Any break in the standard flow of a business can result in severe financial losses. Where do these losses stem from? According to Bleuwire, the usual suspects that can cause downtime in any business are:
In the world of healthcare, however, downtime can result in patients missing critical appointments, the loss of sensitive personal health information (PHI), and providers receiving fines in the thousands or even millions of dollars for non-compliance. When downtime strikes, every minute counts. Will you be ready?
When it comes to healthcare organizations, ransomware is by and large the greatest threat to loss of PHI and cause of significant downtime. Ransomware is a form of malware that places encryption on the files of its victim. In order to restore access to the data a ransom payment is required, usually in the form of Bitcoin. The amount can range from hundreds to even thousands of dollars or more.
What are the effects downtime has on healthcare?
Whether it is through data backups or cloud infrastructure, there are ways that organizations can better prepare for potential downtime. The healthcare industry in particular is highly coveted by cybercriminals. Sensitive data targeted by ransomware can often yield large financial gains for the perpetrators.
Downtime in the healthcare industry is a critical situation. It goes beyond lost revenue but can be a life-or-death situation for patients relying on results or treatment powered by modern technology. It can also render feelings of uncertainty for both patients and providers who wait, not knowing how bad the potential damage on the other side of the attack may be.
Though large healthcare organizations can produce an extensive library of PHI and perhaps even larger ransom payout, smaller providers are not off the hook.
According to The Secretary of the U.S. Department of Health and Human Services (HHS), there were 592 breaches of unsecured PHI affecting 500 or more individuals within 24 months ending in December 2020. Approximately 306 of these breaches occurred in 2020, with the number continuing to grow year over year. Data breaches of this scale almost always contribute to downtime as reaction and recovery commence. One of the best ways to avoid downtime is to protect against cybercrime. It is the one area that most organizations, including those in healthcare, can control (to a certain degree).
What is EHR downtime?
When it comes to downtime in healthcare, the most significant instances are those referred to as electronic health record downtime (EHR). This refers to any period in which an EHR system is either partially or fully unavailable. Not only is this disruptive to day-to-day operational flow, but it also poses risks to patient reporting. Believe it or not, most hospitals are not adequately prepared for such a situation.
A close call: 3 U.S. based healthcare providers enter EHR downtime due to Cyberattacks
In late 2020, several U.S. hospitals, health systems, and other providers were attacked by ransomware, now being investigated by the FBI, called Ryuk. At its earliest point of attack, three systems went into EHR downtime, including the University of Vermont Health Network, New York-based St. Lawrence Health System, and Sky Lakes Medical Center in Oregon. Access to programs like MyChart Patient Portal went down, meaning patients and providers could not access results. In some cases, elective procedures had to be postponed. IT departments reacted by disconnecting all impacted systems to avoid further damage. This example demonstrates how a cyberattack can severely impact healthcare organizations that are not prepared for this scenario.
Ryuk is ransomware that primarily targets businesses, hospitals, and government branches. In circulation since 2018, Ryuk impacts about 20 organizations each week, with its most specific focus being those in healthcare. Like most ransomware, it usually finds its way onto a system via phishing emails with malicious attachments. It relies on open source tools and existing system administration utilities to bypass detection. This means that Ryuk can conduct malicious activity without ever triggering any security alerts. By the time a user finds it, it is too late. This form of ransomware encrypts all files, except for those with extensions: .dll, .lnk, .hrmlog, .ini, and .exe. It also skips over files stored in internet browsers, likely so that the victim can still utilize those systems for payment. In addition to encrypting files, Ryuk will also steal credentials stored on compromised computers. If that was not bad enough, there is currently no publicly available tool that can decrypt this ransomware without first posting payment.
You can read more about this incident affecting healthcare organizations at HealthITSecurity.
What might downtime look like at your organization and how do you calculate its loss?
According to OpsWorksCo, downtime can cost an organization more than just money, but it can also damage reputations, productivity, opportunities and data. Organizations can calculate the cost of their downtime using the following equation:
Lost Revenue + Lost Productivity + Recovery Costs + Intangible Costs
According to the most recent data found in a study by the Ponemon Institute, and shared by Summit Healthcare, the average cost of downtime in healthcare is $7,900 per minute. This does not include any fines related to HIPAA.
The bottom line
Cyberattacks can wreak havoc on an organization, regardless of the industry. However, in healthcare, besides financial and data losses, the downtime created by these types of attacks can inconvenience both clients and patients, many of whom require access to critical services or who have paid for services in advance.
The best way to avoid downtime at a healthcare organization is to develop and fund an effective cyberattack response plan. Educating employees on best practices and investing in modern technology, such as cloud solutions, can also protect organizations from costly cyberattacks.