U.S. Healthcare Sector Grapples with Escalating Cybersecurity Threats

In an era where digital transformation is reshaping every sector, healthcare remains one of the most targeted by cyberattacks. Recognizing the heightened risks, the largest healthcare accreditation body in the U.S., the Joint Commission, has recently issued comprehensive cybersecurity guidelines. These are aimed at preparing hospitals for potential cyberattacks that could incapacitate critical systems for extended periods, necessitating significant investments to bolster defenses.

Rising Threats in Healthcare Cybersecurity

Hospitals are now being urged to implement robust tools and processes to ensure continuity of essential services, even when key technological systems are compromised. The guidance from the Joint Commission, a reputable nonprofit organization, comes in response to the increasing frequency and sophistication of cyberattacks targeting healthcare providers. According to David Baker, Executive Vice President for Healthcare Quality Evaluation and Improvement at the Joint Commission, phishing attacks are the most common method used by hackers to infiltrate hospital systems. Even a few staff members responding to phishing messages can lead to catastrophic consequences.

Emergency Management and Cybersecurity

The Joint Commission plays a pivotal role in assessing the emergency management plans of healthcare organizations. These plans cover responses to a variety of emergencies, including cyberattacks. However, the Commission's recommendations on cybersecurity are advisory and not mandatory, and it does not currently plan to evaluate cybersecurity readiness directly.

Impact of Recent Cyberattacks

The urgency of these guidelines is underscored by recent events. This year alone, cyberattacks have compromised the medical data of over 61 million individuals across more than 400 incidents reported to the U.S. Department of Health and Human Services. One notable example is Prospect Medical Holdings, which suffered a significant cyberattack, leading to disruptions in patient services and delays in appointments.

Challenges in Cyberattack Response

Restoring critical systems in hospitals post-attack is a time-consuming and complex process. According to John Riggi, National Adviser for Cybersecurity and Risk at the American Healthcare Association, hospitals typically need three to four weeks to restore critical systems, with noncritical ones taking longer. The continuous operational nature of hospitals adds another layer of complexity to incident response.

Guidelines for Mitigating Risks

The Joint Commission's guidelines emphasize maintaining access to patient records and ensuring the uninterrupted functioning of essential services like labs and radiology, even when regular technology is unavailable. This could involve investments in encrypted, offline backups or fail-safe systems for critical data.

Financial Impact of Cyberattacks

The financial implications of these attacks are staggering. A report by International Business Machines indicates that the cost of data breaches in healthcare has surged by 53% since 2020, making it the most expensive sector for data breaches. For instance, Point32Health reported substantial net losses due to a cyberattack, highlighting the economic strain on healthcare providers.

Challenges and Support for Hospitals

Implementing the Joint Commission’s recommendations involves significant effort and expense. Smaller and more remote hospitals, in particular, face challenges in affording adequate cybersecurity measures. Amid these challenges, government initiatives and nonprofits are increasing their support to hospitals through guidance and grants. Agencies like the Health Information Sharing and Analysis Center are vital in facilitating the exchange of threat intelligence among healthcare providers.

TL;DR

The escalating cybersecurity threats in the healthcare sector call for a coordinated and robust response. While the Joint Commission's guidelines provide a roadmap, the implementation is fraught with challenges, especially for smaller healthcare providers. As cyber threats continue to evolve, the need for sustained investment, innovation, and collaboration in cybersecurity measures becomes increasingly imperative to safeguard the healthcare sector's digital landscape.