By Heather Butler and Soumitra Bhuyan
Healthcare organizations are increasingly vulnerable to cybersecurity breaches, which put patients’ safety, privacy, and financial stability at risk. Statistics have shown that from 2014 to 2022, 14,655 data breaches were reported in the United States, out of which the healthcare industry faced 4,959 breaches, the most by any industry. According to the 2019 Healthcare Data Breach Report, the total number of healthcare records that were exposed, stolen, or illegally disclosed in 2019 was 41.2 million in 505 healthcare data breaches. The expanding use of remote technology in healthcare, including telehealth and telemedicine, has been accompanied by a substantial increase in cybersecurity risks.
Cyber breaches increase the financial burden on the healthcare industry, which already faces high expenditures and low profit margins compared to many other sectors. A survey conducted by the Ponemon Institute in 2022 found that 89% of the surveyed healthcare organizations experienced an average of 43 cyberattacks in the past year, and at least 20% of organizations reported that these attacks increased patient mortality rates. For 11 consecutive years, healthcare has had the highest data breach costs of any industry, with the average total cost of a breach rising from $7.13 million in 2020 to $9.23 million in 2021.
Cybersecurity threats often stem from system vulnerabilities such as insufficient security protocols, outdated software, and a lack of regular assessments. Such increasing threats in healthcare are a significant concern for providers, policymakers, and patients. Among the various cyberattacks, denial of service (DoS), privilege escalation attacks, man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks, cryptographic attacks, structured query language (SQL) injection, malware, spyware, and phishing are the most prominent.
Ransomware and phishing attacks are common cyberattacks faced by healthcare organizations. The former typically relies on one of several other types of malware to gain a foothold in an organization and then encrypts the victim's data, after which the attackers threaten to sell or publicly expose the information if the ransom is not paid. The latter, meanwhile, uses social engineering techniques to trick individuals and/or organizations into divulging information or performing actions such as clicking on a link or downloading a file. The attackers typically use emails that redirect the recipient to a website, which either collects their information or prompts the download of malicious software, thereby giving the attackers control of their system.
A 2020 HIMSS Cybersecurity Survey found that, of the 168 healthcare security professionals polled, 118 (or approximately 70%) reported that their organizations had experienced significant security incidents in the past year. The top security incidents reported include: phishing attacks (57%), credential harvesting attacks (21%), social engineering attacks other than phishing (20%), ransomware or other malware (20%), theft or loss (16%), website or web application attacks (14%), negligent insider activity (13%), breach or data leakage (11%), and malicious insider activity (10%).
Confidentiality in patient-provider communication is paramount for patient care. The recent surge of telehealth, which happens virtually over the phone or internet, compared to traditional face-to-face patient-provider interactions, increases patients’ data vulnerability. Telehealth providers can be an easy target as healthcare data is stored and exchanged between networks and personal devices without any unified security strategy and protocol.
The rapid adoption of telehealth technology has led to a significantly increased digital footprint and vulnerability to attacks, leaving both provider and patient data at risk. A study published in the American Journal of Managed Care found that out of 51 telehealth apps, only 28 percent had a privacy policy, while only 16 percent had a security policy in place, indicating the vulnerability of these telehealth apps.
A survey conducted by Arlington Research in 2021 found that 52 percent of surveyed telehealth providers reported experiencing cases of patients refusing telehealth treatment because of data security and privacy concerns. Another study found that about 32 percent of healthcare professionals in their survey did not know whether practicing telemedicine over the telehealth network would increase the risk of security and privacy violations. This underscores the importance of educating telehealth professionals about the security features of a telehealth network.
Among the various recommendations, regular assessments, more robust security protocols, raising end-user awareness, and investing in blockchain technology for patient data protection have the most potential. Regardless, healthcare providers must remain vigilant and educated about cybersecurity risks to ensure patient information safety and security.
Furthermore, healthcare organizations must integrate cybersecurity into strategic planning and budgeting. Successful measures may necessitate governance to manage IT projects while weighing costs and balancing access to sensitive information. Organizations might adopt comprehensive approaches such as the CERT Resilience Management Model or conduct risk assessments through external parties. Monitoring user behavior and leveraging identity and access management protocols are potential strategies. The National Institute of Standards and Technology (NIST) recommends implementing multi-factor authentication, encrypting data in transit and at rest, and regularly updating software to improve telehealth cybersecurity.
Heather Butler is an undergraduate student at the School of Environmental & Biological Sciences at Rutgers, The State University of New Jersey. Soumitra Bhuyan is an Associate Professor at Edward J. Bloustein School at Rutgers, The State University of New Jersey.