus, a specialist can assist your organization with other protective measures like migrating sensitive data to the cloud and drafting a response plan in the event of a cyberattack.
Use secure vendors
It’s no surprise telehealth comes with some patient hesitancy. Those who engage in a telehealth visit with their provider expect their data to remain private and confidential, which means thoroughly vetting the vendors your organization uses. Making sure vendors are HIPAA-compliant and have implemented privacy measures of their own will prevent any breaches of confidential data, like what recently happened with UK-based app Babylon, which suffered an attack that leaked videos of patients’ private consultations. A data breach can negatively affect your reputation, impacting patients’ perceptions of your care as a whole.
Cyberattacks will continue to be a threat
With threats evolving as quickly as the technology itself, cybersecurity will continue to be a hot health care topic in the future. The imbalance of qualified cybersecurity workers and high demand for positions has created a wide skills gap, one that organizations are urgently seeking to bridge. With the average salary projected to grow, finding strong, direct-hire cybersecurity talent can present a challenge, and some systems have implemented solutions for the shortage in the meantime.
While completely eliminating the risk of a cyberattack may not be possible, implementing some smart strategies in your organization to protect sensitive data acts as your best safeguard.
Kim Hernandez is the Sr. Regional Manager for the Healthcare IT Division at Morgan Hunter, serving health care organizations nationwide to help them meet a range of hiring needs, from temporary staffing to direct-hire placements.