
Ransomware: Is Your Healthcare Organization Prepared For An Attack?

In Most Cases, Unfortunately The Answer Is No.

February 2023

By Jody Randall MSN, RN, CIC, HACP-CMS, HACP-PE

CEO and Founder

The impact of a cyberattack on any organization can be detrimental. The healthcare industry has become a popular target for ransomware attacks.


It is important to understand that these types of attacks are not typically carried out by random, tech-savvy individuals. On the contrary, cyberattacks are executed by large corporations in a number of different countries across the world who orchestrate ransomware attacks on a daily basis.


Cyberattacks in the healthcare industry are becoming more common than ever before:

  • Listed as the Number One hazard in the Top 10 Health Technology Hazards for 2022 (ECRI 2022 - The Joint Commission Tabletop Exercise 1/31/23)
  • 555 healthcare data breaches from hacking/IT incidents in 2022 (HIPAA Journal, 1/24/23 - The Joint Commission Tabletop Exercise 1/31/23)
  • Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos (HIPAA Journal, 2022).
  • 86% increase against healthcare organizations in 2022 vs 2021 (Check Point Research, 1/5/23 - The Joint Commission Tabletop Exercise 1/31/23)


Impact of Cyber-attacks on Healthcare Delivery Organizations: (Ponemon, Sept 2021 - The Joint Commission Tabletop Exercise 1/31/23)

  • 70% Delays in procedures and tests have resulted in poor outcomes
  • 36% Increase in complications from medical procedures
  • 22% Increase in mortality rates


What makes healthcare organizations a popular target is the knowledge that healthcare providers strive to keep patient records confidential. Additionally, providers are held accountable when protected health information is breached. In such cases, healthcare organizations not only face legal and financial consequences but can also suffer from bad press related to such events, leading to loss of credibility in a highly competitive healthcare market.


We may never be fully prepared to ward off these types of attacks, but there are some measures that can be taken to reduce the risks associated with cyberattacks. Your IT Department is likely already knowledgeable about the safeguards needed for protection, but it is critical to ensure that software backups are in place and that devices and networks are protected.

Education of staff is another key element in protecting your organization. Development of policies and procedures is a must when it comes to software security and safe practice. Another important consideration is to practice down-time drills. Training your staff to be able to continue care when systems are down will help to prepare for the real experience. It seems like a simple drill, but it is important to consider that this can be anxiety-producing for team members who have only been trained to work on electronic devices.


Being held hostage by attackers is likely one of the most stressful events a healthcare organization can experience. The threat of breaching countless medical records containing personal and protected health information can create major anxiety for any healthcare facility or system. When this occurs, demands for astronomical payments for the release of records come at an unaffordable cost to victims.


Aside from the unimaginable stress associated with these types of events, organizations should be prepared to endure extended periods wherein they are forced to operate in down-time mode while recovery efforts are in progress.


There are a variety of security risk assessment tools on the market today. Some are offered for a fee and others are available in the form of a free trial. HealthIT.gov offers a security risk assessment tool that can be easily downloaded.


Whatever method you choose, there is no time like the present to begin protecting your organization from a brutal ransomware attack. You can’t afford to get caught unprotected. Start planning today.

 

References:

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

https://www.hipaajournal.com/healthcare-ransomware-attacks-increased-by-94-in-2021/


The Joint Commission - Cybersecurity Tabletop Exercises, 1/31/23


HCE is Here to Help
Healthcare Consulting Experts LLC was built based upon our understanding of the challenges that all healthcare facilities are facing today. Healthcare professionals strive to deliver the best possible care to all patients. We can help your facility through the difficult times and put you back on track to a less stressful tomorrow.


Don’t take chances! Our experts can assist with regulatory compliance requirements whether you are building a new, state-of-the-art project or renovating an existing structure. Be sure to visit Our Website to see a full list of the services that we provide.
Contact us today at +1 (800) 813-7117 for a free initial consultation.
