Getty Images

Healthcare Cyberattacks, Data Breaches Pressuring Nonprofit Orgs 

A new Fitch report notes the increase in cyberattacks against nonprofit healthcare facilities and hospitals.

Heathcare facilities and hospitals are facing a rise in cyberattacks, creating increased revenue and expense pressures on not-for-profits (NFP), according to a new report

Fitch Ratings released a report on July 22 entitled, “Relentless Cyber Attacks to Pressure NFP Hospitals’ Operations.”  

“The healthcare sector has seen a historic increase in the number and severity of cyber assaults over the past 18 months,” the report states. “The sector is viewed as a target-rich environment due to the large amount of sensitive data that healthcare entities maintain for patient care and operations.” 

With an uptick in cybercrimes during the COVID-19 pandemic, “cyber criminals took advantage of the crisis, causing immense disruption to the healthcare sector at a time when it was facing enormous patient care demands. Ransomware pay-outs and efforts to protect or ‘harden’ healthcare systems and cyber defenses are affecting hospital financial flexibility by increasing on-going operating expenses,” the newly published report notes.  

“Attacks may also hinder revenue generation and the ability to recover costs in a timely manner, particularly if they affect a hospital’s ability to bill patients when financial records are compromised or systems become locked. The recovery time and costs associated with breaches of critical data not only pose significant financial burdens but also hamper the ability of healthcare institutions to provide care, which could ultimately have human costs.” 

In 2020, cyber breaches were responsible for exposing over 22 million Americans’ patient data, according to the report.  

“Restoration of systems to pre-attack status took an average 236 days,” the report states, adding that the healthcare sector is a “treasure trove of critical and sensitive patient data, which are highly sought after by cyber criminals for ransomware and double extortion schemes.” 

John Riggi, the American Hospital Association’s senior advisor for cybersecurity and risk, weighed in on the new report.  

“This report serves as another validation point, which unfortunately has become very evident - cyberattacks, particularly ransomware attacks, targeting hospitals have grown in frequency and severity with wide ranging impact including disruption of care delivery, potential risk to patient safety and lost revenue due to disruption of services,” Riggi said in a statement to HealthITSecurity.   

“We have also seen firsthand how COVID-19 translated into a cyber ‘triple threat’ for hospitals,” Riggi stated. “One, an expanded ‘cyberattack surface’ due to the urgent need to rapidly expand network connected devices and increased reliance on internal and remote technologies to care for patients, two, an increase in cyberattacks exploiting the expanded attack surface, and three, reduced revenue and resources available for hospitals to bolster network defenses and counter increased attacks.” 

“Cybersecurity has become a top priority for hospitals to protect patient data and patient safety,” Riggi stated. “Unfortunately, we do not see cyber threats diminishing without sustained and strong government action to defend the homeland from these foreign-based cyber adversaries.” 

The Fitch Report stated that healthcare workers that worked remotely during the pandemic also added to security concerns. 

“Remote work for nonessential staff opened up opportunities for infiltration, as did the sector's increased use of integrated technology, such as smart medical monitoring devices, telehealth and other virtual care capabilities,” the Fitch report states.  

“Software for such devices and heavy medical equipment such as CT scanners and MRI machines are often proprietary and designed with patient care and not necessarily cyber risk in mind. Thus, such software may not always be fully integrated in the institutional cyber defense framework. Additionally, the large costs of such equipment generally mean that institutions, particularly smaller hospitals, may rely on these devices for many years, even with outdated or unsupported software, leading to gaps in institutional security systems.” 

One expert, Bert Kashyap, co-founder and CEO of cybersecurity firm SecureW2, weighed in on the remote work security issue the health facilities are facing. 

Kashyap said that initially during the early phase of the pandemic, the healthcare sector was focused on getting workers the ability to work from home. Now, with an increased cyber threat level, facilities need to focus on cybersecurity. 

“Cyberattacks are stretching IT budgets of healthcare organizations especially due to surges in ransomware and the general threat they pose,” Kashyap said. “The types of services and devices healthcare organizations support are expensive, complex, and need continuous availability which makes securing them very expensive. Furthermore, the deep integrations with numerous third-party providers mean compromises elsewhere now have an immediate financial impact on operations.” 
 

Next Steps

Dig Deeper on Cybersecurity strategies