Healthcare providers are still reeling from a record number of data breaches reported so far this year and several major outages, such as the one caused by a defective CrowdStrike software update for devices running Microsoft Windows. These breaches and outages have cost healthcare providers millions of dollars in delayed care and related litigation fees.
For instance, St. Louis-based health system Ascension was hit with a ransomware attack in May, compromising patient data after an employee mistakenly downloaded a malicious file. In January, the occupational health provider Concentra reported a data breach affecting nearly 4 million people. The Addison, Texas-based company said the hack was tied to Perry Johnson & Associates, a third-party transcription service that experienced a cyberattack in 2023.
In February, a ransomware group hacked claims processing software from UnitedHealth Group’s Change Healthcare unit, sending a shock wave throughout the industry that sank provider revenue.
The Change Healthcare disruption immediately knocked out Temple Health’s outpatient call center, which was dependent on the technology, said Deb Cancilla, chief information officer of the Philadelphia-based academic health system.
Temple was forced to set up a manual call center so patients could schedule appointments or ask about bills until the health system secured a contract with another vendor, Cancilla said. As a result, Temple now routes all calls through the health system rather than a third party.
In addition, Temple is requiring vendors to assume financial liability in case a software update leads to a breach, Cancilla said.
“We’re starting to feel the pain of how bad [these outages and breaches] can get,” she said.
Fighting phishing scams
Since most data breaches stem from phishing scams opened through employee emails, health systems have upped investment in training, software changes and awareness campaigns.
Community Hospital Corp., for instance, divided its email system between users who can only send internal emails and users who need to communicate with people outside the organization, significantly reducing the system’s exposure to phishing attacks, Doerr said.
It’s more cost-effective to train staff and implement IT safeguards than to risk the prolonged financial fallout that can stem from a data breach, said Deepesh Chandra, chief information officer at Montefiore Health System, a 10-hospital nonprofit based in New York.
Providers are also taking a different approach to software patches. Historically, many health system IT administrators would test patches to servers and other software for weeks before installing them to ensure they were safe and compatible with their networks. Increasingly, health systems are taking days, if not hours, to install what are deemed critical patches.
“If you get a critical patch, you need to act on that right away,” Cancilla said.
Rising IT costs add to financial challenges
Most of the cybersecurity changes health systems are implementing carry a significant cost, which may be untenable for smaller hospitals and systems.
More than 85% of health systems Modern Healthcare surveyed said rising healthcare expenses are among their top concerns. Some of those costs can be traced to growing IT expenses, including recruiting and retaining staff. More than 91% of systems reported overall workforce shortages and staff burnout remain top concerns.
Cybersecurity insurance rates have risen for many health systems, while the number of carriers has narrowed.
North Arkansas Regional Medical Center in Harrison has seen its cybersecurity insurance premiums jump 37% over the past 10 years, CEO Sammie Cribbs Roberson said.
“When you look at that number as a percent of the increase in reimbursement from payers, it shows that it doesn’t quite cover the cost,” she said.
See the 2023 operating revenue of 75 top health systems below.