The growing impact of cyberattacks

According to Riggi, the number of ransomware and other cyberattacks against hospitals and health systems have increased in the last few years due to healthcare's growing reliance on network and internet-connected technology.

In IBM's Cost of a Data Breach 2022 report, healthcare was the industry most significantly affected by data breaches. Each breach costs healthcare companies an average of $10.1 million, and losses may be large enough to force some hospitals out of business.

These attacks also often disrupt and delay healthcare services, which can then negatively impact patient safety and outcomes.

"Attacks that take place in real time cause direct losses to hospitals, which have to reroute patients, deny care, lose access to electronic health records and see the risk to human lives rise as a result of the attack," said Limor Kessem, a principal consultant in cyber crisis management for IBM's Security X-Force. "That's on top of staff distress and having to revert to manual procedures and paperwork."

It can also take months for a hospital or health system to recover from a cyberattack. For example, Johnson Memorial Health was hit by a cyberattack in October 2021 and did not return to near-normal operations until almost six months later. The organization has also struggled with costs from the cyberattack, including seeing its annual insurance premium increase by 60%.

"That is an incredible increase in cost over the last three or four years and...when your claims aren't paid, it can be even more frustrating," said Johnson Memorial CEO David Dunkle. "We are investing so much in cybersecurity right now that I don't know how small hospitals will be able to afford [to operate] much longer."

How to prepare for a cyberattack

To help hospitals and health systems effectively prepare for cyberattacks, Riggi offers four key tips:

1. Take a multidisciplinary approach to your emergency response plans

When developing emergency response plans for cyberattacks, be sure that leaders across the organization, clinical staff, emergency managers, and other stakeholders are all included.

Partnering with your local community and coordinating with other healthcare organizations can also help mitigate the effects of a cyberattack across a region. Establishing prearranged channels of communication can make it easier to share information across organizations.

2. Expect cyberattacks to happen and plan for longer recovery times

According to Riggi, organizations should prioritize cybersecurity investments, with consideration toward the long-term effectiveness and reliability of these solutions.

Organizations should also educate and train their staff, conduct phishing exercises, and have several plans for incident response, disaster recovery, and business continuity in place. Cyber incident response planning should also be integrated with emergency response planning, and there should be department-specific plans to help identify high-risk patients and ensure continuity of care if an attack occurs.

Over time, leaders should continue to work closely with staff to continually refine processes and gather feedback.  

3. Create an evidence base of cybersecurity best practices

Riggi recommends organizations invest in research evaluating the effectiveness of different cybersecurity interventions. Organizations should also share their findings to help improve cybersecurity efforts across the entire healthcare industry.

4. Carefully evaluate new technologies and vendors

Organizations should practice due diligence when evaluating outside resources to reduce attacks. They should also encourage accountability, evidence-based practices, and stronger security measures from technology vendors. (Riggi, American Hospital Association, 10/2)

To get started, use this resource page to guide you through the following steps for becoming a cyber resilient organization:

1. 3 steps to (finally) address your cybersecurity 'elephant in the room'

2. How to be a cybersecurity sentinel

3. Scripps CEO: What we learned from being attacked by ransomware