One hundred million dollars.
That’s the price tag on just one healthcare “cybersecurity incident” this year.
In April 2022, one of the largest hospital companies in the United States announced it had suffered a cyberattack. Tenet Healthcare Corporation operates 620 healthcare facilities in 34 states including 60 acute care hospitals. The attack on its systems caused weeks of service delays and downtime at various facilities, and impacted over a million patients. By the time the company released its Q2 earnings in July, it was reporting “significant adverse EBITDA [earnings before interest, taxes, depreciation, and amortization]” due to the incident and “$100M in unfavorable impact…brought on by lost revenues from interruptions to business operations and remediation.”
According to HealthITSecurity, “An investigation revealed that an unauthorized party potentially infected the hospital network with malicious code and was able to remove some data from the network between March 3 and April 24. The information involved in the incident included names, Social Security numbers, health insurance information, medical record numbers, dates of service, provider and facility names, addresses, birth dates, reason for visit, procedure information, account or claim status, and billing and diagnostic codes.”
The company is also facing at least one class action lawsuit alleging Tenet and its affiliates “failed to follow industry standards to protect patients’ data, including providing sufficient employee education, implementing multilayer security systems and installing malware detection software common among health care providers…[and] also failed to meet minimum cybersecurity standards set by multiple organizations and did not have data security practices that aligned with Federal Trade Commission guidelines.”
Sad status quo
The repercussions of this attack are staggering — but hardly anomalous. Last year, it was Scripps Health suffering to the tune of $112.7 million. A May 1, 2021, cyberattack on its systems led to a month of serious disruptions to patient care and organizational function, as well as the theft of sensitive data from nearly 150,000 patients. The incident was directly reflected as lost dollars in the company’s quarterly earnings report just 60 days later: “As of June 30th, we estimate total lost revenues to be $91.6 million and incremental costs incurred to address the cyber security incident and recovery were estimated at $21.1 million.” And the year before that, it was Universal Health Services getting hit by a September 2020 cyberattack that cost the company $67 million according to its year-end 10-K.
These are shocking numbers, but cybersecurity issues have become so pervasive in healthcare that they rarely seem to generate the kind of alarm they should. In October alone this year, there were breach reports issued by Michigan Medicine, Ascension St. Vincent’s Coastal Cardiology, Radiology Associates of Albuquerque, CommonSpirit Health, Anesthesia Associates of El Paso, Providence WA Anesthesia Services, Keystone Health, Aesthetic Dermatology Associates, CSI Laboratories, Zomo Health, Anthem MaineHealth…the list goes on. The US Department of Health and Human Services maintains a maddeningly long catalog of cases currently under investigation involving breaches of protected health information affecting 500 or more individuals. It contains over 500 active cases for 2022 alone.
And it’s not just ransomware gangs and anonymous criminal hackers that healthcare organizations have to worry about. Careless deployment of third-party tools poses a serious threat of its own. It now appears tracking technologies “from companies like Google and Facebook’s parent company Meta” may have been collecting sensitive information, including protected health information (PHI), on up to 3 million patients at Advocate Aurora Health. Similar technologies were deployed by WakeMed, potentially feeding Facebook “information such as: email address, phone number, and other contact information; computer IP address; emergency contact information; information provided during online check-in, such as allergy or medication information; COVID vaccine status; and information about an upcoming appointment, such as appointment type and date, physician selected, and button/menu selections.” Same with Novant Health, and who knows how many others. The mechanism is mundane: a tracking script embedded in a patient portal runs in the patient’s browser with the same access to the page as the portal’s own code, so whatever the patient types, selects, or clicks is available to it and goes wherever the vendor’s script sends it. Naturally, lawsuits have already been filed.
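Finding out whether a portal page carries this kind of script is a static check, not a forensic investigation. The following is an added example, not code from the article or from any of the organizations named: it scans page HTML for the public loader and beacon hostnames used by the Meta Pixel and Google tag products, then evaluates whether a given Content-Security-Policy header would actually stop the browser from loading them. The patient check-in page, the pixel IDs, and the two CSP headers are constructed samples; the hostnames are the real public endpoints of those products.

```javascript
// Added example (not from the article): static audit of a patient-portal page
// for third-party tracking loaders, plus a check of whether a CSP blocks them.
// Hostnames are the public Meta Pixel / Google tag endpoints; everything else
// (sample HTML, IDs, CSP strings) is constructed for illustration.

const TRACKER_HOSTS = {
  'connect.facebook.net': 'Meta Pixel loader (fbevents.js)',
  'www.facebook.com': 'Meta Pixel image beacon (/tr)',
  'www.googletagmanager.com': 'Google Tag Manager / gtag loader',
  'www.google-analytics.com': 'Google Analytics collector',
};

// Collect src= URLs from script/img/iframe tags, plus absolute URL string
// literals (pixel snippets usually build the loader URL inside inline JS).
function extractResourceUrls(html) {
  const urls = [];
  const tagRe = /<(script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const litRe = /["'](https?:\/\/[^"'\s]+)["']/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) urls.push({ tag: m[1].toLowerCase(), url: m[2] });
  while ((m = litRe.exec(html)) !== null) urls.push({ tag: 'inline', url: m[1] });
  return urls;
}

function hostOf(url) {
  try {
    // Protocol-relative "//host/path" is common in pasted snippets.
    return new URL(url.startsWith('//') ? 'https:' + url : url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Returns one entry per distinct tracker host the page would load.
function findTrackers(html) {
  const seen = new Map();
  for (const { tag, url } of extractResourceUrls(html)) {
    const host = hostOf(url);
    if (host && TRACKER_HOSTS[host] && !seen.has(host)) {
      seen.set(host, { host, via: tag, what: TRACKER_HOSTS[host] });
    }
  }
  return [...seen.values()];
}

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one CSP source expression permit loading from this third-party host?
// Keywords, nonces and hashes (quoted) never match a remote host; "https:" or
// "*" match everything; "*.example.com" matches subdomains only, per CSP3.
function sourceAllowsHost(source, host) {
  if (source.startsWith("'")) return false;
  const s = source.toLowerCase();
  if (s === '*' || s === 'https:' || s === 'http:') return true;
  const m = s.match(/^(?:https?:\/\/)?([^/:]+)/);
  if (!m) return false;
  const pattern = m[1];
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Which of the found trackers would the browser still load under this CSP?
// script-src governs <script> and inline-built loaders, img-src governs <img>,
// frame-src falls back to child-src; all fall back to default-src.
function trackersAllowedByCsp(trackers, cspHeader) {
  const policy = parseCsp(cspHeader);
  return trackers.filter(({ host, via }) => {
    let sources;
    if (via === 'img') sources = policy['img-src'] ?? policy['default-src'];
    else if (via === 'iframe') sources = policy['frame-src'] ?? policy['child-src'] ?? policy['default-src'];
    else sources = policy['script-src'] ?? policy['default-src'];
    if (!sources) return true; // no applicable directive: nothing is blocked
    return sources.some((src) => sourceAllowsHost(src, host));
  });
}

// Constructed sample: an online check-in page with an abbreviated Meta Pixel
// snippet, a GTM loader, and the noscript beacon. IDs are placeholders.
const SAMPLE_CHECKIN_PAGE = `
<html><head>
<script>
!function(f,b,e,v,n,t,s){ /* pixel bootstrap abbreviated */
t=b.createElement(e);t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','0000000000'); fbq('track','PageView');
</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&ev=PageView&noscript=1"/></noscript>
<form action="/checkin"><label>Allergies <input name="allergies"></label>
<button name="reason" value="cardiology">Cardiology visit</button></form>
</body></html>`;

// Weak policy: scheme-only script-src and wildcard img-src let every tracker through.
const WEAK_CSP = "default-src 'self'; script-src 'self' https: 'unsafe-inline'; img-src *";
// Hardened policy for authenticated portal pages: first-party origins only.
const STRICT_CSP = "default-src 'self'; script-src 'self'; img-src 'self' data:; connect-src 'self'; frame-src 'none'";

function auditPortalPage(html, cspHeader) {
  const found = findTrackers(html);
  return { found, stillLoaded: trackersAllowedByCsp(found, cspHeader) };
}

console.log('weak CSP  :', auditPortalPage(SAMPLE_CHECKIN_PAGE, WEAK_CSP).stillLoaded.map((t) => t.host));
console.log('strict CSP:', auditPortalPage(SAMPLE_CHECKIN_PAGE, STRICT_CSP).stillLoaded.map((t) => t.host));
```

Run against the sample, the weak policy leaves all three tracker hosts loadable while the strict one blocks every one of them. The CSP check is deliberately conservative: it only answers whether a host is permitted, and it treats a missing directive as an open door, which is how the browser behaves. A real audit would run this over every authenticated page, not just the public front door, and would review the vendor's script itself, since a first-party-hosted copy of a tracker would pass the hostname check.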
Leave aside the ethical issues concerning potential impact on millions of individuals whose very private health information is no longer private, or those surrounding proliferating incidents of inability to deliver essential care. In a purely commercial sense, cybersecurity weakness is rapidly becoming an existential threat to financial solvency in healthcare. The number, scale, and costs of breaches and cyberattacks keep growing. Sure, organizations can now purchase cybersecurity insurance as a contingency, but it is no substitute for controls: Tenet has “recouped $5 million from its cybersecurity insurance” against that $100M loss, one twentieth of the damage.
I sympathize with Tenet and all the other victims of cyberattacks and breaches. Healthcare organizations didn’t cause this scourge. The complexities of adapting to data-driven and digitized healthcare innovation while upholding privacy and security responsibilities and maintaining a patchwork of systems that are constantly under threat are, to say the least, daunting.
But technological evolution has produced an urgent need to recalibrate how risk is assessed and mitigated, as well as how infrastructure is monitored and adapted. The sector needs a shift in mindset. Cybersecurity is not some ancillary function of an IT department. It’s now a core competency essential to operating any healthcare business and should be addressed by leadership with actionable intelligence and insight.
Facing that truth requires effort — and investment. Continuous attention to how we collect, store, move, and utilize health information is the new cost of doing business. We already have excellent best practices, but healthcare fails to implement them consistently. We already have myriad streams of vital information on relevant cybersecurity threats and risks, but healthcare fails to use them strategically. Healthcare organizations need to establish a new kind of cybersecurity situational awareness if they hope to survive.
New and formidable cyber threats arise daily. Thwarting them requires decisive leadership and serious commitment. Healthcare cybersecurity is a challenge we must face now.