The potential harm of ransomware attacks on hospitals goes beyond lost network connectivity. Health systems may face millions of dollars in lawsuit settlements or lost revenue after a cyberattack.
Becker's Hospital Review spoke with Sergio Melgar, the CFO and executive vice president at Worcester-based UMass Memorial Health on the financial effects of cyberattacks.
Editor's note: Responses were lightly edited for clarity.
Question: Medical malpractice lawsuits stemming from cyberattacks are becoming more common. What do you think the effects on hospitals will be if hospitals don't enhance their cybersecurity?
Sergio Melgar: Cybersecurity and ransomware events to hospitals and healthcare facilities are becoming more common and, as we have seen, have contributed to or been solely responsible for patient injuries. Disabling the EHR, hacking of critical medical devices and the overall disruption caused by a cyber event have been shown to increase the probability of medical error.
Hospitals that have significant vulnerabilities in their IT systems face the potential for significant malpractice claims in a climate where we are already seeing a record number of seven- and eight-figure verdicts. This new area of liability, compounded by the strain of COVID-19, has the potential to increase both the frequency and severity of medical malpractice claims against healthcare facilities, leading to financial concerns.
In a time when staffing is lean due to COVID-19, retirements, and provider burnout, the ability to efficiently access the EHR and reliance on medical devices is paramount. A cyber event would have a chilling effect on the provision of care and undoubtedly lead to medical error.
Q: Why do you think hackers are still able to breach hospitals' networks?
SM: The adage that an attacker must be right once while the defender must be right every time is still appropriate. The complexity of modern IT creates myriad opportunities for misconfiguration. One of the biggest reasons attackers continue to succeed is because IT resources don't recognize protecting technology resources and information is as much their job as maintaining them.
We continue to increase the points of entry as more things have an IT component to them: We create more windows into the organization, so always creating a bigger-size opportunity that you have to continue to safeguard. So it becomes that much more difficult to keep every area secured because it only takes one person clicking on a bad link.
Q: What advice would you give IT execs, CFOs or other hospital execs to protect themselves against cyberattacks?
SM: The damage can be administrative. These are all hypothetical exposures, all the way up to the ransomware attack on the University of Vermont, where the system lost $50 million in revenue. Hospitals should recognize that even if there is no direct damage, a hospital system gets taken to its knees due to the mere administrative hassle where someone clicks on the wrong links; it's still months of work.
Hospital executives should recognize that implementing cybersecurity controls is a continuous process rather than an outcome. There is no "done." Hospitals should hire a dedicated chief information security officer who can focus on these issues and allow them to staff and lead an exceptional team.