Healthcare cyberattacks are costing an average of $11 million per breach
Ransomware attacks have dominated, accounting for over 70% of healthcare cyberattacks in the past two years.
The global healthcare sector experienced a staggering 1,613 cyberattacks per week in the first three quarters of 2023, nearly four times the global average, and a significant increase from the same period the previous year, according to a KnowBe4 report.
This surge has contributed to a steep rise in cyberattack costs for healthcare organizations, with the average breach cost nearing $11 million – more than three times the global average – making healthcare the costliest sector for cyberattacks.
Ransomware attacks have dominated, accounting for over 70% of successful cyberattacks on healthcare organizations in the past two years.
Phishing and social engineering tactics are the primary methods used to initiate the majority of cyberattacks, with estimates suggesting that 79% to 91% of attacks begin this way.
The report noted employees in large healthcare organizations have a 51.4% likelihood of falling victim to phishing emails, giving cybercriminals a better than even chance of successfully breaching these institutions.
"Healthcare is already expensive, partly due to the cost of equipment and consumables needed to diagnose and treat illnesses and injuries," said Erich Kron, security awareness advocate at KnowBe4. "Paying a multi-million-dollar ransom, plus the cost of a security team brought in for incident response, is a significant outlay of funds."
He added this is especially true given the huge size of modern healthcare systems that may be connected across the country.
WHY THIS MATTERS
Healthcare organizations collect and process a huge amount of sensitive data – and cybercriminals know it.
The risk of regulatory fines and lawsuits arising from the leakage of this information is monumental, and attackers exploit that exposure to demand large ransoms.
The healthcare industry is also very computer-driven, with a huge number of network-connected devices and computer systems online at any time.
"After an attack, it is critical to make sure these devices do not contain backdoors or other malware that will allow attackers to reinfect the network again in the future," Kron said. "This all takes time, skills and money to accomplish."
He added the sheer volume of attacks on something as critical as healthcare, combined with the extremely high click rates in the industry, paints an unfavorable picture for the future of healthcare data.
"Not only is data at risk, but healthcare workers are also often overwhelmed with patient loads and the loss of technology further burdens them, possibly to the point of breaking," he cautioned. "This could result in dangerous mistakes being made, not out of malice or carelessness, but out of exhaustion."
THE LARGER TREND
Change Healthcare, Ascension and Kaiser Foundation Health Plan are among the most recent targets of far-reaching cyberattacks, the fallout from which is likely to continue even as new breaches arise.
Kron said that with attacks becoming more common – and apparently more damaging – healthcare organizations need to focus on cybersecurity in the same way they focus on safety.
"At the end of the day, a successful ransomware attack is a safety concern for the patients and employees and must be treated as such," he said.
KnowBe4, based in Clearwater, Florida, offers security awareness training and simulated phishing platforms. It is used by more than 65,000 organizations worldwide, according to the company.
From Kron's perspective, it is critically important that healthcare organizations look closely at their specific risks and develop a plan to address them.
"Not every organization is the same, so the critical risks may vary from place to place and it is important to not spend financial and human resources addressing low-risk items," Kron said.
He explained a focus on human risk is important – most ransomware attacks start with a phishing email directed at an employee. "It is also relatively low-cost and can be tied in many ways to existing safety programs," he said.
The goal is to improve the organization's security culture in the same way safety programs make sure employees think about keeping patients safe.
In addition, healthcare organizations should have robust incident response plans in place and should test them often.
Kron explained many organizations have found themselves unable to make decisions, figure out processes, or contact key decision-makers while dealing with an incident.
"A lot of time that could be used to stop the spread of malware or start recovering is wasted while figuring out what to do next," he said. "A solid plan that is tested is invaluable in these situations."
Email the writer: nathaneddy@gmail.com