Health care organizations, hospices included, continue to be prime targets for hackers and other cybercriminals, leading to data breaches that disclose protected health information and cause potentially huge financial losses. Despite the risks, most health care providers do not have adequate protections in place, according to a new report by cybersecurity watchdog Kaspersky.
Health care cybersecurity incidents cost as much as $408 per patient on average, plus an average of $1.75 million in advertising to counteract the resulting damage to providers' reputations, Kaspersky reported.
Kaspersky engaged the research firm Opinion Matters to conduct an online survey of 1,758 health care workers, of whom 1,004 worked in the United States and 754 worked in Canada.
Close to one-third of respondents said that they had never received any kind of cybersecurity training from their workplace and said they felt that they should have. Nearly 20% said their organization should provide more such training, and only 32% said they were aware of their employers’ cybersecurity policies.
The survey also found that many health care employees do not understand regulations designed to protect patient information, such as the Health Insurance Portability and Accountability Act (HIPAA).
A number of hospices have experienced significant data breaches so far this year.
Tennessee-based Alive Hospice in May discovered unauthorized activity pertaining to an employee email account, finding that a hacker had access to its systems for as long as two days. The account contained patient demographic information, Social Security numbers, driver’s license numbers, credit and debit card numbers, staff details, medical histories, treatment and prescription information, medical record numbers, health insurance data, Medicare and Medicaid numbers, and login details for email and other online accounts. This follows a 2018 phishing attack that also impacted that hospice.
“While Alive Hospice has stringent security measures in place to protect information, it is taking steps to implement additional safeguards to further protect the security of information,” the company said in a statement.
Alive Hospice is not alone. The Hospice of San Joaquin in California was hit with a ransomware attack in July that infected its network and services with malware. An employee email account was compromised in April at Care Partners Hospice and Palliative Care, an Oregon nonprofit, giving hackers access to patients’ protected health information.
In March a phishing attack exposed hospice patient information at Maryland-based Frederick Regional Health System, according to media reports. A similar incident took place in April involving Bend, Ore., hospice provider Partners in Care.
All told, more than 200 data breaches have occurred among U.S. health care providers to date in 2019, affecting more than 500 people, according to the U.S. Department of Health & Human Services.
The report contained several recommendations, including employing an IT security team that understands unique risks to the organization, as well as having appropriate policies and tools to counteract those threats and training all staff on cybersecurity.
“With a growing number of private patient information files being electronically transferred daily, it is more important than ever to be sure that patient information is being safely processed and stored,” the report indicated. “As the data highlights, there is a severe lack of cyber security training for healthcare employees which leaves a significant opening for cyberattacks as well as missteps in human error.”