Healthcare cybersecurity attacks are on the rise. As Protenus notes, industry data breaches increased by 48 percent between 2018 and 2019, with more than 41 million patient records compromised. Meanwhile, according to the 2019 HIMSS Cybersecurity Survey, 82 percent of hospitals said they suffered a “significant security incident” in the past 12 months. The result is an estimated $4 billion price tag for healthcare compromises in 2019 alone.
In fact, the prognosis for potential IT problems is now dire enough that some physicians’ training scenarios include simulated hospital ransomware attacks that force them to deal with the real-world consequences of cybersecurity failures. And while budgets are increasing — according to data from Cybersecurity Ventures, the industry is looking at $65 billion worth of spending on security products and services from 2017 to 2021 — breach risks refuse to budge.
The disconnect here is that specific attack responses often ignore the human element of healthcare cybersecurity. The solution? A holistic approach based on systematic treatment and assessment practices from the biopsychosocial model. Here’s what this looks like for healthcare IT.
The Biology of a Breach
First developed at the University of Rochester by Dr. George Engel and Dr. John Romano, the biopsychosocial approach “systematically considers biological, psychological and social factors and their complex interactions in understanding health, illness and health care delivery.”
The model is now widely used as a way to understand the multifaceted nature of healthcare issues and create treatment plans that go beyond physical signs and symptoms to treat the person as a whole. It can also offer valuable insight for healthcare cybersecurity by helping C-suite executives and tech professionals look beyond IT infrastructure to assess the larger impact of security incidents.
Let’s start with the familiar: common points of compromise such as internet of things (IoT) and connected medical device deployments. Recent research out of Israel produced proof-of-concept malware that adds fake tumors to (or removes real ones from) medical images such as CT and MRI scans by tampering with them as they travel across the hospital network, exemplifying how far the effects of an IoT or medical device compromise can reach. Meanwhile, the HIMSS survey notes that email remains “the most common initial point of compromise for significant security incidents.” And according to Verizon, 25 percent of health providers experienced mobile-related breaches last year.
These cybersecurity incidents tend to prompt an understandable reaction: treating the immediate symptoms by deploying new network monitoring tools, enhanced mobile security controls and advanced threat detection systems. Each new tool also produces alerts that someone has to triage, which matters for a workforce that is already stretched. And the growing divide between security spending and effective defense demonstrates that technological remedies alone aren’t enough.
The Psychology of IT Incidents
Along with the direct effects of ransomware attacks and account takeovers, emergent psychological effects can also take a toll on healthcare systems. Consider the rising costs of healthcare insider threats: According to Proofpoint, health organizations now spend almost $11 million per year, on average, to remediate insider issues. There’s also the increasing pressure of targeted attacks by malicious actors.
Patient data is valuable to data thieves, and the always-on nature of medical IT systems means that service interruptions, the lever ransomware pulls, could negatively affect patient outcomes. As noted in a recent article from the Journal of the American Medical Informatics Association, unplanned electronic health record (EHR) downtime can affect the length of surgical operations and post-operative stays.
The result is hardly surprising: increased stress for IT and medical professionals alike. According to Healthcare IT News, 55 percent of health IT professionals say they’re “frequently or constantly stressed,” while 74 percent of doctors point to practice interruptions as their greatest source of stress. Add in the risk analyses required under the Health Insurance Portability and Accountability Act (HIPAA) and the audits that follow complaints and breaches, and there’s even more pressure on healthcare organizations to ensure effective cybersecurity practices. As the HIPAA Journal observed, a recent audit of the National Institutes of Health (NIH) found technology control weaknesses that put patients’ protected health information at risk.
In the best-case scenario, staff will need to spend time and money remediating risks to ensure HIPAA compliance. In the worst-case scenario, breached data could lead to audits and assessments that result in monetary fines and increased recovery times. Either way, the psychological impact on staff can’t be overstated.
The Social Cost of Compromise
Healthcare is a human-driven enterprise. As a result, IT issues don’t just harm devices and doctors; they also create significant social costs. These costs include:
- Increased wait times — 68 percent of patients say the average wait time to see their healthcare provider is too long, and that time continues to increase. And while EHRs came with the promise of improved access and potentially shorter wait times, what happens when critical systems go down? As CISO Magazine notes, hospital ransomware attacks in 2019 resulted in everything from canceled surgeries to deletions of patient records to new patients being turned away because systems were overwhelmed, all of which can mean longer wait times and more frustration for patients.
- Reduced trust — HIPAA demands due care in handling patient data to limit the risk of theft or destruction. But beyond compliance concerns, there’s a bigger problem: trust. According to recent survey data, 41 percent of patients would consider switching providers after a negative digital experience, which makes effective data protection more than just good practice: exposing personally identifiable information (PII) and protected health information to attackers can drive patients, and the revenue they represent, to another provider.
- Divided attention — Doctors worry about frequent interruptions and distractions, and with good reason. According to Johns Hopkins University, medical errors are the third leading cause of death in the U.S., and technology that doesn’t work properly (because of ransomware demands, malware infections or even cryptojacking) adds another distraction for busy medical staff, which could yield disastrous consequences.
A Holistic Approach to Healthcare Cybersecurity
While there’s no protective panacea that delivers a perfect defense against all biological, psychological and social threats in healthcare cybersecurity, a holistic approach across four key areas can help providers better focus their spending and improve operational outcomes.
- Detection — The best way to limit the effects of attacks is to spot intrusions before they reach key systems. Detection tools that can automatically flag and contain suspicious activity help reduce healthcare risk, with one caveat: every alert still needs a person to triage it, so tuning and staffing matter as much as the purchase.
- Prevention — An ounce of prevention is worth a pound of cure. This notion is hardly groundbreaking, but it’s absolutely relevant. Experts predict a steep rise in 2020 in artificial-intelligence- and machine-learning-driven tools that recognize the signs of an attack and block potential breaches in real time. Those tools sit on top of, not in place of, the basics: timely patching, strong authentication, email filtering and keeping medical devices on segmented networks.
- Response — No matter how thorough and effective your current protection measures may seem, attacks will eventually come. For healthcare organizations, the issue isn’t “when” but “how” — how will IT teams respond when ransomware infections occur or phishing scams succeed? Here, incident response planning and policies are key. From regularly tested response plans (including the clinical fallback to paper when the EHR is unavailable) to business continuity plans and processes for regular system updates, ensuring teams are equipped to respond can help limit the impact of attacks on IT and on care.
- Recovery — After incidents have been identified and remediated, healthcare providers must recover key data and restore key systems. That depends on backups that the same ransomware could not reach, kept offline or otherwise isolated, and restored from on a schedule that has actually been rehearsed. With IT teams already stretched thin, third-party recovery and resilience solutions can help get cybersecurity efforts back on track.
Physical and digital processes aren’t the only predictors of IT incident severity. To counteract threats against healthcare cybersecurity systems, organizations must account for the human element by deploying holistic models that define and defend against the biological, psychological and social factors of infosec attacks.