The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was designed to be a $27 billion transformation of personal health information (PHI) into electronic health records (EHRs).
Yet, one unintended consequence of the landmark legislation is the historic number of assaults by cybercriminals on the healthcare industry.
As part of the U.S. Government’s 2009 economic stimulus package, HITECH provided incentives for the healthcare industry to transition patient data from paper files locked away in doctors’ offices to electronic records on the information superhighway, accessible from anywhere in the world.
Unfortunately, one of the worst side effects of EHRs has been the movement of personal and critical patient data from secure paper records to easily accessible digital files.
The Unintended Outcome
What was intended to create accessibility for the benefit of the patient has resulted in accessibility for the benefit of cybercriminals with nefarious intentions, including reselling the information online, holding it ransom for vast sums of money, and committing identity theft for the purpose of obtaining free medical procedures and medications.
With patient data available to hackers on hospital and healthcare provider networks, cyberattacks in the healthcare industry have skyrocketed. The growth in ransomware attacks, in particular, has been a scourge on the U.S. healthcare system.
The impact has taken multiple forms, including system and operations downtime, and patient care disruptions. Ransomware attacks can lead to dramatic financial losses for hospitals, healthcare providers, and other healthcare-based enterprises.
Beyond the ransom that victims may have no choice but to pay in order to regain access to critical operational files, they will also incur the cost of notifying patients of the data breach; plus the expense of regulatory investigations, potential civil litigation, significant system upgrades, and machine restoration; as well as the revenue lost from turning away patients who cannot be processed or treated during a breach.
One of the costliest and most disruptive by-products of a healthcare ransomware PHI breach is a judgment by the U.S. Department of Health & Human Services (HHS) that a HIPAA compliance violation has occurred—the fines for which max out at $6 million per year according to the website HIPAA Journal and other corroborating sources.
This paper discusses the impact of ransomware on the healthcare industry, and how organizations can better protect themselves by preventing successful ransomware attacks.