By making strategic yet affordable investments and undertaking specific basic measures, smaller practices can make great strides to strengthen their defenses.
When it comes to cybercrime, the healthcare sector has one of the biggest targets on its back. Due to the high value of patient data on the dark web, growth in connected devices, lack of resources within practices focused on cybersecurity, and distractions associated with the COVID-19 pandemic, healthcare organizations have become more vulnerable to costly, damaging cyberattacks.
Small- and mid-sized ambulatory care practices arguably face the most challenges, given their limited staff and capacity, full patient appointment schedules, and even financial limitations. Conversely, large health systems and hospitals have several IT team members dedicated solely to cybersecurity.
An August 2021 report from CyberMDX showed that the average cost of a shutdown caused by a cyber incident exceeds $45,700 per hour for smaller organizations, with an average shutdown time of 10 hours, compared to $21,500 per hour at an average 6.2 hours of downtime for larger healthcare institutions. During the first half of the year, ambulatory care practices, including family medicine and specialty clinics, were targeted nearly as often as hospitals, according to analysis of Department of Health and Human Services data.
As everyone's eyes turned toward pandemic response in 2020, cybercriminals focused on healthcare. Early last year, 79% of healthcare data breaches were the result of cyberattacks. The pace ramped up even more in November and December of 2020 with a 45% increase in healthcare cyberattacks.
Cybersecurity Ventures projects that healthcare will suffer two to three times more cyberattacks in 2021 than other industries.
These predictions are holding true, with ransomware being among the top perpetrators. By May 2021, the Conti ransomware alone infected more than 290 healthcare organizations, gaining access to them through malicious links, infected attachments, or stolen Remote Desktop Protocol (RDP) credentials.
Phishing attacks are gaining steam as well, considering how heavily practices rely on email and other cloud communications. The Department of Health and Human Services noted that 42% of breaches in 2020 involved email. These statistics are staggering, but not surprising considering how few resources are put toward cybersecurity: only 6% or less of the total IT spend.
Cyberattacks against healthcare are typically very lucrative for criminals. According to Experian, patients’ full medical records can sell on the dark web for up to $1,000 per patient, compared to credit cards and Social Security numbers, which go for about $5 and $1 each, respectively.
Small and mid-sized ambulatory care providers may feel that a lack of staff, expertise, money, and time keeps them from having dedicated cybersecurity staff. Despite these obstacles, cybersecurity should not be viewed as a sacrifice.
Here's a look at five basic steps these practices can take to lessen the risk of cyberattacks:
Protecting against cyberattacks may seem like an impossible job, particularly as healthcare practices are constrained by limited budgets and overworked employees. But by making strategic yet affordable investments and undertaking specific basic measures, smaller practices can make great strides to strengthen their defenses.