What Are the Effects and Costs of Downtime to Healthcare Organizations?

Any break in the standard flow of a business can result in severe financial losses. Where do these losses stem from? One of the most expensive business interruptions is IT or system downtime. What is system downtime? It's when a technological "glitch" shuts down production. For healthcare companies, it's when servers shut down and your electronic health records become unavailable. No appointment scheduling. No access to patient records. No processing of payments.

There are some estimates that downtime costs range from $427 per minute for small businesses to as high as $9,000 for large enterprises.


According to Bleuwire, the usual causes of downtime in any business are:

  • Human error

  • Internet outage

  • Malfunctioning hardware

  • Cybersecurity threats

  • Server instability

  • Software updates

In the world of healthcare, however, IT downtime can result in patients missing critical appointments, the loss of sensitive personal health information (PHI), and providers receiving fines in the thousands or even millions of dollars for non-compliance. When server downtime strikes, every minute counts. Will you be ready?


When it comes to healthcare organizations, ransomware is by far the greatest threat to PHI and the leading cause of significant EHR downtime. Ransomware is a form of malware that encrypts its victim's files. To restore access to the data, a ransom payment is demanded, usually in Bitcoin. The amount can range from hundreds to thousands of dollars or more.

Downtime Statistics and Effects in Healthcare

Whether it is through data backups or cloud infrastructure, there are ways that organizations can better prepare for potential server downtime. The healthcare industry in particular is highly coveted by cybercriminals. Sensitive data targeted by ransomware can often yield large financial gains for the perpetrators.

Downtime in the healthcare industry is a critical situation. It goes beyond lost revenue; it can be a life-or-death situation for patients relying on results or treatment powered by modern technology. It also creates uncertainty for both patients and providers, who must wait without knowing how bad the damage on the other side of the attack may be.

Though large healthcare organizations hold a far larger store of PHI and may promise an even larger ransom payout, smaller providers are not off the hook.

According to the Secretary of the U.S. Department of Health and Human Services (HHS), between January 2022 and July 2023 there were 798 breaches of unsecured PHI affecting 500 or more individuals, and the number continues to grow year over year. Data breaches of this scale almost always contribute to downtime as reaction and recovery commence. One of the best ways to avoid downtime is to protect against cybercrime. It is the one area that most organizations, including those in healthcare, can control (to a certain degree).

What is EHR Downtime?

When it comes to downtime in healthcare, the most significant instances are those referred to as electronic health record (EHR) downtime. This refers to any period in which an EHR system is either partially or fully unavailable. Not only is this disruptive to day-to-day operational flow, but it also poses risks to patient reporting. Believe it or not, most hospitals are not adequately prepared for such a situation.

3 Examples of Healthcare Downtime from Cyberattacks

In late 2020, several U.S. hospitals, health systems, and other providers were attacked by a ransomware strain called Ryuk, now under FBI investigation. At the earliest point of the attack, three health systems went into EHR downtime: the University of Vermont Health Network, New York-based St. Lawrence Health System, and Sky Lakes Medical Center in Oregon. Access to programs like the MyChart Patient Portal went down, meaning patients and providers could not access results. In some cases, elective procedures had to be postponed. IT departments reacted by disconnecting all impacted systems to avoid further damage. This example demonstrates how severely a cyberattack can impact healthcare organizations that are not prepared for this scenario.

Ryuk is ransomware that primarily targets businesses, hospitals, and government branches. In circulation since 2018, Ryuk impacts about 20 organizations each week, with a particular focus on healthcare. Like most ransomware, it usually finds its way onto a system via phishing emails with malicious attachments. It relies on open source tools and existing system administration utilities to evade detection, which means Ryuk can conduct malicious activity without triggering any security alerts. By the time a user notices it, it is too late. This form of ransomware encrypts all files except those with the extensions .dll, .lnk, .hrmlog, .ini, and .exe. It also skips files stored by internet browsers, likely so that the victim can still use the browser to make payment. In addition to encrypting files, Ryuk also steals credentials stored on compromised computers. If that were not bad enough, there is currently no publicly available tool that can decrypt files affected by this ransomware without first paying the ransom.

You can read more about this incident affecting healthcare organizations at HealthITSecurity.

What Might Downtime Look Like at Your Organization and How Do You Calculate Its Loss?

According to OpsWorksCo, downtime costs an organization more than money: it also damages reputation, productivity, opportunities, and data. Organizations can calculate the cost of their downtime using the following equation:

Lost Revenue + Lost Productivity + Recovery Costs + Intangible Costs

According to the most recent data found in a study by the Ponemon Institute, and shared by Summit Healthcare, the average cost of downtime in healthcare is $7,900 per minute. This does not include any fines related to HIPAA.

The Bottom Line: Minimize Downtime

Cyberattacks can wreak havoc on an organization, regardless of the industry. However, in healthcare, besides financial and data losses, the downtime created by these types of attacks can inconvenience both clients and patients, many of whom require access to critical services or who have paid for services in advance.

The best way to minimize downtime at a healthcare organization is to develop and fund an effective cyberattack response plan. Educating employees on best practices and investing in modern technology, such as cloud solutions, can also protect organizations from costly cyberattacks.