Economic Costs of Health Information Cybertheft

In an increasingly connected and digitized world, and in light of recent legislation empowering providers to embrace the electronic exchange of health information, the healthcare industry has grown increasingly vulnerable to cybercrime. Specifically, healthcare data breach statistics clearly show that data breaches have become more frequent over the last decade, with 2021 seeing more data breaches than any other year since the U.S. Department of Health and Human Services’ Office for Civil Rights started publishing records to this end [1]: over 40 million individual records were reported to have been compromised in 2021 [2]. Meanwhile, the United States currently spends $3 trillion on health care annually, reflecting nearly one fifth of its domestic product [3]. This corresponds to over $9,000 per capita – in stark contrast to the average $5,000 of other advanced economies. Of this staggering amount, researchers have estimated that 25 to 30 percent is lost to waste, including abuse or fraud [4], the latter of which imposes the greatest costs on healthcare organizations [5]. Cybertheft of health information in particular is causing increasing costs.

Healthcare is a particular target for cybercrime as a result of its inherent vulnerability to collusion and misrepresentation, given that much sensitive information, including payments, is transferred electronically and is thus subject to cyberattack [6]. In a recent meta-analysis probing the status of cybercrime in healthcare, researchers assessed 19 articles for common themes linked to the high prevalence of cybercrime, finding that the most prevalent cyber-criminal activity in healthcare was identity theft through data breach. Other activities included internal threats, external threats, cyber-squatting, and cyberterrorism [7]. The sensitivity of patient information places pressure on healthcare systems to resolve situations quickly, potentially by paying the ransom.

A healthcare data breach, on average, cost over $7 million in 2021 – having risen 10% from the prior year, when one such data breach was valued at just over $6.4 million, according to IBM Security’s 2020 data breach cost report [8].

Cybertheft has hefty medical costs as well – financial loss may compromise the ability of the health care system to perform at its best, while cyber lockouts may force facilities to pause normal operations.

The situation is particularly challenging since the evolution of health care administration systems is advancing faster than security solutions – current healthcare cyber-security systems do not come close to rivaling the capacities of cyber criminals, who outpace the latest industry or government attempts at defense [7].

As such, there is no simple solution, and keeping up with cybertheft schemes of increasing complexity warrants unparalleled vigilance. However, since information security is a costly resource, many health care providers may hesitate to fully invest in the protection of their data. Critically, though, certain basic recommendations have been set forth for any health care organization. These include enforcing robust IT security practices (including network access controls, firewalls, and anti-virus software), creating aggressive counter-intelligence programs, using predictive modeling and data analytics to identify any anomalies, and strengthening collaborations across all stakeholders (including industry, government, and law enforcement), among others.

Curbing cybertheft would result in a cost reduction of over $1 trillion for the health care system. In order to capitalize on the benefits of an online health information exchange system, aggressive research will be critical to identifying how best to render cyber information as safe and secure as possible into the future.

References

1. Healthcare Data Breach Statistics. Available at: https://www.hipaajournal.com/healthcare-data-breach-statistics/.

2. The biggest healthcare data breaches of 2021 | Healthcare IT News. Available at: https://www.healthcareitnews.com/news/biggest-healthcare-data-breaches-2021.

3. ‘Nobody is safe from this’: Cybercrime in health care | AOA. Available at: https://www.aoa.org/news/practice-management/perfect-your-practice/healthcare-cybersecurity?sso=y.

4. Shrank, W. H., Rogstad, T. L., & Parekh, N. Waste in the US Health Care System. JAMA (2019). doi:10.1001/jama.2019.13978

5. Average cost of healthcare data breach rises to $7.1M, according to IBM report | Fierce Healthcare. Available at: https://www.fiercehealthcare.com/tech/average-cost-healthcare-data-breach-rises-to-7-1m-according-to-ibm-report.

6. Cybersecurity and fraud in health care | Deloitte US. Available at: https://www2.deloitte.com/us/en/pages/public-sector/articles/health-care-cyber-security-fraud.html.

7. Luna, R., Rhine, E., Myhra, M., Sullivan, R., & Kruse, C. S. Cyber threats to health information systems: A systematic review. Technology and Health Care (2016). doi:10.3233/THC-151102

8. Cost of a Data Breach Report 2020. IBM. Available at: https://www.ibm.com/security/digital-assets/cost-data-breach-report/1Cost%20of%20a%20Data%20Breach%20Report%202020.pdf