Attacks on the Rise, Role of Third-Party Vendors
Although the April 2021 cyberattack got widespread media attention, Dr Dicker said that cyberattacks in health care systems occur frequently.
An annual report on data breaches in US health systems indicated that hacking incidents were up 42% in 2020 compared with 2019.4 The report is released by Protenus, a company that uses artificial intelligence to detect and prevent compliance violations in US health systems.
The report includes information on 758 health data breaches in 2020. Although most (65%) were reported by healthcare providers, 12% were reported by third-party vendors contracted by health systems.
“Any large health care system has 100 to 200 or more vendors of different types when it comes to software,” Dr Dicker noted.
Lakin said health care organizations often overlook these partners. “Often, organizations may not have a good understanding of the vendor’s cybersecurity posture,” he said. “When you have executed an agreement, you have inherited their security posture.”
However, Lakin noted that he is beginning to see more organizations take third-party security seriously and factor those risk assessments into decisions about partnering with vendors.
“Cybersecurity insurance premiums may be lowered by implementing these more advanced tools and risk-assessment processes,” Lakin said. “I think we are seeing a paradigm shift where people are incentivized to increase the effectiveness of their security programs and strengthen foundations.”
Preventing Attacks, Minimizing the Impact
Once Jefferson Health was able to handle the immediate effects of the cyberattack, planning shifted to preventing an attack from disrupting patient care again. One of the key lessons, Dr Dicker said, was backing up essential information.
Lakin also highlighted the importance of backing up data. “The goal is to prevent these large-scale cybersecurity attacks from happening,” he said. “But in the event your organization is impacted, you have to minimize the impact, contain it, and operate through it. To do that, you have to have a solid back-up strategy and well defined data retention schedules.”
In their analysis of the UVMHN attack, Dr Ades and colleagues concluded that “backup of physical copies of all forms and systemic therapy templates is essential, as well as access to basic patient information and secure platforms for all communication.”
“This type of preparation can factor into expediting a response to a cyberattack and into the organizational decision whether to pay the ransom or not,” Lakin said. This preparedness may sway a potential attacker into thinking that “the juice is not worth the squeeze,” he added.
Moving forward, organizations should work to have robust risk-management programs that include risk assessment of third-party vendors. Documented business continuity management programs are also important to have and practice so that reactions to these attacks become muscle memory in the event of a crisis, Lakin said.
He added that health care cyberattacks are not going away.
“I see it growing directly proportional to the amount of technology used,” Lakin said. “Most organizations are looking to run lean, and, in order to do that, they need processes and automation that typically require technology. Anything on a network is going to be able to be attacked. The ultimate challenge for the industry is going to be finding the right cybersecurity talent to meet this growing need.”
- Ransomware activity targeting the healthcare and public health sector. Cybersecurity and Infrastructure Security Agency. Updated November 2, 2020. Accessed September 28, 2021. https://us-cert.cisa.gov/ncas/alerts/aa20-302a
- Gourd E. Increase in health-care cyberattacks affecting patients with cancer. Lancet Oncol. 2021;22(9):1215. doi:10.1016/S1470-2045(21)00451-4
- Ades S, Herrera DA, Lahey T, et al. Cancer care in the wake of a cyberattack: How to prepare and what to expect. JCO Oncol Pract. Published online August 2, 2021. doi:10.1200/OP.21.00116
- 2021 Breach Barometer. Protenus. Accessed September 28, 2021. https://www.protenus.com/resources/2021-breach-barometer