One hospital found it was underfunding cybersecurity at 5 percent of its IT budget after it considered the potential damage a cyberattack could cause.
Cybersecurity may seem like an IT issue, but the cost of preventing cyberattacks and the financial damage resulting from successful attacks places the situation squarely in the CFO realm.
“As part of the overall leadership team, the CFO should be asking tech leadership for a cost/risk reduction analysis for each technological expenditure requested to remedy identified vulnerabilities and gaps,” explains John Riggi, senior advisor for cybersecurity and risk, American Hospital Association (AHA). “And if there were to be a cyber incident, what is the potential financial impact to disruption of operations, even for one day? That’s something the CFO should have readily on hand.”
A 2017 survey by accounting firm KPMG found that 47 percent of healthcare providers and health plans had instances of security-related HIPAA violations or cyberattacks that compromised data. That’s up 10 percentage points from the previous survey, which was conducted in 2015.
Cyberattacks on healthcare organizations take many forms. In some cases, the attack targets data.
“If an attacker breaches a retail outfit, they may walk away with some credit card numbers that may be profitable short term. However, if attackers hit hospitals, they get access to a treasure trove of data,” notes David Chaddock, a senior manager in the cyber security practice at West Monroe Partners.
That “treasure trove” of data that hackers can get from hospitals falls into several categories. The most obvious is information that might lead to HIPAA violations, such as patient data. Another is personally identifiable data that is not related to patients, such as employee social security numbers and payroll data.
But data doesn’t just mean personal information. One data category that hospitals sometimes overlook when securing their systems is proprietary research data.
“Often hospitals are so focused on protecting health information due to regulatory requirements, that they may neglect to protect medical research and innovation data,” Riggi says. “That information can be particularly valuable to both criminal and nation state adversaries bent on stealing your intellectual property.”
Another category of cyberthreat involves hackers infiltrating hospital computer systems to commit fraud, such as by misdirecting money intended for employees or vendors.
“We’ve seen where a hacker impersonates the e-mail of someone with financial authority in the organization and then misdirected a pending payment to a legitimate vendor to a criminal’s bank account, ultimately ending up overseas,” Riggi says.
Some attackers disable hospital computer systems by encrypting the data and networks and then demanding a ransom payment to restore them. Such “ransomware” was reported by 32 percent of healthcare providers and health plans that had a cyberattack, according to the KPMG study.
Perhaps the most frightening type of attack focuses on medical devices. Because nearly every bit of healthcare technology is linked via the internet, malicious individuals can sometimes break into a system and remotely affect the devices.
“All devices can be hacked,” says Justine Bone, CEO, MedSec, a security solutions provider for healthcare delivery organizations and medical device manufacturers. “And there are many different threats to them, ranging from device-specific attacks to widespread virus-style attacks. In all of these, there is a possibility of patient harm. Devices may cease to function at best and deliver dangerous therapy at worst.”
The common denominator in all of these attacks is cost—they are expensive to deal with. The costs include potential revenue loss due to downtime, staff cost, data recovery, litigation, and penalties. And if the attack is severe enough, the organization’s reputation can suffer.
See related sidebar: Cybersecurity Preparation Guidelines
Consider the various individuals who are involved when a hack is discovered. If the hack involves data, a forensic consultant will likely be required to identify what data is compromised and how it was taken, and of course the hospital’s IT department will need to take time to work with that consultant. The facility’s marketing or public relations department will need to prepare an announcement and notify patients. A legal team will need to deal with legal fallout, both from regulators and patients. And leaders will need to guide the process and take steps to prevent a repeat.
“It’s a diverse cross-sectional group that has to be involved in what can be a robust investigative process that demands a lot of staff time,” says Pam Hepp, a healthcare attorney who co-chairs the cybersecurity and privacy group at the Pittsburgh-based law firm Buchanan, Ingersoll & Rooney.
Hepp explains that beyond staff costs, hacked hospitals that experience a breach will need to provide notice and in many cases credit monitoring to affected individuals, notice to the Secretary of Health and Human Services and sometimes state regulators, and, depending on the size of the breach, notice to the media as well. Once the cause of the hack has been determined, hospitals must also take remedial measures and amend policies procedures and conduct training.
But Wait, There’s More
“Typically, the OCR [Office of Civil Rights of the Department of Health and Human Services] investigates, and they routinely ask for all policies and procedures, risk assessments, training materials and evidence of training, and so on,” Hepp says. “And that investigation could result in fines or a settlement imposed by OCR. Then there can be state regulatory sanctions and private lawsuits as well.”
The total bill for a serious hack can reach into the millions of dollars, Hepp says. She has seen cases where the settlement with OCR reached $5.5 million, in addition to costs that may need to be incurred to comply with the requirements of the settlement agreement.
Finally, beyond the dollar loss is the potential reputational damage a hack can cause, especially if patients are harmed. “In a worst-case scenario, a cyber incident impacts the function of a medical device that impacts safety,” Riggi says.
Should You Pay the Ransom?
Sometimes hackers just freeze hospital systems and demand cash to free it up again. The first question hospital leadership faces in that situation is, “Should we pay the ransom?”
In a previous position, Riggi was an FBI senior executive and wrote the agency’s ransomware policy.
“The FBI’s policy is not to pay the ransom, because it potentially encourages the behavior, emboldens the adversary, and potentially funds more serious and potentially violent crimes by that group,” Riggi says. “That being said, the guidance was written understanding that sometimes restoring the network is beyond an organization’s control or capability. Ultimately, the FBI leaves the payment decision as a business decision if there’s a serious disruption of operations or potential impact to patient care and safety. So, in sum, the FBI hopes well-prepared organizations that can restore systems from back-up in a timely manner may never have to face the ‘pay/don’t pay’ decision. Either way, an organization should always contact their local FBI Cyber Task Force to advise them of the attack and to seek assistance.”
Hepp adds that the decision to pay or not pay often depends on how prepared the hospital is. If the hackers have locked up a hospital’s data, but it has a good back-up that can quickly restore the system, the hospital may decide not to pay.
“But in certain situations, the hospital may have no choice,” Hepp says.
Investing in Prevention
Hospital CFOs should play a role in the cyber risk assessment that every hospital should undertake, Riggi says. The risk assessment identifies the data or systems most likely to be hacked and the potential vulnerabilities—technological, procedural, or organizational —that could lead to a hack. The CFO should consider the financial investment required to fix vulnerabilities and understand the cost of not fixing them.
Among the potential expenses:
- Technology products and services to prevent intrusions
- Training to teach employees how to avoid risky actions, such as opening suspicious e-mails
- Staff or consultant time to prepare policies pertaining to cyber risks
- Staff time to work with outside vendors to ensure they do not introduce vulnerabilities
The size and complexity of an organization as well as the types of data it works with also play a role in determining the amount of investment required. Riggi says he recently consulted with a hospital that decided to allocate 3 percent of its IT budget toward cybersecurity. That figure seemed reasonable until they compared it with the overall hospital budget and the potential physical and financial harm a cyberattack could cause (they had ranked cyber risk as their No. 3 enterprise risk issue).
“They understood they were woefully underfunding cybersecurity and immediately doubled the information security budget,” Riggi says. “This is where the CFO’s analysis was and will always be very important.”
Ed Avis is a freelance writer, Chicago.
Interviewed for this story:
Justine Bone is CEO, MedSec.
David Chaddock is senior manager of cybersecurity, West Monroe Partners.
Pam Hepp is an attorney, Buchanan, Ingersoll & Rooney.
John Riggi is senior advisor for cybersecurity and risk, the American Hospital Association.