Hospices Striking Back Against Cyberattacks

Hospices are seeking solutions to protect themselves and their patients against cybercrime.

Data breaches can have widespread implications, including violations of patients’ privacy and substantial financial losses for providers. In the United States, the average cost of a cyberattack on a health care provider reached $15 million in 2019, a study in the journal Healthcare found.

In light of these risks, hospices must be ready to adapt their procedures, policies and technology to a changing environment.

Adaptability is the greatest weapon a hospice can have in its arsenal of patient data protection strategies, according to Arthur Clark, vice president of information technology of the Florida-based nonprofit Empath Health.

“The threats we face change daily, which means our focus, defenses and responses must change along with those threats,” Clark told Hospice News. “This takes everyone within the organization understanding the need to stay vigilant — no matter what the task. We believe that any organization should have some standard approaches to staying focused on data security.”

Data breaches a threat to patients, providers

For more than a decade, unauthorized access to data and improper disclosures of information have been the most common cyber threats plaguing health care providers, the U.S. Department of Health & Human Services (HHS) reported. Nearly 164.4 million individuals were affected by health care data breaches between Jan. 1, 2010 and March 9, 2023, according to HHS records.

Hospices are among the providers seeing an increase in cyberattacks, including incidents that have exposed private information belonging to thousands of patients.

Arizona-based Hospice of the Valley in February experienced a breach that impacted 3,840 patients. In another case late last year, a cyberattack on Legacy Hospice in Alabama exposed information pertaining to 21,102 people. Significant breaches have also occurred at The Elizabeth Hospice in California and Idaho’s Heart ‘n’ Home Hospice, among others. 

In some instances, cyberattacks have exposed health care providers to potential legal liability. For example, an incident at Advocate Aurora Health that compromised roughly 3 million records resulted in a pending class action lawsuit.

Regulators stepping in

Regulators have been taking action to help providers protect and safely share patient data.

On May 1, 2020, HHS and the Office of the National Coordinator for Health Information Technology (ONC) issued a final rule designed to give patients easier access to their own health records, foster greater interoperability and instill safeguards to protect data.

Balancing regulatory protections with the need to share patient information has health care providers walking a compliance tightrope, according to Dr. Ittai Dayan, co-founder and CEO of Rhino Health. The Massachusetts-headquartered software company develops health care artificial intelligence (AI)-based systems.

“In addition to the cost that will be levied upon providers who do not comply with the final rule of the 21st Century Cures Act, the costs of failing to protect the privacy of patient data are substantial,” Dayan told Hospice News. “On one hand, hospices want to prove with data that they can improve patient outcomes and quality while reducing costs. On the other hand, that can create risks and issues around protecting data security and privacy.” 

Hospices build up defenses

Some hospices are working to build stronger barricades around their data.

A key first step is to identify which systems house sensitive patient information, according to Clark. Protecting those systems is essential, and defense measures can include encryption tools, limits on data access privileges among staff, multi-factor authentication and strong password requirements, he said.

Providers can also conduct internal audits to find areas where their data are vulnerable, Clark added.

“It’s always having a multi-tiered backup strategy that includes onsite, offsite and replication of backed-up data to give your organization the best possible chance of restoring data, as current as possible, when the need arises,” Clark said. “[A] key that we’ve found to be useful is to use the best deskside defense, like virus protection, and keep up to date with all operating system and software patches.”

Other hospices have implemented a system of technical checks and balances to secure patient data.

Case in point, Amedisys Inc. (NASDAQ: AMED) has developed systemic processes aimed at protecting personal health information, including mandatory employee training, annual penetration testing and external auditing.

Mitigating IT risks represents an ongoing and sometimes hefty investment for home health and hospice providers, the company indicated in a U.S. Securities and Exchange Commission (SEC) filing.

“As cyber threats continue to evolve, we may be required to expend significant capital and other resources to protect against the threat of security breaches or to mitigate and alleviate problems caused by security incidents, including unauthorized access to protected health information and personal information stored in our information systems and the introduction of computer viruses or other malicious software programs to our systems,” the SEC filing indicated.
