The thought of a ransomware attack on your hospital or health system may keep you up at night. You may be losing even more sleep lately: according to the FBI and other federal agencies, COVID-19 appears to have spurred a new wave of attacks against hospitals.
There is, however, an even longer-lasting threat from the same crime, one that can affect your institution and its patients for years to come: stolen medical records. In many ransomware cases the attacker quietly copies patient records out of the network before encrypting it, then sells them on the underground marketplaces commonly referred to as the dark web. Paying the ransom may get your systems decrypted; it does nothing to recover that copy.
Why? Stolen records sell for as much as $1,000 each, according to credit reporting agency Experian. Cybersecurity firm Trustwave pegged the black-market value of a medical record at $250. Credit card numbers, by contrast, sell for around $5 each on the dark web according to both sources, and Social Security numbers for as little as $1 each.
The long money is in medical records
The reason for this price gap is, as with any other good or service, perceived value. A stolen credit card number is easily canceled and reissued. A medical record is a trove of data points that cannot be changed or reissued: the patient's medical and behavioral health history and demographics, along with their health insurance and contact information. A fraudster can keep using them for years, which is what buyers are paying for.
Patients clearly suffer the most from the theft and exploitation of their records. Medical identity theft, in which a patient's identity is used fraudulently to obtain medical services or prescriptions, costs $13,500 to resolve through payments to a provider, an insurer, legal services, or all of the above. Victims also spend more than 200 hours repairing the damage and securing their information.
For hospitals, the ransom paid to recover encrypted systems is only the most immediate financial pain. The fallout can last for years. The hospital must conduct a costly investigation of the attack and the associated breach while providing identity theft protection to the affected patients, who may also file a class action lawsuit when records are compromised in a cyberattack.
If the U.S. Department of Health and Human Services' Office for Civil Rights, which investigates breaches of protected health information, determines that the hospital violated HIPAA rules and was at fault, it can impose civil monetary penalties of more than $1.7 million along with other corrective actions, depending on the size and nature of the breach.
Prevent attacks with training and network safeguards
Consistent staff training, especially in light of the new barrage of COVID-19-themed attacks, helps keep ransomware out of your network. The most common entry point is a phishing email sent to a staff member that carries a malicious link or a malware-laden attachment.
Connected medical devices are another way cybercriminals reach patient data and the hospital's on-premises or cloud-based servers. Routing those devices through a secure clinical computing hub, which isolates them so they are not directly reachable from the rest of the network (in effect invisible to an attacker on the hospital LAN), is another effective security step. The hub then becomes the single path to the devices, so it must be patched, monitored and hardened with the same care as any other high-value server.
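As an added illustration, not from the article or from Capsule Technologies, the isolation described above can be enforced at the network layer by a firewall policy on the gateway that sits between the device segment and everything else. The nftables ruleset below assumes a hypothetical topology: a device VLAN on interface dev0 (10.60.0.0/24), the clinical hub at 10.61.0.10 behind hub0, and the general hospital LAN behind lan0; the interface names, addresses and port numbers are all assumptions and would come from your own site and the hub vendor's documentation. The weak configuration it replaces is a flat network with no forward policy at all, where every workstation, and every phishing payload that runs on one, can reach every infusion pump and monitor directly.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article: gateway policy that isolates a
# medical-device segment so devices can talk only to the clinical hub.
# Hypothetical topology (assumed; adjust to your site):
#   dev0 : device VLAN, 10.60.0.0/24 (pumps, monitors, ventilators)
#   hub0 : clinical computing hub segment, hub at 10.61.0.10
#   lan0 : general hospital LAN, EHR servers, workstations, internet egress

flush ruleset

table inet med_seg {
    # The only host allowed to exchange traffic with devices.
    set hub_hosts {
        type ipv4_addr
        elements = { 10.61.0.10 }
    }

    # Ports the hub listens on for device data (assumed values).
    set hub_ports {
        type inet_service
        elements = { 4000, 8443 }
    }

    # Ports the hub may open toward devices for polling and configuration (assumed).
    set device_ports {
        type inet_service
        elements = { 2575, 4000 }
    }

    chain forward {
        # Default deny for everything that crosses the gateway.
        type filter hook forward priority 0; policy drop;

        # Replies for sessions already permitted by the rules below.
        ct state established,related accept
        ct state invalid drop

        # Device -> hub only, and only to the hub's collection ports.
        iifname "dev0" oifname "hub0" ip saddr 10.60.0.0/24 ip daddr @hub_hosts tcp dport @hub_ports accept

        # Hub -> device for polling and configuration. Nothing else may initiate toward a device.
        iifname "hub0" oifname "dev0" ip saddr @hub_hosts ip daddr 10.60.0.0/24 tcp dport @device_ports accept

        # Clinical systems on the LAN reach device data through the hub's API (assumed port 443),
        # never through the devices themselves.
        iifname "lan0" oifname "hub0" ip daddr @hub_hosts tcp dport 443 accept

        # Explicit denies for the two paths an attacker cares about. They duplicate the
        # drop policy, but the counters and log lines make attempts visible in
        # `nft list ruleset` and in syslog, which gives the SOC something to alert on.
        iifname "lan0" oifname "dev0" counter log prefix "med_seg lan->device: " drop
        iifname "dev0" oifname "lan0" counter log prefix "med_seg device->lan: " drop
    }
}
```

Load it with `nft -f` on the gateway and confirm with `nft list ruleset` that the forward chain shows `policy drop` and that the two logging rules start counting when a workstation tries to reach a device address. The policy makes the hub the one pivot between devices and the rest of the hospital, so a device that suddenly shows up in the `device->lan` log is either misconfigured or compromised and is worth an incident ticket either way.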
Considering the significant costs to patients and your organization, hospitals cannot afford to postpone cybersecurity, even amidst the tremendous disruption caused by COVID-19. A stronger, prevention-focused security stance will continue to benefit your hospital long after the pandemic is behind us.
Paul Nadrag is a software developer at Capsule Technologies.