In 2020, the Dental Care Alliance (DCA) experienced a significant cyberattack on its systems, which lasted approximately an entire month. This gave the threat actor an extended period to compromise the healthcare organization’s servers and extract the private and confidential information of around one million patients.
This is just another example of how vulnerable the healthcare industry is to cyber criminals looking to exploit security weaknesses. Healthcare organizations are prime targets for threat actors who are fully aware that their targets are invested in keeping their systems and businesses up and running efficiently and securely. This is especially critical in protecting patient privacy and data, particularly when it comes to impacting life-saving information and equipment.
The cyberattack on the DCA was launched between Sept. 18 and Oct. 11, 2020. During the month of the breach, a cybercriminal was able to access various confidential files, including patient data such as names, contact details, treatments, diagnoses, patient account numbers, their dentist’s names as well as billing details and health insurance data. In 10 percent of the cases, bank account numbers also were compromised, making this the second-largest reported attack that year.
The attack resulted in a class-action lawsuit, which ended in a $3 million settlement against the DCA. The DCA was accused of negligence for its failure to protect and maintain its systems and infrastructure against breaches, and for failing to implement proper security monitoring. It also was cited for neglecting to upgrade its security measures and to implement proper cybersecurity hardware and software, as well as adequately train its employees. As a result, patients feared an increased risk of fraud.
While it was not publicized how the attacker gained initial access to the company’s network, plaintiffs argued that it was the DCA’s poor cybersecurity practices that exposed them to the risk of identity theft and fraud.
Unfortunately, this is not the only case in which an organization has been sued over alleged negligence. Eye Care Leaders was accused of concealing multiple ransomware attacks in 2021, which resulted in a provider-led lawsuit. Not only does this highlight the frequency of attacks on healthcare organizations, but it also underscores the immense cost associated with failing to understand risk and to provide adequate cybersecurity protocols and measures. A single security incident can lead to reputational damage and significant financial losses, and the consequences of breaches of confidential patient and client information make this worse still.
Both cases are windows into the high-stakes cyber risk landscape for healthcare providers and payers, particularly when it comes to an organization being fined by the federal government for HIPAA violations.
Cyber risk in healthcare
In 2021 alone, the healthcare industry was hit with 849 cyber incidents, 571 of which were confirmed data breaches in which private data was accessed, according to the Verizon Data Breach Investigations Report. This placed healthcare in eighth place among industries targeted by attacks, and in third place by number of data breaches, out of a total of 21 categories in the Verizon report.
By using past cyber events and parameters such as revenue, number of employees and number of database records, it is possible to estimate a quantified value of risk to which companies are exposed. By using benchmark values, one can deduce that the healthcare industry shows relatively higher rates of reported breaches in comparison to other sectors (though that is in part driven by stronger data privacy policies and required reporting for smaller incidents to meet federal regulations). There is a 9.3 percent overall probability of an annual incident targeting this industry.
The probability of an incident happening in a year and the estimated cost, by risk category within healthcare, are as follows:
- Insider Error: Probability: 29.95 percent, cost: $73.6 million
- Insider Misuse: Probability: 24.99 percent, cost: $47.2 million
- Basic Web Application Attacks: Probability: 9.19 percent, cost: $42.1 million
- System Intrusion: Probability: 4.83 percent, cost: $5.4 million
- Social Engineering (Phishing, etc.): Probability: 3.80 percent, cost: $6.6 million
- Denial of Service (DoS): Probability: 2.19 percent, cost: $7.5 million
- Ransomware: Probability: 3.85 percent, cost: $929.9 thousand
By quantifying the risk, healthcare organizations can better calculate their risk appetite and allocate spending more efficiently to bolster security where it is needed. This not only increases overall cybersecurity, it also reduces wasted spending on protecting infrastructure that is less vulnerable or does not need measures as strong as other areas do.
In order to prevent falling victim to a cyberattack and avoid being entangled in costly lawsuits, organizations should foster a strong cybersecurity culture and be aware of the risk to which they could be exposed as well as the potential value associated with it. In addition to increasing overall visibility over devices on and connections to the network, expanding cyber threat awareness training for staff and implementing multi-factor authentication, organizations should know their risk.
What does this mean? Understanding risk is best done by quantifying its value. By using an international standard such as FAIR (Factor Analysis of Information Risk™), organizations can estimate their risk in financial terms, which allows them to direct cybersecurity strategies to where the higher risk exists. They can allocate budgets and understand their risk appetite more thoroughly, because the estimate shows how much each risk could cost the business.
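As an added example (not code from the article, and not RiskLens' platform or the FAIR standard itself), the following Python script turns the per-category probabilities and costs listed above into the kind of financial estimate the quantification argument relies on: probability times cost gives each category's expected annual loss, a budget can be split in proportion to those figures, and a small Monte Carlo simulation produces a mean and 90th-percentile annual loss, which is the loss-exceedance view a FAIR-style analysis reports. The triangular spread of 0.5x to 1.5x around each quoted cost, the independence of the categories, at most one event per category per year, and the proportional budget rule are assumptions made here for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskCategory:
    name: str
    probability: float  # annual probability of at least one incident (0..1)
    cost: float         # estimated cost of one incident, in USD


# Constructed from the figures quoted in the article (percent -> fraction, USD).
HEALTHCARE_CATEGORIES = [
    RiskCategory("Insider Error", 0.2995, 73.6e6),
    RiskCategory("Insider Misuse", 0.2499, 47.2e6),
    RiskCategory("Basic Web Application Attacks", 0.0919, 42.1e6),
    RiskCategory("System Intrusion", 0.0483, 5.4e6),
    RiskCategory("Social Engineering", 0.0380, 6.6e6),
    RiskCategory("Denial of Service", 0.0219, 7.5e6),
    RiskCategory("Ransomware", 0.0385, 929.9e3),
]


def expected_annual_loss(cat: RiskCategory) -> float:
    """Point estimate: probability of an incident in a year times its cost."""
    return cat.probability * cat.cost


def total_expected_annual_loss(categories) -> float:
    return sum(expected_annual_loss(c) for c in categories)


def rank_by_expected_loss(categories):
    """Highest expected annual loss first; this is where spend buys the most."""
    return sorted(categories, key=expected_annual_loss, reverse=True)


def allocate_budget(categories, budget: float) -> dict:
    """Assumed rule: split a security budget in proportion to expected annual loss."""
    total = total_expected_annual_loss(categories)
    return {c.name: budget * expected_annual_loss(c) / total for c in categories}


def simulate_annual_loss(categories, years: int = 20000, seed: int = 1):
    """Monte Carlo over simulated years (assumptions: categories are independent,
    each fires at most once a year with its probability, and the loss magnitude is
    drawn from a triangular distribution between 0.5x and 1.5x of the quoted cost
    with the quoted cost as the mode). Returns (mean annual loss, 90th percentile)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        year_loss = 0.0
        for c in categories:
            if rng.random() < c.probability:
                year_loss += rng.triangular(0.5 * c.cost, 1.5 * c.cost, c.cost)
        losses.append(year_loss)
    losses.sort()
    mean = sum(losses) / years
    p90 = losses[int(0.9 * years)]
    return mean, p90


if __name__ == "__main__":
    for c in rank_by_expected_loss(HEALTHCARE_CATEGORIES):
        print(f"{c.name:32s} expected annual loss ${expected_annual_loss(c):>14,.0f}")
    print(f"Total expected annual loss: ${total_expected_annual_loss(HEALTHCARE_CATEGORIES):,.0f}")
    for name, share in allocate_budget(HEALTHCARE_CATEGORIES, 1_000_000).items():
        print(f"  budget share for {name:32s} ${share:>12,.0f}")
    mean, p90 = simulate_annual_loss(HEALTHCARE_CATEGORIES)
    print(f"Simulated mean annual loss ${mean:,.0f}, 90th percentile ${p90:,.0f}")
```

The point estimate already reorders the list: ransomware has a higher probability than denial of service, but its far smaller quoted cost puts it last by expected loss, while the two insider categories account for most of the total. The simulation adds what a single expected value hides, namely how heavy the tail is: a large share of simulated years have no loss at all, and the 90th percentile sits well above the mean because a single insider-error year dominates.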
Ultimately, quantifying risk would allow organizations to understand what’s at stake and to prepare and invest accordingly.
About Bryan Smith
Bryan Smith is the CTO of RiskLens, which helps organizations make better cybersecurity and technology investment decisions with software solutions that quantify cyber risk in financial terms. Smith is a broad technologist with over 20 years of software engineering experience. His expertise includes building enterprise scale web applications, cybersecurity, and big data. Smith led the development of RiskLens’ enterprise cyber risk quantification and management platform. Prior to RiskLens, Smith helped build the nation’s first digital archives enabling it to scale 3400% over five years.