Cyberattacks Put Patients’ Health at Risk, Not Just Personal Data

Regulations like HIPAA are created to protect patient data and confidentiality, not your network. Here’s why a vulnerable network is also leaving your patients’ physical health and safety at risk.

Ann Dickinson

July 21, 2022

Regardless of your familiarity with the healthcare or IT industries, you’ve probably heard of the Health Insurance Portability and Accountability Act, more often referred to as HIPAA.

According to Bitsight.com, HIPAA is an industry-based compliance framework, which requires healthcare organizations, insurers, and third-party service providers to implement controls for securing and protecting patient data and conduct risk assessments to identify and mitigate emerging risks.

However, regulations such as HIPAA are developed to protect patient data and confidentiality, not the network. This means that it’s possible to pass an audit and still have a vulnerable environment. This misdirected focus on compliance, rather than on cybersecurity as a whole, might be a contributing factor to the recent increase in cyberattacks on the healthcare system.

Healthcare institutions, regardless of size, are popular targets among cybercriminals because of the massive amounts of valuable patient data they house, and because each medical device provides an entry point into the network.

Yet vulnerabilities shouldn’t be thought of only in terms of exposed patient data. Data breaches also directly affect patients’ physical health and safety, typically across multiple healthcare providers and services due to the increased consolidation of healthcare.

Cybersecurity attacks cause disruptions and delays within multiple facets of the healthcare system. A ransomware attack can disrupt access to health records, which could delay treatments or even postpone surgeries, and could cause ambulances to be rerouted to unplanned locations. According to the 2021 HIMSS Cybersecurity Survey, roughly 1 in 5 healthcare IT professionals (21%) reported disruptions of service affecting clinical care in the past year.

An industry-based compliance framework like HIPAA is a great place to start, but it shouldn’t be the only cybersecurity contingency plan, especially when having a strong cybersecurity plan in place is a matter of life or death.

John Riggi, the top cybersecurity adviser at the American Hospital Association, advises hospital employees to think about cybersecurity in terms of harm to patients, and to follow these 10 steps when creating a plan.

  1. Develop clear cybersecurity policies that are accessible. 
  2. Educate employees on email phishing, and what to do with emails from outside the network or unknown sources. 
  3. Install basic defenses. 
  4. Get an evaluation of the cybersecurity score from an external firm. 
  5. Identify and fix current and potential vulnerabilities. 
  6. Have an emergency response in place in case a cyberattack happens, with defined roles for the leadership team. 
  7. Have a robust plan for patient care in case of a cyberattack. 
  8. Make sure the corporate partners are also practicing good cybersecurity hygiene.
  9. Continuously talk to other healthcare organizations about cybersecurity, and share information on threats and best practices.
  10. Take advantage of free resources, such as the Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security.

For additional free resources, check out the 10 biggest cyberattacks in healthcare in the 1st quarter of 2022 (chiefhealthcareexecutive.com) or reach out to us for a free scan of your environment today!
