Healthcare Governance Body Warns Hospitals Face Debilitating Cyberattacks


The largest healthcare accreditation body in the U.S. issued cybersecurity guidelines calling for hospitals to prepare for cyberattacks that could take down critical systems for a month or longer—measures that will require significant investment.

Hospitals need to put in place tools and processes that anticipate that technology critical to life and safety could be down, and find alternative ways to work without those systems, the nonprofit Joint Commission said.

Cyberattacks on healthcare providers have increased in recent years, with some strikes getting more targeted, said David Baker, executive vice president for healthcare quality evaluation and improvement at the Joint Commission. In particular, phishing is the most common way hackers infiltrate hospital systems, he said. “If only a few staff respond to a phishing attack,” he said, “the consequences can be devastating.” 

The Joint Commission assesses healthcare organizations’ emergency-management plans, which detail processes to respond to natural disasters and other emergencies and include plans to respond to a cyberattack, Baker said. The organization urges hospitals to heed its cyber guidance, though the recommendations are nonbinding. The commission doesn’t plan to assess cybersecurity readiness, he said.  

So far this year, the medical data of more than 61 million people has been stolen or exposed in more than 400 cyberattacks reported to the U.S. Department of Health and Human Services. Los Angeles-based Prospect Medical Holdings, a private-equity company that operates more than 15 hospitals and dozens of medical centers in California, Connecticut, Pennsylvania, Rhode Island and Texas, was hit by hackers early this month.

Prospect spokeswoman Nina Kruse said the hospitals are continuing to treat patients and emergency departments are open, but some technology is down. The attack has caused delays in appointments and services such as blood draws.

“We do not yet have a definitive timeline for how long it will be before all of our systems are restored,” she said. 

Hospitals often need at least three to four weeks to restore critical systems, with noncritical ones taking longer, said John Riggi, national adviser for cybersecurity and risk at the American Healthcare Association. 

Incident response is more complex than in other sectors because hospitals need to remain operational around the clock even when tech systems are shut down. “We just can’t stop taking patients in while the remediation happens,” he said. 

The Joint Commission’s guidelines recommend that hospitals maintain access to patient records and results, and that labs, radiology and pathology services can still share test results with doctors even when the technology normally used is not available. Options include investing in encrypted, offline backups of critical data, or “fail-safe” computer terminals that could handle clinical information during downtimes, the commission said.

Cyberattacks have taken a financial toll on the sector. The cost of data breaches in healthcare has increased by 53% since 2020, and is now more expensive than in any other sector, according to a report published in July by International Business Machines.

On average, a healthcare data breach costs $10.9 million, compared with the $5.9 million in the financial sector, where cyberattacks are the next most expensive, IBM said. The tallies include the costs of forensic experts, outsourced support, in-house investigations and the value of customer loss. 


Point32Health, the nonprofit health group that runs Tufts Health Plan and Harvard Pilgrim Health Care, last week reported $51.4 million in net losses for the first half of 2023, largely related to a cyberattack it disclosed in April. In February, hospital group CommonSpirit Health said a 2022 ransomware attack cost it around $150 million in technology fixes and lost revenue.

Hospitals aiming to meet the commission’s recommendations would need to invest “significant effort and expense,” Baker said. Yet many hospitals, especially small remote ones, struggle to pay for cybersecurity protections, industry analysts say. 

Amid economic uncertainty, cybersecurity leaders across sectors are looking to cut spending. In healthcare, 47% of cyber professionals said their budgets increased between 2022 and 2023, down from 52% the previous year, according to an April survey of 159 professionals from the Healthcare Information and Management Systems Society, a nonprofit focused on healthcare technology.

Government initiatives and nonprofits that work on healthcare security and safety are stepping up efforts to help hospitals with guidance and grants, said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, which facilitates the exchange of threat intelligence among members. 

“There’s certainly a lot of attention [being paid] with the small rural hospitals and the needs they have when it comes to more resources around cybersecurity,” Weiss said. 

Last week, the Advanced Research Projects Agency for Health, an agency within the U.S. Department of Health and Human Services, opened a program to identify and fund cybersecurity technology for healthcare companies. The funding program is now accepting proposals from researchers. 

Write to Catherine Stupp at catherine.stupp@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
