The Scary Costs of an EHR Cyberattack

They lurk in darkest recesses of the web where the erratic flickers of LED lights do little to illuminate their devious deeds. Ensconced away in subterranean chambers, the data vampires’ greedy hands feverishly run across their keyboards, poking and prodding your EHR network security—fangs dripping with anticipation of the all the private data held within. 

Did we get your attention? Enough of this trick or treating talk. Let’s get real. These shadowy creatures can also be humans, casually strolling through the hallways of your hospitals, smiling with a wide grin to everyone they pass on their way to your not-so-secure employee break area.

“Oh shoot,” they casually remark. “I forgot my badge. It’s my third day and I’m still getting used to this new routine. Would you mind buzzing me in just this one time?”

You think to yourself, “They look nice enough-who am I to keep them from their morning coffee?”

An unassuming hospital employee, who forgot lessons learned during cyberattack prevention training lets them into the breakroom. Next thing you know, valuable PHI and other private hospital data, left on a laptop, is on its way out the door under the arm of “the new guy.”

Hackers. Bad actors. Con-artists. Whatever you want to call them, cybercriminals take many forms, and aren’t always behind a computer. Whether hidden away in dark conclaves, stalking the halls of your hospital, or hanging out in a coffee shop around the block—cybercriminals represent a very real threat to your hospitals and your patients. Read on…if you dare!

EHR Breach Horror Stories

The threats posed to your hospital from an EHR system cybersecurity breach are terrifying. When a criminal gets their hands on your data it often has a rippling effect across your entire hospital. The consequences of a cyberattack are far-reaching enough to make a complete horror novel. For your reading sanity this article will focus on three key areas.

Fines and CostsI Vant to Suck Your Revenues

According to research from the Ponemon Institute the cost of a healthcare records breach is on the rise and not expected to slow. In addition to costs accrued by patient notifications, settlements, and system recovery time, a state attorneys HIPAA violation fine can range anywhere from $100 to $25,000.

In 2015, more than 78 million records held by Anthem, Inc., a healthcare insurance provider in the Blue Cross and Blue Shield Network, were either exposed or stolen. The cost to recoup a loss of that magnitude, from detection to patient notification to lost business, easily reaches into the hundreds-of-millions—far above what a typical cybercrime insurance policy would cover.

While this is an extreme example of a “mega breach,” even on average—a little under $4 million—that alone is enough to push a smaller community hospital to the brink of bankruptcy.

Device ManipulationMy Patient Monitor is Possessed!

An fully-integrated EHR system has the capability to feed data directly from patient monitors to a hospitals EHR. In other words, if a hacker breaches your EHR, they can potentially access the patient monitoring equipment.

One might ask, “Ok, but what can they really do with Bob’s heart disease history?” The answer: Spread disinformation or falsify patient monitoring data. Incredibly scary for physicians and nurses who rely on this constant flow of information to manage patient care, if a patient’s health information is manipulated, the results could be deadly.

A few of the good guys from the McAfee Advanced Threat Research team, call them “The Brothers Grimm,” discovered medical devices such as a patient monitoring station could be hacked via networks and machines connected to an EHR.

When performing a test on such a network, McAfee was able to replicate the data stream of a patient monitoring station using a remote device. In this instance, the real monitor could be disconnected from the network and false information could be delivered via a laptop or even a mobile phone. The article also addresses the potential of making modifications to patient monitoring devices in real-time.

Bad BrandingA Curse on Your Patient Experience

A breach means you are not secure. An unsecure hospital is not one patients trust with their care, or with their lives.

A breach can bring on a torrential downpour of negativity for your hospital starting with:
• Patient leakage
• Lost business
• Lost revenues
• Employees quitting
• Unable to attract talent
At worst your hospital could fail. At minimum, aside from the financial burdens that may be brought on by settlements and suits, you can lose some patients and some employees. Regardless, it can be an incredibly damaging situation.

Cybercrime: A Real Scare for Healthcare

Phishing phantoms and cyber ghouls aside, threats to the systems storing your EHR and PHI are very real and so are the consequences. Luckily, the means to defending against these nefarious foes can be quite effective and secure.

If you want to deter the healthcare vampires lurking in the dark web, illuminate them with proactive threat analysis coupled with consistent evaluation of the systems tasked with protecting your network—technical, digital, and human.

Find your team struggling for the time and resources to check off all those boxes? See what a cloud solution might be able to offer you in savings—from both data thieves and the scary costs of recovery.

Further Reading:

Best Practices for Healthcare Information Security
5 Top Security Concerns for Your Healthcare IT Environment

You may also be interested in: