The Costs of Healthcare Hacks Are Mounting

As the frequency of cyberattacks on healthcare systems and hospitals increases, so too do the costs for preventing them.

Photo of a person typing on a laptop next to a stethoscope
Photo by National Cancer Institute via Unsplash

Sign up for smart news, insights, and analysis on the biggest financial stories of the day.

The world is full of crooks, but it takes a truly dastardly person to extort a hospital.

The frequency of cyberattacks on healthcare systems and hospitals is increasing, headlined this year by enormous breaches at UnitedHealth and Ascension. It’s unclear just how lucrative an enterprise it is to hold a health system’s technology hostage, but what is calculable is the huge costs that healthcare providers have to bear in the wake of an attack — not to mention the terrible impact on patient care.

Hacks and Quacks

The disruption of ransomware attacks can cause visceral damage to patient care. This month, the UK’s National Health Service had to put out an emergency call for Type O blood donors in London after a ransomware attack on a blood analysis contractor knocked out the health service’s ability to decipher what type of blood it had banked up. Meanwhile, one nurse told NPR he nearly gave a baby a “wrong dose of narcotic” due to the chaos caused by the Ascension hack.

But the costs continue once a healthcare provider has actually resolved an attack. In April, UnitedHealth said the cyberattack it faced in February cost the company $872 million just in the first quarter of this year, and projected costs could rise as high as $1.6 billion. Both United and Ascension have been hit with class-action lawsuits, and not just from impacted patients. UnitedHealth investors have filed a class-action suit accusing the company of failing to erect proper firewalls. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to implement “reasonable and appropriate” cyber protections, which only gets more and more difficult in a world where hackers are targeting more and more hospitals:

  • “There are instances where some healthcare providers, especially smaller ones, may struggle to afford the level of cybersecurity they realistically need,” Layna Cook Rush, head of the Data Incident Response Team at legal firm Baker Donelson, told The Daily Upside. She added that cyberattacks on healthcare systems are growing in both frequency and sophistication.
  • Shankar Somasundaram, CEO of cybersecurity firm Asimily, said that many hospitals operate on “thin margins.” He added that hospitals are increasingly using internet-dependent equipment, which only increases a hospital’s attack surface.

Have You Tried Turning It Off and On Again: Unfortunately, sometimes good cybersecurity is simply a matter of implementation. Oren Koren, co-founder of cybersecurity firm Veriti, said he has worked on cases where a hospital was hacked simply because its security systems weren’t properly set up by the staff, and even came across staff shutting off security features because they interfered with the continuity of patient care. “In any hospital that we’ve worked in, something was not enabled,” Koren told The Daily Upside, adding, “I have encountered healthcare associates who have disabled everything because they care about the patient.” Worse, according to Koren: Cybercriminals and the black market in which they operate are simply evolving quicker than hospitals and their staff can adjust.