By Devin Partida, technology writer and the editor-in-chief, ReHack.com.
The medical industry’s growing reliance on digital technologies has come with some increased risks. That became painfully evident for thousands of patients in the wake of a recent ransomware attack on CaptureRX, a healthcare administrative service provider.
On February 6, hackers accessed sensitive patient data from multiple CaptureRX clients, affecting at least 1 million people. The company started investigating after noticing unusual activity, and by February 19, it could confirm that someone had stolen patients’ personally identifiable information (PII). CaptureRX started alerting affected clients on March 30, and the full scope of the incident is still unclear.
Health IT’s Growing Ransomware Problem
This is far from the first instance of a ransomware attack on a health IT company. Ransomware as a whole has become much more common in the past few years, and medical businesses are more at risk than most. Hospitals have more to lose in these attacks, given the sensitive nature of their data, so a successful breach could be more profitable for hackers.
In 2020 alone, there were 92 ransomware attacks against healthcare organizations, affecting more than 18 million patient records. That represents a 60% increase over 2019 in the number of attacks and a 470% increase in records affected. Since 2016, these attacks have cost the industry more than $31 billion.
The CaptureRX attack is the latest in a troubling and growing trend of ransomware attacks against health IT. If industry leaders aren’t already aware of this problem, the sheer size of this incident will likely get their attention. With these attacks becoming more frequent and expensive, the sector will likely shift in response.
Increased Regulations Possible in the Future
As the CaptureRX attack brings more attention to health IT’s cybersecurity problems, industry standards will likely adapt. HIPAA already requires implementing security measures to prevent ransomware, but these stipulations are open-ended and minimal. The growing ransomware wave could influence more stringent and specific regulations.
Health IT has also undergone several other recent changes that could make it more vulnerable to attacks. For example, 57% of employees can now work from home, creating a wider, harder-to-secure attack surface. Healthcare organizations need new security controls to make this changing workforce safe, and additional regulations would encourage that.
Other industries have been adopting tighter cybersecurity regulations, so it’s not out of the question that health IT would do the same. The Health and Human Services Department could take inspiration from the Department of Defense’s policies, which they recently tightened.
Cyberattacks Unlikely to Slow Medtech Adoption
As these regulations grow, some industry insiders might be concerned that they’ll hinder medtech adoption. Healthcare organizations may worry about regulatory compliance and risk to the point that they deem new tech isn’t worth it. While some companies may follow this line of thinking, overall, these trends are unlikely to slow digitization.
Digital transformation is too valuable for healthcare organizations to abandon. Between 2016 and 2018, the electronic health record (EHR) market grew by $3 billion, despite rising cybercrime. Growing cybersecurity risks haven’t hindered medtech’s growth in the past, and they’re unlikely to do so now.
Digitization in healthcare skyrocketed amid the pandemic as more companies realized how much it could help them. These technologies’ benefits are more evident than ever, so organizations won’t likely reverse course because of rising risks. So while the CaptureRX attack may inspire more cybersecurity protocols, it won’t stand in the way of health IT’s growth.
The Healthcare Sector Needs Better Cybersecurity
The CaptureRX attack stands as a reminder that healthcare organizations need to keep cybersecurity in mind as they go digital. Since these incidents are becoming increasingly common, the industry will likely adopt new regulations, hopefully improving security. Health IT use will continue, ideally with more thought given to network security.