As practices like yours increasingly rely on technology to improve workflows and connect with patients, mitigating cybersecurity risks has become a top priority, alongside providing patient care. Half the battle of implementing protective measures against healthcare cyber threats is recognizing which potential issues need to be addressed and how best to prevent them from becoming crises. Human error has surpassed malicious activity as the most common cybersecurity threat in healthcare. In 2021, healthcare was the industry that paid the most in costs associated with data breaches. According to IBM, “The average total cost [of a data breach] for healthcare increased from $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase.” Data breaches can hinder a compromised practice’s ability to function and damage its relationships with patients, whose information may be inadvertently put at risk.
While healthcare is a sector that faces high exposure to cyberattacks, there are precautions your practice can take to avoid cyber threats and the substantial costs that accompany them. Planning for and responding to cyber threats in a timely manner are important components of your practice’s cybersecurity preparation. According to Rectangle Health’s Vice President of Marketing, Michelle Dowling, “It’s critical to view cybersecurity as an investment—one that’s worth time, finances, effort, and energy. Safeguarding your administrative, technical, and physical environments is an ongoing cycle that requires constant assessment, re-assessment, and mitigation of risk, based on evolving threats and vulnerabilities.”
5 Most Common Cyberthreats in Healthcare
- Misdelivery continues to be the most common cybersecurity issue for healthcare organizations, accounting for 36% of data breaches. Misdelivery occurs when staff inside a practice mistakenly send patient information to the wrong recipient, either by traditional paper mail or by email. When staff have many pieces of information to send to patients, some internal errors are to be expected. This type of human error, along with publishing and data entry mistakes, is a HIPAA violation and can result in a data breach. When information reaches the wrong recipient, the practice loses control of the confidentiality of that communication. Personal information, rather than medical information, is most often the subject of misdelivery mistakes. To avoid this, staff should add a recipient verification step to their traditional mail and email process to minimize errors.
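The recipient verification step described above can be automated as a pre-send check that compares the intended recipient against the contact the patient has on file and blocks the message on any mismatch. The following is an added example, not Rectangle Health's code or any product's API; the patient directory, the patient ids and the addresses in it are constructed sample data, and the `verify_recipient` function, its signature and its similarity threshold are assumptions for illustration.

```python
"""Pre-send recipient check for patient email (added example, not the page's code).

Assumes a hypothetical patient directory mapping a patient id to the single
email address that patient has on file. All data below is constructed.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
import re

# Minimal syntactic check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample directory: patient id -> address on file (hypothetical).
PATIENT_EMAILS = {
    "P-1001": "alice.example@example.com",
    "P-1002": "bob.sample@example.org",
}

# Addresses at least this similar to the one on file are reported as a likely
# typo rather than as a different person (assumed threshold).
TYPO_SIMILARITY = 0.85


@dataclass
class SendCheck:
    """Result of the check: ok=True means the message may be sent."""
    ok: bool
    reasons: list = field(default_factory=list)


def normalize(addr: str) -> str:
    """Case-fold and trim so 'Alice@Example.com ' matches 'alice@example.com'."""
    return addr.strip().lower()


def verify_recipient(patient_id: str, recipients, directory=PATIENT_EMAILS) -> SendCheck:
    """Block sending unless exactly one recipient is given and it matches the
    address on file for patient_id. Every problem found is listed in reasons,
    so staff can see why the send was stopped."""
    reasons = []
    on_file = directory.get(patient_id)
    if on_file is None:
        reasons.append(f"no contact on file for patient {patient_id}")
        return SendCheck(False, reasons)
    expected = normalize(on_file)

    norm = [normalize(r) for r in recipients]
    # A patient communication goes to one patient; extra recipients are the
    # classic misdelivery (wrong person CC'd or auto-completed).
    if len(norm) != 1:
        reasons.append(f"expected exactly one recipient, got {len(norm)}")

    for r in norm:
        if not EMAIL_RE.match(r):
            reasons.append(f"malformed address: {r!r}")
        elif r != expected:
            similarity = SequenceMatcher(None, r, expected).ratio()
            if similarity >= TYPO_SIMILARITY:
                reasons.append(f"{r} looks like a typo of the address on file")
            else:
                reasons.append(f"{r} does not match the address on file")

    return SendCheck(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample sends: one correct, one typo, one wrong patient.
    for pid, rcpts in [
        ("P-1001", ["Alice.Example@example.com"]),
        ("P-1001", ["alice.exmaple@example.com"]),
        ("P-1001", ["bob.sample@example.org"]),
    ]:
        result = verify_recipient(pid, rcpts)
        print(pid, rcpts, "OK" if result.ok else "BLOCKED", result.reasons)
```

The check is deliberately strict: it fails closed when the patient has no address on file, rejects more than one recipient, and distinguishes a probable typo from a completely different address so the reason shown to staff points at the likely mistake.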
- Hacking/IT incidents, the category into which ransomware falls, have been a persistent challenge for healthcare organizations. According to Brookings, “Since the onset of the COVID-19 pandemic, the rate of ransomware attacks has soared across all industries, and healthcare has been the disproportionate target of such attacks.” Criminals motivated by substantial financial gain often target healthcare organizations with ransomware. “Ransomware is a type of malware that encrypts a victim’s files, rendering them inaccessible to their owner, unless a ransom is paid to decrypt them.” This form of breach often leaves healthcare organizations feeling forced to pay a ransom to regain control of this sensitive data. Investing in cybersecurity insurance that covers ransomware attacks is an effective way to mitigate these types of risks.
- Insider threats come in many forms. From the human errors made by staff to malicious attempts to access and sell patient data, internal actors often bypass traditional security protocols either by mistake or with malicious intent. These breaches can be costly and difficult to anticipate. According to the Center for Internet Security, “The insider threat concept encompasses a variety of employees: from those unknowingly clicking on a malicious link which compromises the network or losing a work device containing sensitive data to those maliciously giving away access codes or purposely selling PHI/PII for profit.” Whatever the intent of this insider, it is essential for your organization to be prepared to act if this type of threat occurs. Reporting suspicious activity immediately can go a long way to reduce risk.
- Denial-of-service attacks can damage a company’s reputation and hinder its ability to operate. “A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. Services affected may include email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network.” Ensuring your organization’s systems have antivirus software and a firewall installed is one way to avoid this type of attack. Such an attack can also originate from many machines working together to launch an incident rather than from one alone; this is called a distributed denial-of-service (DDoS) attack.
- Phishing attempts can be well disguised; employees often inadvertently contribute to these attacks by clicking on links that look authentic but are in fact malicious. “Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. […] When users respond with the requested information, attackers can use it to gain access to the accounts.” Encouraging employees to use caution when clicking on links or opening files, and to report or flag suspicious activity, is an important way to protect your organization from this form of cyber threat to healthcare.
How You Can Prepare Your Practice for Cybersecurity Threats
Cybersecurity insurance covers business costs associated with the theft or destruction of IT assets. This coverage includes recovering identities and data that have been compromised and paying legal fees that may arise after such information has been stolen. When evaluating whether your organization needs cybersecurity insurance, consider the ramifications of not having it. High legal and data recovery fees are just the beginning. This type of insurance may seem unnecessary, but it can pay off when your organization is facing a crisis it is unprepared to respond to. Making sure your organization is prepared to respond effectively to a cybersecurity crisis affects more than just your internal team; it also affects your organization’s reputation and your patients’ privacy.
However, insurance doesn’t prevent human error. It is also important that your internal team is vigilant about verifying recipient information before sending any form of communication, keeping passcodes up to date, resisting the temptation to click on suspicious links, and staying informed about suspicious activity that occurs internally and externally.
Partner with Rectangle Health to Mitigate Payment Processing Security Risks
Rectangle Health’s flagship product, Practice Management Bridge®, is a secure patient payment and engagement platform tailored specifically for the healthcare sector. Rectangle Health securely stores healthcare payment information, protecting both your practice and your patients with today’s highest standards for compliance and PCI. With Practice Management Bridge, sensitive patient and payment information is not held on your premises or stored on your servers or computers. Rectangle Health is an official Point-to-Point Encryption (P2PE) solution provider, which means that the scope of payment data your practice possesses is greatly reduced, lowering your liability and risk. We focus on keeping sensitive payment information tamper-proof, and we monitor transactions for fraudulent activity.
Our platform makes it easier for patients to pay for their care by providing flexible, contactless payment solutions that include Text-to-Pay, online payments, and Care Now, Pay Later, a unique payment plan offering that allows patients to pay for balances in affordable installments. Set up a call now to learn more about how our solutions can help protect your practice from cybersecurity threats.
- IBM. (2021). Cost of a Data Breach Report 2021. Retrieved from https://www.ibm.com/reports/data-breach
- Skahill, E. and West, D. M. (2021, August 9). Why hospitals and healthcare organizations need to take cybersecurity more seriously. Brookings. Retrieved from https://www.brookings.edu/articles/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/
- Pifer, R. (2021, June 24). More than 1/3 of health organizations hit by ransomware last year, report finds. Healthcare Dive. Retrieved from https://www.healthcaredive.com/news/more-than-13-of-health-organizations-hit-by-ransomware-last-year-report-f/602329/
- Center for Internet Security. (n.d.) Insider Threats: In the Healthcare Sector. CIS. Retrieved from https://www.cisecurity.org/insights/blog/insider-threats-in-the-healthcare-sector
- Cybersecurity & Infrastructure Security Agency. (2009, November 4). Understanding Denial-of-Service Attacks. CISA. Retrieved from https://www.cisa.gov/news-events/news/understanding-denial-service-attacks
- Cybersecurity & Infrastructure Security Agency. (2009, October 22). Avoiding Social Engineering and Phishing Attacks. CISA. Retrieved from https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks