Covered entities must commit to keeping protected health information (PHI) secure by first preventing unauthorized data breaches, and by second, guaranteeing PHI remains inaccessible if a breach does occur. Employing strong cybersecurity measures, including email security that guarantees HIPAA compliant email, is the safest way to ensure hospital shutdowns and their repercussions don’t occur.
In July 2019, a ransomware attack by the Ryuk variant targeted Springhill Medical Center in Mobile, Alabama. Ryuk threat actors have infected hundreds of healthcare providers over the past few years. The ransomware knocked Springhill Medical Center’s IT systems offline for three weeks; staff reverted to writing all paperwork by hand. Most unfortunately, the attack disrupted communications, access to technology, and patient care. A mother whose daughter died nine months after delivery (during the aftermath of the cyberattack) filed a lawsuit against the hospital. The lawsuit alleges that the hospital did not inform the mother about the cyberattack when she arrived to give birth. It also states that the cyberattack ultimately compromised the visibility of fetal heartbeat monitors in the labor and delivery ward. Because of this, staff missed critical data needed for accurate patient care. Springhill Medical Center denies wrongdoing but if the lawsuit succeeds, it will mark the second confirmed death of a patient due to a ransomware attack.
A ransomware epidemic
Ransomware is malware (or malicious software) used to deny a victim access to a system until a ransom is paid. Victims typically download malware through phishing emails that include malicious attachments or fraudulent links. Email is the most accessible threat vector (or entry point) into any network since employees are the weakest link in the cybersecurity chain.
Ransomware attacks have caused so much chaos that some describe the onslaught as a ransomware epidemic. The U.S. government, after elevating the threat level of ransomware, even created a federal task force to address the problem. In 2020, ransomware-related breaches accounted for almost 50% of healthcare cyberattacks. Moreover, over 1 million people every month had their data exposed because of a healthcare breach. Unfortunately, the costs of a breach of unsecured data can be astronomical, especially in the healthcare industry.
Healthcare costs: expensive and deadly
Healthcare providers have always been juicy targets to cybercriminals because, among other reasons, hospitals can’t fully operate and treat patients without access to technology or PHI. In fact, a disruption of critical services is just one of several reasons those in the healthcare industry are more likely to pay a ransom.
RELATED: To pay or to not pay for stolen data
But damages go beyond possible ransom payments and other related monetary costs. Sadly, the aftermath of a ransomware attack can be difficult for many organizations to resolve. For healthcare organizations, a breach can also become lethal. When confronted with a breach, healthcare providers may face unrecoverable PHI, shutdown services, HIPAA violations, and upset patients. And consequently, patients’ deaths.
In fact, a new report from the Ponemon Institute explores a link between ransomware and mortality rates, also highlighting four other impacts:
- Complications from medical procedures
- Delays in procedures and tests that result in poor outcomes
- Increase in patients transferred elsewhere
- Longer lengths of stay
And as in the case of Springhill Medical, a further impact: a lawsuit brought on by the interruption of adequate services.
Be proactive and employ best cybersecurity practices
Given the importance of providing solid patient care, covered entities must protect themselves from data breaches with a layered approach to cybersecurity.
What does this mean? It means utilizing a cybersecurity program that includes:
- Employee awareness training
- Up-to-date and consistent policies and procedures
- Strong technical and physical access controls
- Patched and updated systems and devices
- Clear recovery and backup plans
And, given the nature of ransomware attacks, email security, like our HITRUST CSF certified solution, Paubox Email Suite Plus. Paubox Email Suite Plus protects email from inbound and outbound threats. It can be used from any existing email platform (e.g., Microsoft 365 and Google Workspace) and requires no change in email behavior.
Our solution also offers a new, patent-pending security feature, Zero Trust Email, which insists on another layer of verification before any email is delivered. It is time that healthcare organizations take ransomware protection seriously before service disruptions play a role in another patient’s death. Proactively understanding, implementing, and updating cybersecurity is the only way to ensure everyone remains safe.