“Hello, Grey-Sloan Memorial. Currently, we control your hospital. We own your servers. We own your systems. We own your patients’ medical records. To regain access to your medical records, you need an encryption key which only we have. You will need to pay us exactly 4,932 Bitcoin to retrieve the key. Failure to pay this ransom in a timely manner will cause your records to be destroyed and your systems to be rendered inoperable.”
Fans of Shonda Rhimes’ hit drama will recognize the hospital name right away – and maybe even be able to recall the referenced episode. But this fictional data breach on Grey’s Anatomy isn’t the first case of art imitating life.
In fact, by the time this episode aired in 2017, over 400 real healthcare data breaches had occurred, resulting in the theft or exposure of more than 5.5 million records. And that number isn’t getting smaller, even as compliance laws like HIPAA and extra security measures like multi-factor authentication have come into widespread use.
“Last year, the number of attacks grew to 712 – an average of 59 per month.”
The hospital data breach plotline is so well known now that it’s almost hard to be invested in the episode unless you’re waiting to see if there might be a fresh take on the familiar trope. Nearly every hospital procedural in recent memory has tried its hand at the storyline. Grey’s Anatomy and Chicago Med in 2017. The Resident in 2018. The Good Doctor and New Amsterdam in 2021. And there’s plenty of time for those who haven’t incorporated a security breach into the cadence to get in line (looking at you, Transplant).
So what’s the draw? Why are they so focused on breaking into hospital systems where the stakes seem high, even for cybercriminals?
The easiest answer is money. While credit cards and social security numbers go for anywhere from $1 to $5, a person’s medical record can fetch as much as $1,000 on the dark web. From all those breaches last year, 50 million Americans reported their sensitive health information had been compromised. If all of those records had then been sold, that’s a lot of zeros.
The secondary answer is that breaking into these systems is easier than we’d like to think. The internet hadn’t yet been born when electronic health records became standard practice, and that has made for a rocky integration.
Fast forward to the COVID years which saw a swift move to digital care and an explosion in remote device activity. Now add the global tensions amid Russia’s invasion of Ukraine – a battle that started in cyberspace long before it hit the ground. The healthcare industry is ripe for the picking.
But it’s not all doom and gloom. Just like every episode ends with the hospital successfully navigating the breach and saving lives in the process, there’s hope for real-world organizations, too.
To bolster your security, remember the five pillars: EHR systems, connected devices, payers, providers, and government regulators. Data breaches can happen in any one of those with the effects trickling across the rest. Here are some measures that can make your organization less of a target:
- Analyze: Conduct an annual security assessment to check for vulnerabilities
- Plan: Create and implement a response plan that has clear guidelines to follow in the event of a breach
- Educate: Ensure that your staff is aware of cyber security policies and alert them any time a change in the response plan has been made
- Protect: Encrypt sensitive data and keep your network infrastructure secure by limiting personal devices, restricting access to PHI, and updating your systems regularly
- Invest: Allot a healthy budget for network security including staff and the tools they require