From the largest global meat producer to a major gas pipeline company, cyberattacks have been on the rise everywhere—and with copious amounts of valuable patient data, healthcare organizations have become a prime target.
The graphic above outlines the recent wave of data attacks plaguing the sector. Healthcare data breaches reached an all-time high in 2020, and hacking is now the most common type of breach, tripling from 2018 to 2020. This year is already on pace to break last year’s record, with nearly a third more data breaches during the first half of the year, compared to the same period last year.
Recovering from ransomware attacks is expensive for any business, but healthcare organizations have the highest average recovery costs, driven by the “life and death” nature of healthcare data, and need to quickly restore patient records. A single healthcare record can command up to $250 on the black market, 50 times as much as a credit card, the next highest-value record. Healthcare organizations are also slower to identify and contain data breaches, further driving up recovery costs.
A new report from Fitch Ratings finds cyberattacks may soon threaten hospitals’ bottom lines, especially if they affect a hospital’s ability to bill patients when systems become locked or financial records are compromised. The rise in healthcare hacking is shining a light on many health systems’ lax cybersecurity systems, and use of outdated technology.
And as virtual delivery solutions expand, health systems must double down on performing continuous risk assessments to keep valuable data assets safe and avoid disruptions to care delivery.
CFOs whose finance and accounting functions are built on legacy computer systems got a stark reminder last week from the Colonial pipeline hacking of what’s at stake if their system is breached.
The hack to Colonial’s system led to widespread gas shortages throughout the East and reportedly forced the company to pay $5 million in ransomware to get the instructions for reclaiming its data.
“For finance departments, the cybersecurity risk is huge,” Samir Jaipati, a finance solutions leader with EY Americas, told CFO Dive in an email. “Something built on outdated technology won’t be able to keep hackers out.”
Security specialists generally agree legacy, on-premises systems starting from about 10 years ago typically have solid cybersecurity features built in, but those that are older might require significant upgrades if they’re going to stand a chance against today’s sophisticated hackers.
The risk for CFOs who must manage their processes on an outdated system is they’ll try to get by with short-term fixes that won’t solve the systemic problems they face.
“These temporary fixes aren’t as dependable and in the long-term may cost more,” said Kaipati.
For CFOs who don’t have the time or budget to implement the system overhaul they need or to transfer their processes to a more secure on-premises system or to a cloud-based system, the best step is to do a comprehensive review of their end-to-end finance processes to audit for consistency and reliability, said Steve Adams, Gartner finance director.
He suggested reviewing the organization’s record-to-report process from start to finish to understand where non-secure platforms are used, whether there are audit trails that don’t exist, and if exogenous data is incorporated. By eliminating these and other red flags, CFOs can go a significant way to clean up their processes and reduce risk without making system changes, Adams said.
CFOs taking this approach should first engage their IT business partner and ask for a full audit of the cybersecurity capabilities of the suite of financial applications and to use that review as a starting point to making improvements, he said.
Legacy systems pose a broader problem than just security risk; they can impede company growth because CFOs aren’t generating the data or producing the analytics that can help them identify ways to make more money or reduce costs in the same way they can get from sophisticated cloud-based solutions.
Nor can legacy systems be expected to be as good at integrating data throughout the organization in the same way as cloud systems.
For CFOs who can do it, switching from an old on-premises system to the cloud can be a game-changer, said Manish Sharma, an Accenture operations group executive.
“CFOs that are agile and able to overcome these restrictions by scaling digital and cloud-powered technologies have been able to break down data silos and siloed ways of working to support the ever-evolving business strategy with speed and flexibility,” he said.
The importance of using up-to-date IT was emphasized in a recent Accenture report that found “future-ready” leaders are emerging ahead of the pack with higher efficiency and profitability by scaling digital capabilities in ways to improve operational maturity.
“These leaders use better, more diverse data to inform decision-making as part of a cloud-powered continuous feedback loop,” said Sharma.
Another benefit of moving to the cloud or a hybrid cloud-on-premises arrangement is cost flexibility.
On average, the cost of managing an outdated IT system can cost a business around $3.61 per line of code or over $1 million for an application with 300,000 lines of code, said Kevin Shuler, owner and CEO of the Quandary Consulting Group, a Denver-based IT firm.
“It accounts for customizations, maintenance, reporting, server and hardware, etc.,” he said.
While replacing the old with the new might appear to be prohibitively expensive at first glance, Shuler noted what can put a CFO more at ease is the costs are more transparent than maintaining a legacy system.
“Better, they can be categorized as either an operating expense or a capital expense since a lot of software is classified as a service rather than software,” he said.
This gives flexibility to the CFO’s finances and forecasting. It also means more resources can be available for modernized systems.
“That means you can get superior resources at a lower cost than trying to pull from a pool of highly specialized and competitive contractors who work mainly with legacy systems,” he said.
RWJBarnabas Health sued an insurance carrier for allegedly refusing to cover the West Orange, N.J.-based system’s pandemic-related losses, according to NJ.com.
The health system is suing Zurich American Insurance Co. for breach of contract, alleging the company refused to honor its obligations under a $2.5 billion “Zurich Edge Healthcare Policy.”
The health system, which treats 3 million patients annually, claims Zurich’s policy should cover losses caused by illnesses like COVID-19. The lawsuit, filed March 19, alleges Zurich failed to acknowledge COVID-19 caused property damage after employees and patients died from the virus in its facilities, according to Law360.
“Zurich has known, or should have known, for decades that its policy could be called upon to pay up to its full limits — here $2.5 billion dollars — to RWJBarnabas for losses associated with viruses and pandemics,” the lawsuit states.
Ridgewood, N.J.-based Valley Health System is also suing Zurich, alleging the insurance company wrongfully denied covering its losses tied to the pandemic under a $550 million policy, according to Law360.
A Zurich spokesperson declined to comment on RWJBarnabas’ lawsuit, telling NJ.com that it is not the company’s practice to comment on pending litigation.
In Virginia, Carilion Clinic filed a similar lawsuit against its insurance provider, American Guarantee and Liability Insurance Co., on March 18. The Roanoke, Va.-based system says it lost more than $150 million because of the pandemic, and the insurance company allegedly refused to provide coverage or properly investigate its losses.
“To cushion the impact of the coronavirus and COVID-19, Carilion Clinic turned to its property insurer, AGLIC, to whom Carilion Clinic had paid nearly $1 million in premiums in exchange for $1.3 billion in property damage and time element (also known as business interruption) coverage effective June 1, 2019 to June 1, 2020,” the lawsuit states. “AGLIC, however, declined to fulfill its obligations to Carilion Clinic under the policy.”
Carilion is seeking damages for breach of contract and a judgment declaring the scope of American Guarantee’s obligation to cover the losses under the policy.
Read the full NJ.com article here.
Read the full Law360 article here.
Change in new COVID-19 cases in the past week
Percent change of the 7-day average of new cases
on Feb. 23 and March 2, 2021
The U.S. may be on the verge of another surge in coronavirus cases, despite weeks of good news.
The big picture: Nationwide, progress against the virus has stalled. And some states are ditching their most important public safety measures even as their outbreaks are getting worse.
Where it stands: The U.S. averaged just under 65,000 new cases per day over the past week. That’s essentially unchanged from the week before, ending a six-week streak of double-digit improvements.
- Although the U.S. has been moving in the right direction, 65,000 cases per day is not a number that indicates the virus is under control. It’s the same caseload the U.S. was seeing last July, at the height of the summer surge in cases and deaths.
What we’re watching: Texas Gov. Greg Abbott on Tuesday rescinded the state’s mask mandate and declared that businesses will be able to operate at full capacity, saying risk-mitigation measures are no longer necessary because of the progress on vaccines.
- But the risk in Texas is far from over. In fact, its outbreak is growing: New cases in the state rose by 27% over the past week.
- Mississippi Gov. Tate Reeves also scrapped all business restrictions, along with the state’s mask mandate, on Tuesday. New cases in Mississippi were up 62% over the past week, the biggest jump of any state.
- The daily average of new daily cases also increased in eight more states, in addition to Mississippi and Texas.
How it works: If Americans let their guard down too soon, we could experience yet another surge — a fourth wave — before the vaccination campaign has had a chance to do its work.
- The vaccine rollout is moving at breakneck speed. The U.S. should have enough doses for every adult who wants one by May, President Biden said this week.
- At the same time, however, more contagious variants of the coronavirus are continuing to gain ground, meaning that people who haven’t gotten their vaccines yet may be spreading and contracting the virus even more easily than before.
What’s next: The bigger a foothold those variants can get, the harder it will be to escape COVID-19 — now or in the future.
- The existing vaccines appear to be less effective against two variants, discovered in South Africa and Brazil, which means the virus could keep circulating even in a world where the vast majority of people are vaccinated.
- And that means it’s increasingly likely that COVID-19 will never fully go away — that outbreaks may flare up here and there for years, requiring vaccine booster shots as well as renewed protective measures.
The bottom line: Variants emerge when viruses spread widely, which is also how people die.
- Whatever “the end of the pandemic” looks like — however good it’s possible for things to get — the way to get there is through ramping up vaccinations and continuing to control the virus through masks and social distancing. Not doing those things will only make the future worse.
- “Getting as many people vaccinated as possible is still the same answer and the same path forward as it was on December 1 or January 1 … but the expected outcome isn’t the same,” Shane Crotty, a virologist at the La Jolla Institute for Immunology in San Diego, told Reuters.
A New York physician has been charged with manslaughter in the second degree and is facing other felonies related to the overdose death of a patient, New York Attorney General Letitia James announced Feb. 19.
Sudipt Deshmukh, MD, allegedly prescribed a lethal mix of opioids and other controlled substances that resulted in the overdose death of a patient. The physician allegedly knew the patient struggled with addiction.
An indictment, unsealed Feb. 18, alleges that between 2006 and 2016, Dr. Deshmukh ignored his professional responsibilities by prescribing combinations of opioid painkillers and other controlled substances, including hydrocodone, methadone and morphine, without regard to the risk of death associated with the combinations of those drugs.
Dr. Deshmukh is facing several felony charges, including healthcare fraud, for allegedly causing Medicare to pay for medically unnecessary prescriptions.
The indictment comes after the attorney general’s office filed a felony complaint against Dr. Deshmukh in August. In 2019, the New York State Office of Professional Medical Conduct found that he committed several counts of misconduct.