Rural health providers are increasingly under cyberattack. Enticed by valuable stores of health records and sometimes porous security, hackers infiltrate a hospital’s IT system and encrypt its data, making it unusable until the provider pays a ransom. If the hospital doesn’t pay up, the hackers can sell the data on the dark web to those who use it for insurance fraud. For the hackers, it’s almost a no-lose cybercrime. But for the hospitals or medical groups – particularly those in the middle market already operating on thin margins – the damage can be fatal, RSM research found.
There are some lower-cost measures that health care providers can take to reduce the risk of cybercrime.
A recent article in The Wall Street Journal provided some chilling examples of the cost that these attacks have imposed on medical providers. Sometimes, the article said, providers have had to use paper documentation and turn away patients until they are able to rebuild the affected systems. In more extreme cases, the provider may simply close for good.
The Journal article also cited a study by IBM and the Ponemon Institute that found health care to have the most expensive breaches on a per-record basis. The smaller a potential target, the more likely its IT system will be breached, the study also found.
While the health care industry is a rich target for hackers …
The total cost of the hacks outpaces other industries …
Especially on a per-record basis …
And the problem isn’t going away …
RSM’s research suggests that the total cost of a breach, which includes direct and indirect expenses, increases for smaller organizations. Most rural providers have revenues in the $50 million to $300 million range, which suggests that the total cost of a data breach is about $4.1 million, according to the research, which was done in conjunction with NetDiligence. It’s a figure that often exceeds a hospital’s annual operating profits. According to the 2019 Almanac of Hospital Financial and Operating Indicators published by Optum, rural hospitals with revenues below $200 million produce median margins from negative 0.7 percent to positive 0.6 percent. With such break-even margins, it is no wonder some rural providers are forced to close when faced with a data breach.
Even before the rise in data breaches, rural hospitals were at risk. More than 80 rural hospitals have closed since 2010, according to Modern Healthcare. Consider obstetrics services. A study published by Health Affairs in 2017 said that 54 percent of the nation’s rural counties do not have access to such services. The incidence and prevalence of cyberattacks on rural providers, coupled with the financial and patient disruption they create, will not ease.
What can local providers, especially rural providers with fewer resources, do now to help mitigate these risks? Two measures provide a start:
- Assess their current framework. While the IT environment and infrastructure should be part of this assessment, RSM found that many providers do not look closely enough at their own culture. Do staff and clinicians lock workstations when they’re done? Do workers receive phishing or social engineering training? These are relatively low-cost ways to address serious cyber vulnerabilities.
- Have a response plan. The notification requirements can be complex, and hospitals do not want to sort through them while simultaneously working to decrypt data after a ransomware attack. The response plan is more comprehensive and must include information such as IT staffing and cloud or hosting vendor contact information. RSM research suggests that lacking such a plan is a significant contributor to breach expense.
The financial incentives for hackers are too great. Local providers and their communities and regulators must rethink their approach to cybersecurity.