On this episode of Ad Victoriam’s Salesforce Simplified, our topic is data security in the healthcare industry. Our guest is an AdVic® Healthcare & Life Sciences (HLS) expert, who helps us understand how the latest cyber threats affect the healthcare industry. We also discuss current-day examples of data breaches and the impact they are having, how to safeguard sensitive patient data, how Salesforce solutions are leading in data protection, and much more.
Speaker 1: This is Salesforce Simplified, the podcast from Ad Victoriam Solutions. Here’s your host, Mike Boyle.
Mike Boyle: Nice to have you with us, everyone. Thanks for being here on this episode of Ad Victoriam Salesforce Simplified. Our topic is data security… cybersecurity in the healthcare industry. And my guest is Marina Jackman. Marina is actually my colleague here at AdVic. Marina is an HLS AdVic Technical Account Executive. Welcome, Marina. Nice to have you on the podcast.
Marina Jackman: Hi, thanks for having me.
Mike Boyle: You know, Marina, I don’t know about you, but these days I am getting more and more notifications from my monitoring service that yet another data breach has happened at a specific company. It’s a scary thing for sure, but it’s a different kind of scary when it happens in the healthcare industry. So, with all that said, we have a bunch of ground to cover here on the topic of data breaches and cybersecurity. So let’s go right into it. First, I think it’s best maybe we start here. If you could just describe the current cybersecurity landscape as you see it in the healthcare industry.
Marina Jackman: Yes, and Mike, unfortunately, you and everybody else, I just got a notification from Ticketmaster yesterday, and I thought, I don’t even remember the last time I used Ticketmaster. But when talking about healthcare, it’s obviously a lot more sensitive and we’ll get into that a little bit more. But cybersecurity as it relates to healthcare has really become increasingly complex, and it’s really evolved quickly in recent years. Even only in the last year, there’s been over 145 attacks this year alone, and we’re only a little over halfway through. And the industry has become a prime target for cyber attacks for many reasons. It’s due to the valuable personal and medical data they hold. Ransomware attacks, in particular, have surged, with cybercriminals exploiting vulnerabilities to lock systems and then demand payment for restoration. Phishing techniques have also been highly prevalent. Employees are often targeted through deceptive emails and communications that aim to steal credentials or deploy malware. There have been long-term targeted attacks as well that infiltrate systems, but unfortunately remain undetected for extended periods. Breaches in healthcare are leading to the exposure of sensitive information, including patient records, financial data, and personal identification details, and the consequences are severe and affect patient privacy and organizational credibility. On another front, the rise of devices in healthcare, such as wearables, has also introduced new security vulnerabilities, and they often lack robust security measures, making them susceptible to attacks. Healthcare organizations particularly have to comply with stringent regulations like HIPAA in the US. And these regulations mandate specific security and privacy measures to protect patient data. Add in complexity and mandatory efforts to deter cybersecurity efforts. So, overall, the cybersecurity landscape in healthcare is marked by increasing threats.
And although there are constant technological advancements, the need for adaptive security measures to protect sensitive information is more important than ever.
Mike Boyle: Marina, why would you say that cyberattacks are particularly catastrophic for the healthcare industry as compared to other industries?
Marina Jackman: I’d say there are some factors that exist in healthcare versus other industries, and those include the sensitivity of the data, the impact on patient care. I mentioned the mandatory regulatory compliance before already. There’s a financial impact, there’s an operational disruption, there’s an impact on all the interconnected systems that are used within a healthcare organization, the supply chain. And then last but certainly not least, I’d say a change in an organization’s reputation and the trust that they have with their patients. And let’s expand a little bit on a few of these factors, particularly the sensitivity of the data and what’s being done with all this data. So why healthcare? For a little context, medical records sell for an estimated $60, up to $250 on the dark web, while Social Security numbers sell for about $15 and credit card information for $3. If you think about it, you can change your credit card number, but you can’t change who you are. So once those medical records are out there, they’re pretty much out. And there’s much more PII in a medical record than a financial record. So it’s big business sold. Medical records on the dark web are exploited in various ways. Identity theft, medical fraud, using it to craft personalized phishing attacks to make them more credible, and using the information to gain access to other accounts, and also blackmail and extortion. And I’ll talk about this a little bit more with some healthcare organizations that have felt this impact, but there’s patient care consequences. So those cyber attacks can disrupt medical services, either delaying or halting critical patient care. There’s that regulatory piece. So organizations being held to stringent regulations, and those can result in significant legal penalties, fines and compliance costs. There’s also a financial aspect to it.
Those costs include incident response, system restoration, legal fees, and record remediation comes in at about $157 a record. There’s an operational disruption. This includes shutting down entire hospital systems, delaying surgeries, and recovery can be prolonged and resource-intensive. In regards to interconnected systems, there’s a lot of systems that are used within a healthcare organization. A lot of those involve electronic health records, or EHRs. So a cyber attack on one component can cascade and affect multiple systems, really amplifying the attack. So then there’s really a ripple effect. So, especially in the medical device and pharma sector, many of those companies operate globally. So the impact cybercriminals can have is pretty far-reaching. And the scale of consequences multiplies from there when you have multiple countries involved.
Mike Boyle: Well, you alluded to this during that answer. You just gave us recent examples of cyber attacks and their impact on those organizations. Can you talk about one or two?
Marina Jackman: Yes. This year has been particularly interesting. I feel like we recovered from a major one to then see another one happen. But let’s look at Change Healthcare first, which was in the news a ton this year. And they’re more in the business of revenue cycle management and payment management. But they’re a good example of how healthcare companies are being targeted. They process 15 billion transactions annually and about one out of every three healthcare claims. They were targeted by a ransomware group. In March, they paid 22 million in ransom but then dealt with another ransomware group, the original group’s rival, that demanded a payment as well. They threatened to sell their data to the highest bidder on the dark web, talking about four terabytes worth of data. And that whole situation caused a ripple effect in many other ways. So providers weren’t paid. Patients were forced to use cash to get their medication. Some were unable to use coupons. Some weren’t able to get refills at all. Pharmacies were forced to use offline resources to fill the prescriptions they could for weeks, and they still aren’t 100% recovered. The estimated cost of that cyber attack alone is estimated to be around 1.6 billion in the provider space. I’ll give an example of two smaller healthcare organizations, with not only these but larger companies. Fred Hutchinson Cancer Center in Seattle. Back in November last year, they were victims of a cyber attack but did not pay the ransom. Those cybercriminals directly emailed patients offering to remove their personal health information from the dark web for $50. And if they didn’t, they received a threat of swatting. Liberty Hospital. Last December, a ransom note was faxed to a hospital administrator, and as a consequence, the hospital closed to trauma patients, certain codes, and direct admissions, and so they had to discharge or transfer more than 50% of their patients.
And that’s obviously not ideal and a burden shared by the surrounding healthcare network as they take on those additional patients on a larger scale. Again, we saw Ascension in May. They’re one of the largest health systems in the US, with about 140 hospitals across 19 states. For them, unusual activity was first detected on multiple technology network systems, and they later learned that EHRs had been affected, along with the system used to order some tests, procedures, and medications. So phone capabilities were affected. With patients unable to access portals or even get in touch with their physicians, hospital staff had to go back to paper and order tests and prescriptions that way, delivering them in person. And this might not seem so bad at first, but it isn’t a workflow that people are used to anymore. And so it creates a lot of chaos and disorganization. It led to delayed or lost lab results, medication errors, and an absence of safety checks. That technology is relied on to prevent those errors, which in healthcare can turn fatal.
Mike Boyle: When people are investigating what’s going on in cybersecurity these days, they hear this term, diversification of technology. Can you talk a little bit about the diversification of technology and why it is critical for healthcare companies to diversify where they store all their sensitive data?
Marina Jackman: Diversification means really spreading sensitive data across multiple systems and locations, rather than relying on a single storage solution. And so this is important in healthcare for several reasons. Talking about risk mitigation, so reducing a single point of failure, it enhances resiliency. Different systems might have different vulnerabilities, and so by diversifying, healthcare companies can mitigate the risk that a single exploit or vulnerability can be used to access all of their sensitive data. And then I’d say it’s similar to the same reason you would diversify your financial portfolio. You manage and spread the risk so that the loss in one area can be offset. It also improves your security posture overall. So when you have some diversification, it creates some complexity for attackers, and so it makes it harder for attackers to plan and execute attacks. They would have to penetrate several different systems, each with their own defenses, and then access control. So diversification allows for more granular control over who has access to different types of data, reducing the risk of insider threats and then unauthorized access.
Mike Boyle: All right, so we understand the diversification of technology a little bit more. Let’s go a little deeper. How does diversifying data storage locations enhance healthcare organizations’ ability to continue serving patients even during a data breach?
Marina Jackman: I’d say it ensures redundancy, it improves resilience, and it facilitates quicker recovery. Also, when you’re storing data in multiple locations, organizations ensure that there are redundant copies of critical information. So if one storage location is compromised, other locations can provide the necessary data to maintain operations. This means that there are still some things that can be up and running while other segments of the organization are shut down or have reverted back to pen and paper. And a lot of these organizations that have not been victims of a cyber attack are taking a deeper look at what platforms they use and for what. And so they’re asking staff to identify what would happen if they didn’t have that capability anymore and what exactly is affected by it. How does it affect their day-to-day? So I’d really urge organizations to look at what can be taken off of their EHR platform. For example, can they use Salesforce for scheduling in a call center so that patients can get in touch with their care teams? And I want to take this opportunity to talk about a company that has been a previous customer of ours that utilized traditional storage of data with off-site backup storage and disaster recovery. However, at an undetermined time, the backup data sets became corrupt. And of course, they were hit with a ransom attack and lost complete access to all of their data, except for the small portion that had been recently segregated and stored in their new Salesforce instance. So through a monumental manual effort, they were able to recover over about six to eight weeks. But the damage was done in terms of customer confidence and ability to generate new business. But with the team that used Salesforce, it was business as usual.
Mike Boyle: Talk to me about some of the common vulnerabilities within healthcare data management that make diversification of data storage a prudent strategy.
Marina Jackman: Diversifying healthcare companies can mitigate the risk that a single exploit can be used to access all of their sensitive data. So the concept of diversification refers to using a variety of systems, software, and protocols, rather than relying on a single type of brand. So this is particularly advantageous for companies that handle a vast amount of sensitive information, including patient records, financial data, and even proprietary research. It also reduces the overall attack surface of an organization. So an attacker would need to exploit multiple vulnerabilities across different systems to gain significant access. So this increases the complexity and costs of an attack, making healthcare companies less attractive targets. And I think that’s what we’ve seen lately, is the success of attacking one health organization has really motivated the continuation of these attacks. And so if a breach does occur, having that diversified system can contain the damage, and then different segments of data might be stored or managed by different systems. So a breach in one system might only affect a portion of the data rather than everything.
Mike Boyle: I want to go back, Marina, to some examples that you provided earlier. How did relying on a single data storage impact the incident? And how could diversification have helped in that situation?
Marina Jackman: I think of a quote that we all know: “don’t put all your eggs in one basket.” One system went down and there was a domino effect that impacted every aspect of the organization operationally and financially.
Mike Boyle: Let’s talk about recovery cost. How much does recovery cost versus a diversification strategy?
Marina Jackman: The costs are extraordinarily high, often far exceeding the initial investment required for a diversification strategy. Instead, these financial costs include engaging cybersecurity firms to contain the breach and investigate its scope, which can range from tens of thousands to millions of dollars. Ransom demands, if met, can cost anywhere from thousands to millions of dollars, like for Change Healthcare. However, paying the ransom does not guarantee the recovery of the data or the prevention of future attacks. So there’s been a lot of conversation around this and whether paying the ransom is really the way to go; there’s really no guarantee that they’ll do what they said they’d do. And so it also encourages more attacks. There is a rebuilding aspect of the IT infrastructure. Restoring data from backups and reinstalling software can be costly. And then the average cost of each breach is about $10 million, making healthcare the largest and fastest-growing industry to experience multi-million dollar penalties. With Change Healthcare particularly, the American Healthcare Association said that 94% of hospitals are signaling financial impact due to the incident, with some providers losing upwards of 1 billion per day in revenue. And so investing in a diversification strategy is a proactive approach that significantly mitigates the risk of incurring the high costs associated with data breach recovery. A diversification strategy instead includes your implementation setup. There’s maintenance, there’s updates and monitoring, and maybe any additional personnel needed to manage it.
Mike Boyle: Instead, let’s talk about the world that we live in and solutions here. I’m talking about Salesforce… How does Salesforce contribute to the security and diversification of data storage for health companies?
Marina Jackman: Salesforce includes features that help healthcare organizations manage, store, and protect sensitive patient data in compliance with industry regulations. Examples include data encryption at rest and in transit, having access controls like role-based access controls, and then multi-factor authentication. Salesforce also maintains detailed logs of all access and activity within the system, providing an audit trail that can be reviewed for suspicious activity, as well as real-time monitoring. It operates multiple data centers across different geographic locations. And then Salesforce also has robust disaster recovery plans in place. It ensures a multi-tenant architecture with a strong isolation mechanism to ensure that each organization’s data is kept separate and secure from others. It has encrypted messaging for patient-provider interactions and also secure patient portals that allow patients to access their health information or schedule appointments. Last but not least, its cloud infrastructure can scale to meet the growing data storage needs of healthcare organizations.
Mike Boyle: My next question is actually a two-part question. Marina, how can healthcare companies effectively balance accessibility and security when diversifying where they store patient data? And two, what are the regulatory considerations healthcare companies should keep in mind when diversifying where they store patient data, particularly with platforms like Salesforce?
Marina Jackman: One way you can do that is role-based access controls, ensuring that only authorized personnel have access to sensitive patient data. And this ensures that employees access only the information necessary for their roles. You can even adjust permissions based on the context, such as location, device, and time of access. And it was mentioned earlier that it’s HIPAA compliant, so all three aspects of it: privacy, security, and the breach notification rule. And since Salesforce is committed to interoperability, it also adheres to the HL7 standard for transferring EHRs.
Mike Boyle: Two more questions for you. What steps should healthcare organizations take when developing a data protection plan that includes diversification of data storage?
Marina Jackman: I’d really encourage organizations to take a close look at what and how they use their current platforms. What would happen if they woke up tomorrow and they were the next Change Healthcare on the news or their CEO was testifying in front of Congress? And you don’t have to be as big as Change either. There might be a bigger payout or more records, but the track record is showing that all organizations throughout the healthcare sector have truly become a favorite target. I’d also encourage looking at a trusted platform like Salesforce to move some capabilities over into. Although there is much room for improvement, we’ve come a long way regarding the interoperability of systems in healthcare. And using a solution like Salesforce that can integrate with an EHR or an ERP in the device or pharma sector makes it a seamless part of the business. It’s not just another silo somewhere. Yeah, it has those independent aspects to it as well that make it secure. For all the reasons mentioned today, this.
Mike Boyle: Maybe the most important question of all… After hearing all of this information, the good, the bad, and the ugly. Marina, right? Why is it important for the healthcare industry to prepare for this and protect themselves? Why, at the end of the day, does all this matter?
Marina Jackman: Healthcare is unique because of how we use it and the reason we use it versus my example of Ticketmaster and buying a concert ticket. It’s part of our daily lives. It’s something we really rely on for our own personal health, for obvious reasons. And these healthcare organizations and providers have an ethical and legal duty to protect patient information and ensure it is used appropriately. So fulfilling this duty is fundamental to the practice of medicine. The rise of telehealth, for example, and the use of devices in healthcare increases the complexity and potential vulnerability of healthcare IT systems. And so while all these advancements that we’ve made in medicine have really been phenomenal, they’ve increased access to care, they’ve made healthcare much easier to attain, and all these technological advancements have really just become a part of our daily lives. And those necessitate robust security measures. So it’s really important that these healthcare organizations are taking that into consideration because when these things don’t happen, results can be very severe versus other industries. And quite frankly, in healthcare, people’s lives can depend on it.
Mike Boyle: Truer words may never have been spoken. Marina Jackman, my colleague here at Ad Victoriam Solutions, thanks for being with us. This was great information. I know I’m walking away with a much deeper understanding of the need for data security in the healthcare industry and how it can benefit not only healthcare companies but their patients and customers too. And I’m sure our listeners did as well. So thank you, and we certainly will have you come back when we want to go even deeper on this subject. Marina, thank you.
Marina Jackman: Thank you for having me and for our audience.
Mike Boyle: If you would like to learn more about today’s topic, data security and cyberattacks in the healthcare industry, I’m going to place several helpful links inside this show’s episode notes to guide you, so do look for those. I’m Mike Boyle from Ad Victoriam Solutions. Thanks for joining us for our latest Salesforce Simplified podcast. As always, our next episode is just around the corner.
Speaker 1: You’ve been listening to Salesforce Simplified, the podcast from Ad Victoriam Solutions.
Ad Victoriam Solutions
Ad Victoriam Solutions helps companies bridge the gap between technology and business insights for greater efficiencies. We can turn even the most complex problems into smart solutions that help businesses perform better and achieve more. We’re cloud and data experts who work across a spectrum of leading-edge applications and technologies to help companies solve critical IT problems - quickly, simply and efficiently.