Increasingly frequent data breach attacks on hospitals are imposing new obligations on hospital leaders. While general cybersecurity threats are significant, hospital CEOs and directors would be well-advised to implement additional oversight measures focused on data breaches. Hospital leaders already face numerous concerns about hospital operations, solvency, regulatory compliance, and accelerated industry changes. However, frequent and severe data breaches now require a sharper focus on this critical issue.
Increased Data Breach Activity and Visibility
The HHS Office for Civil Rights (OCR) maintains a public inventory of breaches affecting 500 or more individuals reported by HIPAA covered entities and business associates. From January 1 to August 31, 2024, 435 breaches were reported, an average of 1.8 per day. This statistic underscores how routine the threat has become. Notable 2024 incidents involved major healthcare entities such as Change Healthcare (a UnitedHealth Group subsidiary) and the Ascension health system, highlighting the issue’s urgency.
These high-profile breaches should serve as a wake-up call for the entire healthcare industry. They demonstrate that even large, well-resourced organizations are vulnerable to cyberattacks, emphasizing the need for constant vigilance and improved security measures across the board.
High Financial Costs
Data breaches can result in a variety of costs, both immediate and long-term. According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a breach in healthcare is $9.8 million, the highest of any industry surveyed. This figure encompasses a range of expenses, including:
- Immediate response costs
- Legal fees
- Patient notification expenses
- Credit monitoring services for affected individuals
- Potential fines from regulatory bodies
In addition to OCR civil monetary penalties and resolution agreements, organizations face significant expenses from class action lawsuits brought by affected patients. Notable settlements include:
- Community Health Systems (2014) – $5 Million Settlement
- St. Joseph Health System (2012) – $7.5 Million Settlement
- Excellus BlueCross BlueShield (2015) – $17.3 Million Settlement
- Premera Blue Cross (2015) – $74 Million Settlement
- Anthem (2017) – $115 Million Settlement
These settlements highlight the potential for massive financial liabilities resulting from data breaches. Moreover, hospitals may experience increased cyber insurance premiums following a breach, further straining their financial resources.
Increased Trust and Reputational Risk
A fundamental responsibility of hospital leadership is to foster and maintain trust with patients concerning both the quality of care and the security of sensitive health information. Data breaches can severely undermine this trust among patients, the public, and other stakeholders such as payers, partners and investors.
The erosion of trust can have far-reaching consequences, including:
- Decreased patient confidence in the healthcare system
- Reluctance to share sensitive health information
- Potential loss of patients to competitors perceived as more secure
- Negative media coverage and public perception
- Difficulty in attracting and retaining top medical talent
Rebuilding trust after a significant data breach can be a long and challenging process, making prevention and robust security measures all the more critical.
Increased Legal Exposures and Possible Board Negligence
Hospital leadership must be mindful of several legal exposures, including:
- Non-compliance with regulatory requirements
- Class action lawsuits stemming from the theft of patient information
- Potential SEC enforcement against public companies that fail to disclose material cybersecurity incidents as required (on Form 8-K within four business days of determining that an incident is material)
- Personal liability and negligence claims against CEOs and board members
For instance, following the Change Healthcare breach, Senator Ron Wyden urged the FTC and SEC to investigate whether the UnitedHealth Group CEO and board were negligent for failing to put a qualified Chief Information Security Officer (CISO) in charge of security. This case illustrates the potential for personal liability that executives and board members may face in the wake of a significant data breach.
The Challenge of Protecting Legacy Systems from Data Breach Attacks
Many hospitals rely on legacy systems (older medical devices, departmental applications, unsupported operating systems) that are difficult and very costly to update or replace. These outdated systems often lack modern security features such as MFA, encryption and logging, and are more exposed to attack. The HIPAA Security Rule nonetheless requires covered entities to implement administrative, physical and technical safeguards for electronic protected health information (ePHI), regardless of the age of the systems that store or process it.
Protecting legacy systems presents unique challenges:
- Limited or non-existent vendor support for outdated software
- Incompatibility with modern security tools and protocols
- Difficulty in integrating with newer systems
- Exposure to publicly known vulnerabilities that can no longer be patched, for which working exploits are often freely available
Hospitals must develop strategies to secure these legacy systems while planning for their eventual replacement or modernization. Where a system cannot be patched, compensating controls such as network segmentation, strict allow-listing of the hosts that may talk to it, removal of internet access, and enhanced monitoring of the segment it lives in are the practical means of reducing risk in the meantime.
Future AI Threats
The rise of AI-generated phishing and malware poses a new challenge, lowering the skill required to mount a credible attack on hospital systems. AI-assisted attacks can:
- Generate highly convincing phishing emails
- Automate the discovery of system vulnerabilities
- Adapt lures and malware variants quickly to evade signature-based defenses
- Mimic legitimate user behavior to avoid detection
As AI technology continues to advance, hospitals must continuously update their security protocols to stay ahead of emerging threats.
New Actions for Hospital Boards
Boards should reassess their past cybersecurity policies and focus more formally on the ongoing crisis of data breaches. Here is a list of recommended actions.
- Institutionalize a focus on data breaches by conducting CEO-led kickoff meetings involving IT and clinical executives and reinforcing this focus through quarterly leadership events.
- Enhance technical and workforce measures:
  - Implement Multi-Factor Authentication (MFA), prioritizing remote access, email, and privileged and administrative accounts
  - Encrypt ePHI at rest and in transit, with documented key management
  - Maintain rigorous patch management processes, with defined timelines for critical and actively exploited vulnerabilities
  - Conduct regular employee awareness training, including phishing simulations
- Pay special attention to data breach defenses for legacy systems. Develop tailored security strategies for outdated systems and prioritize the modernization of critical legacy infrastructure.
- Implement robust detection measures. Hospitals should recognize that prevention alone is insufficient and that creative threat actors can bypass many preventive controls. Therefore, hospitals should deploy advanced threat detection tools and processes, and layer overlapping detection (endpoint, network, identity and email telemetry) so that a single bypassed control does not leave an intrusion unseen.
- Emphasize tactical response plans for incident management. Focus on the critical initial hours of a breach (“containment”) to “stop the bleeding” and “stop the spread” of the attacker’s activity, including isolating affected systems, disabling compromised accounts, and preserving evidence. Develop and regularly update containment playbooks and conduct tabletop exercises to simulate breach scenarios.
- Ensure business executives are involved in decision-making. Define which decisions must be made by business executives or managers and avoid delegating crucial decisions solely to IT staff or external firms (MSPs, MSSPs, IR Firms).
- Implement regular inspections and audits. Establish internal audit committees to review data breach defense programs quarterly and conduct third-party security assessments to identify vulnerabilities.
By implementing these measures, boards can significantly enhance their organization’s resilience against data breaches and demonstrate their commitment to protecting sensitive patient information.
Conclusion
The increasing frequency and severity of data breaches in the healthcare sector demand a proactive and comprehensive approach from hospital boards. By focusing on data breaches, enhancing technical defenses, and ensuring effective incident response strategies, boards can better protect sensitive patient information and uphold the public’s trust in them.
As the healthcare industry continues to navigate these challenges, hospital leadership must remain vigilant and responsive to emerging threats. By prioritizing data security and implementing robust oversight measures, hospitals can mitigate the financial, legal, and reputational risks associated with data breaches while maintaining the highest standards of patient care and privacy protection.