
The True Cost of Healthcare Cyber Risks

September 17, 2024

Cyber risks are among the most significant and costly risks facing healthcare organizations today. Recovering from a cyberattack can be costly financially and in terms of the organization’s reputation. To make matters worse, falling victim to a cyberattack makes it more likely that there will be future attacks. So, how do healthcare organizations protect themselves from this costly threat?

In a recent HealthStream webinar entitled “The True Cost of Healthcare Cyber Risks,” subject matter experts quantified the real cost of such attacks and offered practical advice on how organizations can protect themselves against such attacks. The webinar was moderated by Amelie Smith, HealthStream’s Marketing Manager, Quality and Compliance and featured presenters:

  • Mac McMillan, Founder and CEO Emeritus, CynergisTek
  • Karin Balsley, AVP, Information Security, HealthStream
  • Mary Soldswisch, PMP, Governance, Risk and Compliance Manager, HealthStream

The Problem is Real and Costly

Smith set the stage by describing the scope of the problem. Sixty-seven percent of C-level executives feel that their organization is unprepared for cyberattacks. The problem is widespread and increasing. The FBI logged 300,000 phishing complaints in 2023. That number represents a 38% increase over the attempts reported in previous years.

The cost of a healthcare breach averages $10 million, an amount that does not include damage to the organization’s reputation. Healthcare organizations need a proactive approach to thwarting these attacks. What steps can they take right now?

Is Your Organization Prepared?

Balsley encouraged healthcare leaders to clearly categorize organizational roles and responsibilities so that at-risk groups (IT staff, information security staff, the executive team, etc.) receive additional training, as these groups are often targeted because of their levels of access and authority. She also encouraged regular risk assessments, both for individual applications and for the organization as a whole, and urged staff to follow industry boards to keep up with the latest tactics used by attackers and to ensure that the organization’s systems are updated regularly.

McMillan encouraged leaders to create a mindset of zero trust. Staff should be encouraged to be suspicious of everything (systems, software, people, and access) until those things are proven safe. Staff should ask questions, test systems, and regularly conduct recovery exercises.

Cyber Risks – What Are the Hidden Costs?

Soldswisch shared that hospitals are currently the number one target for ransomware attackers. In 2023, the healthcare sector experienced the largest share of ransomware attacks, and the number of attacks rose 18% over 2022.

Reported losses also increased by 74% and now range between $34.3 million and $59.6 million. To make matters worse, paying a ransom does not guarantee that an organization will regain access to its data. Attackers may destroy the data, whether through incompetence or deliberately, or share it on the dark web even after the ransom is paid.

In addition, there are other costs associated with a cyberattack.

  • Downtime is expensive, and the lost time cannot be recovered.
  • Purchasing brand reputation software and the other efforts required to protect the organization’s brand are also costly.
  • Staff can become exhausted during recovery efforts.
  • Additional data security resources may be required during this time.

And lastly, McMillan shared that up to 85% of organizations paying ransoms will fall victim to another attack.

Risk Education for Healthcare Staff – Where to Start?

The experts agreed that healthcare staff need to be taught how to recognize a scam, and Balsley encouraged leaders to provide that education. Staff should treat unexpected or unsolicited contact as a potential scam. Urgent requests for money or gift cards, whether for the executive team or for others, are another clear indication of a scam.

Emails with spelling, grammar, and syntax errors along with those with generic greetings should be treated with suspicion. Staff should also be trained to look carefully at the sender’s email address and to be cautious about removable media such as USB drives that may be used to introduce malware.
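The indicators listed above translate directly into triage rules. The following is an added example, not material from the webinar: a small Python checker that flags three of the indicators (a generic greeting, urgency combined with a money or gift-card request, and an executive title in the display name paired with an external sender address) on constructed sample messages. The internal domain, sample addresses and term lists are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the webinar). The first shows three of the
# indicators named above; the second is an ordinary internal message for contrast.
SUSPICIOUS_EMAIL = """\
From: "Pat Lee, CEO" <pat.lee@example-mail.net>
To: staff@hospital.example
Subject: URGENT request

Dear Employee,

I need you to buy gift cards immediately and send me the codes ASAP.
"""

NORMAL_EMAIL = """\
From: "Pat Lee" <pat.lee@hospital.example>
To: mary@hospital.example
Subject: Q3 training report

Hi Mary,

The Q3 report is attached for your review. No rush on this.
"""

INTERNAL_DOMAINS = {"hospital.example"}  # assumed internal domain, placeholder only
GENERIC_GREETINGS = ("dear employee", "dear customer", "dear user", "dear sir/madam")
URGENCY_TERMS = ("urgent", "immediately", "asap", "right now")
MONEY_TERMS = ("gift card", "wire transfer", "payment")
EXEC_TITLES = ("ceo", "cfo", "cio", "president", "director")


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the indicators found in a raw RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    body_l = body.lower()
    text_l = (msg.get("Subject", "") + "\n" + body).lower()
    hits = []
    # Generic greeting instead of the recipient's name.
    if body_l.lstrip().startswith(GENERIC_GREETINGS):
        hits.append("generic_greeting")
    # Urgency language combined with a request for money or gift cards.
    if any(t in text_l for t in URGENCY_TERMS) and any(t in text_l for t in MONEY_TERMS):
        hits.append("urgent_money_request")
    # Display name claims an executive title, but the address is outside the organization.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain and domain not in INTERNAL_DOMAINS and any(t in name.lower() for t in EXEC_TITLES):
        hits.append("executive_title_external_sender")
    return hits


def should_escalate(raw_message: str, threshold: int = 2) -> bool:
    """Flag a message for the security team when enough indicators coincide."""
    return len(phishing_indicators(raw_message)) >= threshold
```

Keyword checks like these are a starting point for reporting, not a substitute for the sender-address and attachment scrutiny described above.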

Physical security is also important. Staff should know what to do when equipment is lost or stolen and should be cautious when using devices in public, where the Wi-Fi connection may not be secure enough to protect data. Staff should also be required to lock their computer screens before leaving their desks and to use rigorous password protection.

Staff also need to understand the importance of time in cybersecurity. Should they notice anything odd about their computer’s performance or receive a suspicious email, they should report it to security at once, as a timely response to the threat helps mitigate the risk.

What Key Elements Might You Be Overlooking?

Staff also need to be aware of social engineering, which Balsley defined as the tactics criminals use to persuade people to do things they should not by exploiting their good nature. This technique can be particularly effective when directed at an industry largely populated by people with a genuine desire to help others.

Leaders are also encouraged to follow their own organization’s best practices and operate within their cybersecurity framework. Regular education and communication on the topic, along with tabletop exercises in support of disaster recovery plans, should also be included. The leadership team should also be educated about sensitive data: where it is and how it is being protected.

McMillan also encouraged healthcare leaders to be aware of mistakes. “If we constantly question what we are doing, rigorously test before implementation, and engage in thoughtful change management strategies, we can avoid the kinds of mistakes that put organizations at risk,” said McMillan.

To learn more, you can access the webinar here. You can also reach out to HealthStream today to learn more about how to prepare your organization to prevent cyberattacks.
