According to the American Board of Professional Liability Attorneys (ABPLA), “medical malpractice occurs when a hospital, doctor or other health care professional, through a negligent act or omission, causes an injury to a patient.” Under the law, the malpractice claim must be a violation of the standard of care, result in an injury due to negligence, or involve an injury that results in significant damages. Common medical malpractice lawsuits include unnecessary surgery, misdiagnosis, surgical errors and premature discharge.
In addition to malpractice concerns, the proliferation of cyber attacks on the healthcare industry could soon make hospitals and health care professionals legally liable for data breaches that compromise patient information, quality of care and safety. According to IBM’s 2016 Cyber Security Intelligence Index, cybercriminals attacked the healthcare industry more than any other sector last year. In fact, it was a record year for the healthcare industry, with more than 100 million medical records compromised.
Unfortunately, the industry has only seen an increase in cyber attacks on hospitals and healthcare systems in 2016, with the majority of hackers demanding ransom. With the threat of exploiting patient data and the potential to shut down medical records systems, lawsuits resulting from data breaches may soon surpass malpractice claims in both frequency and financially.
Rising Cyber Attacks in Healthcare
The healthcare industry is hit with 88 percent of ALL ransomware attacks. Nicknamed “cyber blackmail” by Kaspersky Lab, ransomware attacks block access to the victim’s computer until a sum of many is paid. A type of malware used in 86 percent of phishing attacks, ransomware attacks are so prevalent and sophisticated that even the FBI advises organizations to just pay the ransom.
In February, Hollywood Presbyterian Medical Center paid hackers a ransom of $17,000 in bitcoins after the hospital lost control of its computer systems. While physicians and medical staff were locked out of their computers, they were forced to revert to using a paper trail of patient information, as they were no longer able to communicate electronically with each other or with referring providers. In addition to communication limitations, because medical records are now stored and accessed electronically, shutting down the computer system also prevented doctors from viewing patients’ historical records.
A month later, Washington, D.C.-based MedStar Health Inc., one of the largest hospital chains, was a target of a cyberattack that forced medical record systems offline, which prevented patients from booking appointments and left staff unable to access electronic health records (EHRs). Because of multiple ransomware attacks on individual hospitals in the area, MedStar’s medical director suspected it to be a ransomware attack. However, the FBI declined to report how the hackers broke into the vulnerable computer servers.
Also in March, Alvarado Hospital Medical Center in San Diego reported a ‘malware disruption,’ making it the third hospital owned by Prime Healthcare Services to be hit with a cyber attack in the same month.
In May, Kansas Heart Hospital was a victim of a ransomware attack that prevented physicians and medical staff from accessing files. The hospital paid the undisclosed ransom amount, yet the attackers did not fully return the files. Instead, they demanded a second ransom – though they refused to pay this time, claiming it was “no longer a wise maneuver or strategy.”
Data Breaches are the New Malpractice Threat
These incidents are only a small glimpse into the data breaches hospitals are facing every day. In fact, attacks on hospitals are becoming the new normal, leaving patients’ sensitive medical records vulnerable to exploitation. Not only that, a ransomware attack that shuts down a hospital’s system could result in surgery delays or misdiagnosis – all of which would likely result in a bigger lawsuit than a traditional malpractice claim. While once sent en masse to unsuspecting victims, phishing attacks, such as those packed with ransomware, are now sophisticated and highly targeted – with a focus on healthcare networks.
Historically, a primary concern to hospitals and doctors was medical malpractice lawsuits, which affected patients’ health and doctors’ reputation. As hospitals shifted towards EHRs, cyber security vulnerabilities were introduced that never existed with paper medical records – bringing a new concern to focus on. Similar to medical malpractice claims, cyber attacks targeting hospitals can result in injury to patients. Unlike them, however, data breaches can exploit highly sensitive patient information, which could result in high profile lawsuits – potentially causing more financial and reputational damages to hospitals than malpractice claims.
While medical malpractice payouts in 2015 reached nearly $4 billion, recent estimates report data breaches could be costing the healthcare industry $6.2 billion annually. However, a survey released earlier this year reflects that, despite being the most targeted industry, healthcare providers are behind other industries when it comes to protecting their data. While the first step is certainly recognizing the increasing threats facing hospitals and healthcare systems, the investments in cybersecurity and healthIT resources must focus on phishing mitigation. If phishers can be stopped – then ransomware attacks can be prevented and hospitals can avoid any lawsuits as a result. With hospitals facing ransomware attempts on a weekly basis, hospitals must take cyber attacks seriously, or risk incurring both significant HIPAA fines and lawsuits as a result of a successful cyber attack.