By Tom Kelly
June 23, 2021 at 5:00 am ET
In the past year alone, there’s been an increase of more than 30 percent in the number of cyber breaches reported. Anne Nuremberger, President Joe Biden’s national security adviser for cyber and emerging technology, has urged companies to “immediately discuss the ransomware threat and review corporate security posture.”
But one of the industry sectors most vulnerable to cybercrime is health care. Since April 2021, the health care industry has been one of the most frequent targets of ransomware attacks. The threat is real and doctors and administrators within the health care industry need to make cybersecurity a priority.
This is especially true as health care providers adopt telehealth services. Telehealth, which rapidly became the next biggest trend in medicine, promised to deliver better, more efficient and more consistent care with the use of digital web platforms, video conferencing tools and remote monitoring devices. However, when the coronavirus pandemic hit, telehealth was the last lifeline connecting doctors to their patients during social distancing and lockdowns.
But that rapid adoption meant the medical industry shifted to telehealth well before it had established the cybersecurity protections it needs to keep patient privacy secure. Rising cybercrime coupled with the native vulnerability of the health industry’s cybersecurity system means telehealth databases are sitting ducks for hackers and ransomware criminals.
Even before the pandemic, hospitals and health care providers were one of the biggest targets of data breach and ransomware attacks. After the pandemic began, it didn’t take long for these cybercriminals to ramp up their attacks; within weeks, dozens of hospitals were the victims of data breaches and ransomware attacks. And even as cybercrime continues to rise, fully 73 percent of health system, hospital and physician organizations say they are still unprepared to face a potential cyberattack.
Telehealth expands the attack surface for health care providers and worsens vulnerabilities. On telehealth platforms, patients are consciously discussing, and therefore disclosing, their most sensitive personal health information. But any digital technology is only as safe and secure as the cybersecurity infrastructure and privacy practices that support it. While we may expect trusted institutions like hospitals, medical clinics, and health insurers to have excellent cybersecurity infrastructure, they often do not.
It only takes one successful hack on a “secured” line of communication for a user’s personal information to be gathered and sold on the dark web to the highest bidder. In particular, the sensitive nature of private medical information makes it a target for ransomware hackers looking to exploit medical facilities by threatening to share delicate information online.
In 2020, a ransomware attack accounted for one of the largest data breaches on record for the year. And the target was the medical industry. The attack compromised a Catholic health system and its data vendor. The attackers were able to tamper with, steal and delete patient information and other sensitive data. All told, more than 3.3 million patient records were affected. And just last month, Scripps Health was shut down following a devastating ransomware attack.
Telehealth has a lot to offer, and remote patient services are likely here to stay for the long-term. But as with the use of any digital technology, there’s a tradeoff between added convenience and privacy. While health care information is protected by HIPAA in the United States, cybercriminals don’t respect those laws.
The rise in cybercrime should be a wake-up call for the medical industry. The benefits of telehealth may not be worth the costs if patients cannot be assured that their data is protected. It’s time to improve cybersecurity measures and implement the best practices that can secure patient data.
Tom Kelly is president and CEO of IDX, a Portland, Ore.-based provider of data breach and consumer privacy services such as IDX Privacy; he is a Silicon Valley serial entrepreneur and an expert in cybersecurity technologies.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.