Author: Jennifer Wessel, JD, MPH, Senior Policy Analyst and Data Privacy Officer
Contact: ACHI Communications, 501-526-2244, jlyon@achi.net
Cybersecurity and the threat of hospital cyberattacks are growing concerns for rural Arkansas hospitals, according to a report commissioned by the Arkansas Department of Finance and Administration to assess hospitals’ financial challenges. Although designed to examine the potential risk for hospital closures in Arkansas and needed funding to prevent such closures, the June 2023 report also reveals hospitals’ concerns related to healthcare cybersecurity.
The healthcare industry increasingly relies on digital systems, making it a lucrative target for hackers. Hospital cyber threats pose risks to patient privacy, delivery of care, and overall organizational trust. The complexity of securing sensitive data requires healthcare organizations to develop a multifaceted approach to cybersecurity. Rural Arkansas hospitals may face particular challenges due to limited resources and expertise in advanced cybersecurity technologies.
Hospital Cybersecurity Areas of Concern
The Arkansas Rural Hospital Assessment Report cites several areas of concern, including lack of leadership and expertise (e.g., the absence of a chief information officer), aged and outdated IT systems, cybersecurity incidents and risk management, electronic medical record and software challenges, limited investments in security and equipment, and regulatory compliance. Hospitals had varying approaches to cybersecurity insurance coverage — a form of insurance designed to protect organizations against the financial losses associated with cybersecurity incidents and breaches — with several noting the high cost to obtain coverage.
Some notable healthcare cybersecurity incidents in Arkansas include:
- UnitedHealthcare Student Resources incident (2023): UnitedHealthcare Student Resources, an Arkansas health insurer, was affected by the MOVEit software breach. The MOVEit breach exploited a vulnerability in the MOVEit Transfer file-transfer software and reached across multiple healthcare organizations, including Medicare and Johns Hopkins, exposing sensitive patient information. Upon discovery of the event, a forensic investigation was initiated and law enforcement was notified. Student Resources confirmed that its MOVEit software was up to date and subsequently applied fixes to vulnerabilities in the software. The incident highlights the importance of securing third-party software used within the healthcare industry, since such software can become a gateway for hospital cyberattacks.
- Methodist Family Health data breach (2022): Methodist Family Health, a healthcare provider in Arkansas, experienced a cybersecurity incident involving unauthorized access to patient information. According to the official notice from Methodist Family Health, an unauthorized individual gained access to a limited number of employee email accounts, potentially exposing patient information, including names, dates of birth, and treatment information. Methodist Family Health conducted a comprehensive investigation, terminated unauthorized access, and implemented additional cybersecurity measures specifically designed to safeguard patient information. The incident illustrates the risks associated with email security and emphasizes the importance of robust cybersecurity measures within healthcare organizations.
- Howard Memorial Hospital (HMH) cyberattack (2022): On Dec. 4, 2022, HMH became aware of suspicious activity within its computer network, according to the hospital’s official notice. Data may have been stolen, affecting both patients and employees. HMH promptly secured the network and initiated a comprehensive review with the assistance of cybersecurity specialists. Measures taken included notifying all potentially impacted individuals, reviewing and implementing additional safeguards, and providing guidance for affected individuals on protecting against identity theft and fraud.
- Arkansas Department of Human Services (DHS) data breach (2022): DHS reported a data breach affecting 925 Medicaid clients. An employee mistakenly sent spreadsheets containing limited client data, including dates of birth, ZIP codes, and Social Security numbers, to her personal email. DHS notified the affected individuals and has taken steps to prevent future incidents.
- Mena Regional Health System incident (2021): Mena Regional Health System detected a security incident involving unauthorized access to certain employee email accounts, as detailed in the health system’s official notice. The accounts may have included patient names, dates of birth, Social Security numbers, and medical information. In response to the breach, the health system initiated a review of its existing security measures. It also offered those affected complimentary credit monitoring and identity protection services.
Developing Hospital Cybersecurity Resources
Despite the high incidence of cyber threats, fewer than half of U.S. hospitals have opted for cybersecurity insurance coverage. One reason is the lack of standardized underwriting procedures for these policies, which makes it difficult for healthcare organizations to accurately evaluate the cost-benefit of coverage. Additionally, these policies may exclude specific types of cyber incidents, such as ransomware attacks, which could leave organizations exposed to financial losses. Both federal and state governments are attempting to address these challenges in obtaining cybersecurity insurance for the healthcare sector.
Federal efforts focus on providing threat intelligence, offering grants to states for cybersecurity improvements, and fostering public-private partnerships to enhance cybersecurity and influence the cyber insurance landscape.
New York has provided regulatory guidance for healthcare institutions on what to consider when choosing cyber insurance. Several states have enacted the National Association of Insurance Commissioners’ Insurance Data Security Model Law, which establishes data security standards for regulators and insurers in order to mitigate the potential damage of a data breach. These measures create a more consistent environment for underwriting cyber insurance policies, thereby aiding healthcare organizations and other entities in evaluating the cost-benefit of such coverage.
Lawsuits against several Arkansas hospitals due to data breaches demonstrate the legal ramifications of failing to protect patient information. Act 1188 of 2015 amended the Arkansas Multi-Agency Insurance Trust Fund Act of 2003 to allow the purchase of cyber liability insurance. However, participation is limited to government entities including state agencies, public institutions of higher education, boards, commissions, and departments.
In light of hospitals’ cybersecurity concerns, healthcare providers, lawmakers, and other stakeholders should continue to collaborate on comprehensive cybersecurity strategies. By addressing critical vulnerabilities such as leadership gaps, outdated systems, lack of cyber insurance coverage, and legal compliance, the state can work towards fostering a secure healthcare environment that safeguards patient privacy and maintains public trust.