The stakes are particularly high for New York hospitals. According to industry standards, on average every bed in a hospital uses 15 devices that are often interconnected, including monitors and IV pumps, according to Chad Holmes, a product specialist at Cynerio, a cybersecurity company on the Upper West Side. A 1,000-bed hospital could have 15,000 devices that could all be impacted by an attack, he said.
“If a city like New York lost access, that would be really bad for ERs and could have a really bad cascading effect,” Holmes said. If patients had to be diverted from a city health system location but all sites were impacted by a breach, it could have a domino effect, he said.
Healthcare organizations are more vulnerable to cybersecurity attacks than other systems are because hackers know they are impacted more when technologies aren’t working, Kessem said. Such downtime costs organizations financially, but it also can cost lives if medical systems are disrupted.
The complexity of the technology infrastructure healthcare systems tend to use also makes them more vulnerable to attacks, Kessem said, and many organizations run outdated programs on devices they use every day, exacerbating the issue.
According to IBM’s report, highly regulated environments such as healthcare systems wind up paying for data breaches for longer compared with less-regulated industries. Typically a healthcare organization can take more than 10 months to recover from a data breach.
Download Modern Healthcare’s app to stay informed when industry news breaks.
Cynerio released a report last week that shows hospitals typically have to pay $250,000 to $500,000 to recover access to their technology after a ransomware attack, and there is no real way to recoup those costs, Holmes said. The firm asked 517 hospital leaders about the frequency of attacks; leaders reported that once their system was hit, they got hit many more times afterward. Overall, 11% of the time, healthcare systems were attacked 25 or more times.
Almost a quarter of cyberattacks Cynerio studied led to increased patient mortality, Holmes said, because attacks disrupted lifesaving medical treatment.
Sher Baig, who works in global cyber commercialization at GE Healthcare, said big hospitals can see losses of up to $50 million in a single quarter because of cyberattacks. The losses are so large they could force hospitals out of business, Baig said, punctuating the need for hospital leaders to have a defense plan in place.
“I highly recommend having an incident response plan, a team in place to carry out the response, and drilling that plan to improve over time,” Kessem said. “A special playbook for ransomware cases can not only save costs for the hospital—about 58% of the breach’s cost—but it can also save lives.”
IBM has released annual reports on the cost of data breaches for nearly two decades.
This story first appeared in our sister publication, Crain’s New York Business.