Ambulances being re-routed. Postponed radiation treatments for cancer patients. Patient deaths resulting from delayed emergency treatment.
These are the real-life impacts of healthcare data breaches. While cyberattacks have become widespread across various industries, from manufacturing to banking, no other industry experiences the human impact of these breaches as greatly as healthcare does. The healthcare industry has been hit with a wave of recent attacks and this trend shows no sign of stopping.
Ransom demands for healthcare breaches currently average $4.6 million. However, what’s even scarier than losing data and money is the impact these breaches have on patients. In healthcare, cyberattacks don’t just impact data - they affect lives.
The Downside of Digital Records
Medical records contain patient medical information that, unlike other forms of data, cannot be easily replaced. As a result of the 2009 Meaningful Use Act, which mandated the transition to digital health records, medical records are now fully digital. The implementation of HIPAA compliance standards, focused on guarding protected health information (PHI) and enforcing the use of Electronic Health Records (EHRs), resulted in medical records moving from paper to digital, generating a huge volume of sensitive data for healthcare providers to protect from cyberattacks.
The sensitivity of patient data is a large part of what makes healthcare providers vulnerable to cyberattacks. While financial data can quickly become unusable after being stolen because people can quickly change their credit card numbers, medical data is not perishable, which makes it particularly valuable.
Hackers realize how heavily healthcare organizations rely on these electronic medical records and this makes them appealing targets for cyberattacks. They assume providers will need to restore access to patient data quickly to ensure continuity and confidentiality of patient care.
Immediate Impact of Cyberattacks on Patient Care
Preventing clinicians from accessing health records can prevent patients from accessing care.
In the 2020 Universal Health Services (UHS) attack, 400 hospitals and health facilities in the United States and United Kingdom were affected. The UHS Healthcare attack cost 67 million dollars - but the human impact was even more staggering.
The attack not only wiped out IT systems but also took the phone system out of action.
Since patient medical records are now completely electronic, a cyberattack results in hospital employees being unable to access patient information. In the case of the UHS breach, staff had to use pen and paper to record patient information.
The immediate impact of the attack was that ambulances were re-routed to alternative facilities and some elective procedures were postponed or diverted to other hospitals. Medical records were rendered temporarily inaccessible and, in some cases, permanently lost; treatments were delayed, and patients experienced long waits for test results. Even with IT technicians working around the clock to restore service, the disruption lasted for three weeks.
In another recent attack, the University of Vermont Health Network was forced to operate under EHR downtime procedures for more than a month, with its patient portal, EHR, and lab results inaccessible for most of its care sites during that time.
In September 2020, the University Hospital Düsseldorf in Germany was the victim of a cyberattack and was forced to turn away patients who came to its emergency room for treatment. After being diverted to a facility an hour away, a patient with a life-threatening illness sadly passed away due to the delay in receiving medical care.
While some of the human impacts of cyberattacks are immediate, other impacts are less direct and may not fully emerge until two or three years after a security breach.
The Impact of Post-Breach Remediation Efforts
A 2019 study from Vanderbilt University found that breaches may adversely impact patient mortality because remediation activities after a breach disrupt provider care practices. While the breach itself is usually the focus of reporting on cyberattacks, the impact of remediation attempts may not be evident for two to three years after the attack.
Security breaches require a review of the overall security program. After a cyberattack, healthcare organizations will often enact policies similar to those of financial institutions, such as requiring passwords or key cards to access sensitive data. Post-breach remediation methods may also include multi-factor authentication (MFA) and enforcing time-outs on machines after clinicians have been logged in for a specific length of time.
The Vanderbilt study focused on time-based quality metrics and time-sensitive conditions. It’s hard to imagine anything more time-sensitive than arriving in the emergency room with chest pain. When hospitals have been breached, their 30-day mortality rates are impacted over the next two to three years. The time required to get an EKG increased in some cases by more than two minutes. In a non-healthcare setting, a two-minute delay would be a minor annoyance. However, two minutes is literally life or death to a patient suffering a heart attack.
When it comes to accessing information, clinicians are more focused on speed than security. Enhanced security protocols make systems more secure but add time to the process of accessing patient medical records. Post-breach security procedures, processes, and software worsen the usability of health IT for clinicians.
Security Impacts Usability
When clinicians find that security requirements are cumbersome, they will turn to creative workarounds that can put data at risk.
Hospital staff have been known to write their passwords on notes taped to their keyboards or even on the wall. There are also workarounds for security methods that require physical tokens, such as leaving key cards inserted in card readers all day to save time.
Clinicians need usable security solutions. When security options are not usable for clinicians in their various workflows, such as having too many passwords to memorize or being required to change passwords too frequently, they will resort to workarounds.
Security needs to be balanced against usability, particularly in environments like healthcare where the primary goal is quality patient care.
How Identity-Bound Biometrics Can Help
Identity-Bound Biometric authentication can offer a solution for securing healthcare systems that balances security with usability. For example, fingerprint scans can allow clinicians to quickly access information and devices, such as supply cabinets, without having to memorize passwords or carry a card.
Much like a personal health record, Identity-Bound Biometrics, such as a palm or fingerprint scan, are unique to an individual. They offer a concrete way of verifying a person’s identity and confirming that that person is who they say they are with the highest levels of integrity, availability, security, and accuracy.
In healthcare, security solutions must be used to guard against cyberattacks. The effects of attacks in healthcare can have a devastating human impact. Protecting patients must be the top priority - that includes both protecting patient data and protecting the clinician workflows that enable providers to give their patients the highest quality care possible.