This is Part 1 of a 2-part series addressing cyber attacks in the healthcare industry and key strategies to employ in ensuring that your systems are protected.

As the world becomes more technology driven, there has been a corresponding rise in cyber attacks on technological systems, and cybersecurity has become of paramount importance. The healthcare industry is no exception, experiencing attacks from ransomware, data breaches, distributed denial of service (DDoS) attacks, insider threat, and business email compromise and fraud scams, according to an article by the Center for Internet Security.

The prevalence of these attacks in healthcare is increasing, with a Cylance Annual Threat Report noting that for 2017, ransomware attacks were the major cause of cyber attacks, increasing 3-fold during the year and impacting the healthcare industry the most.According to the Health Information Trust Alliance (HITRUST), the number of ransomware families has been increasing since 2012 with an over 700% increase from 2015 to 2016, and a further 32% increase in 2017 over 2016 (Figure 1).

Data from the Privacy Rights Clearinghouse showed that for hack breaches that were publicly reported in 2018, the healthcare industry was significantly more affected than other Industries (Figure 2).

BSF: Businesses – Financial and Insurance Services
BSO: Businesses – Other
BSR: Businesses – Retail/Merchant – Including Online Retail
EDU: Educational Institutions
GOV: Government and Military
MED: Healthcare, Medical Providers and Medical Insurance Services

In May of 2017, the now infamous WannaCry ransomware was unleashed globally, attacking and locking down data and/or shutting down computers in countries around the world. Hospitals across the National Health Service (NHS) in the United Kingdom were significantly impacted with at least 80 of the 236 trusts across England affected and infecting another 603 primary care and other NHS organizations, according to an investigation carried out by the National Audit Office.

Today, WannaCry is still active and unmanageable as found by a survey conducted by internet of things security company Armis:

  • 103 countries are still impacted
  • Over 145,000 devices worldwide are compromised
  • At least 3,500 successful WannaCry attacks per hour, worldwide
  • 22% of Internet service providers (ISPs) have customers impacted by WannaCry
  • 60% of manufacturing organizations and 40% of healthcare organizations suffered a WannaCry attack in the past six months

Why is the Healthcare Industry being Targeted?

As previously stated, the healthcare industry is being increasingly targeted in cyber attacks and this is primarily because of the information available in the industry. The main motivation behind cyber attacks in healthcare is financial gain as patient medical information is very lucrative on the Dark Web. According to reports, medical records can be much more valuable to criminals than financial data and can be worth ten times more than credit card numbers. A global study conducted between February 2017 and April 2018 by the Ponemon Institute on behalf of IBM Security found the highest data breach resolution costs were for healthcare data breaches, costing an average of $408 per record compared to $206 per record for financial services data breaches.

“Healthcare providers such as hospitals are highly visible targets and attacks against them will be high impact, which in itself is a key motivator for many of these perpetrators. Disruptive attacks can disable, sabotage, or knock offline critical systems inside a hospital. The health and safety of vulnerable patients suffer as a result.”

HITRUST Report

Stolen patient information can be used to create fake credit cards, obtain medical services, and commit insurance fraud, among other things. It also usually takes some time for a patient to realize their identity has been stolen which gives criminals time to carry out their nefarious activities. This contrasts with stolen financial data which is most times quickly realized.

The unique nature of healthcare also makes it an easy target for quick money as some leaders prefer to pay the ransom demands to get their systems back online after a ransomware attack, as the inability to access systems and patient data can be literally a matter of life and death.

What makes the Healthcare Industry so Vulnerable to Cyber Attacks?

Healthcare organizations are particularly vulnerable to cyber attacks for various reasons. Coventry and Branley (2018) in a review of trends and threats to cybersecurity in healthcare, noted that traditionally no one believed that healthcare systems would be attacked and as such, protective measures were not seen as important. In their study they found that vulnerabilities in the healthcare industry originate from increase in technological connectivity, more continuous monitoring of patients outside of the clinical environment, and the widespread use of mobile consumer devices. Vulnerabilities exist due to other factors such as increased use of technology in healthcare, legacy systems with non-supported versions of Microsoft Windows, systems not updated to plug known vulnerabilities, and inadequate security mitigation policies.

Increased use of Technology in Healthcare

Traditionally, healthcare was mainly paper based with health records kept in a file room only accessible by authorized personnel. However, healthcare is following the lead of other industries and is increasing its use of technology. Additionally, the Health Information Technology for Economic and Clinical Health (HITECH) Act which was signed into law in 2009, promotes the adoption and meaningful use of health information technology, particularly electronic health records (EHR) whose adoption has been incentivized. Federal policies like these are driving technological advancement in healthcare. While this is great for improved patient care, it also opens the door for security vulnerabilities and possible hacking by unscrupulous individuals.

Increase in Technological Connectivity

The healthcare landscape is becoming more and more connected technologically as providers seek better ways of caring for patients, especially those with chronic conditions. There is a myriad of medical devices being used to monitor and care for patients, extending lives and improving quality of life. In the past these devices were stand-alone systems but are now becoming interconnected through an organization’s network, making them potential points of vulnerability for cyber attacks.

Growth in use of Mobile Consumer Devices

The use of mobile technology in healthcare is increasing with smartphones and wearable devices being used by individuals to monitor medical conditions or just general health status. This presents another area of vulnerability as these general-purpose devices now hold important personal health information (PHI) that could be easily exposed in a breach.

90% of healthcare IT decision makers “plan to implement or are currently implementing a mobile device initiative as a way to improve patient care, facilitate efficiencies within care teams or both.”

HIMSS

Legacy systems with outdated, non-supported versions of MS Windows

The rapid rise in the use of technology in healthcare has led to many healthcare organizations struggling with old legacy systems as investment in cybersecurity has not kept up with emerging technologies. Additionally, the focus of healthcare is on patient care which at times cause other areas such as technology to be left lagging. In the WannaCry attack, most, if not all, of the systems affected were operating on outdated versions of Windows that are no longer supported by Microsoft. A cybersecurity survey by Infloblox found that 22% of healthcare IT professionals reported having Windows 7 in their organizations and 20% reported that Windows XP was operating on their network, both of which are no longer supported by Microsoft. The survey also found that medical equipment such as MRI scanners were operating on these outdated systems. Equipment operating on vulnerable operating systems can be easily exploited and attacked by malware introduced into the network.

Systems not updated with required patches to plug known vulnerabilities

Even where the systems being used are supported by Microsoft, updating and plugging known vulnerabilities is often a challenge. In our experience, businesses routinely scan their network and systems for vulnerabilities but fail to apply required fixes or patches in a timely manner. Several patches or updates can be applied automatically, but in many instances on some networks or systems, this has to be done manually. Also, specific remediation steps must be followed at times which require appropriate staff with the proper knowledge to execute.

Inadequate security risk mitigation policies or procedures to follow in order to address current or emerging IT threats

Maintaining a secure cyber environment is a huge task especially in the current environment of new and varied threats. This is another area that some healthcare organizations struggle with as shown by the Infloblox survey which found that 15% of UK healthcare IT professionals and 11% of their US counterparts did not believe that their current security policy for newly connected devices was effective. This led the authors to surmise that hospitals and health centres may be rapidly adopting new connected devices without due care and attention being paid to security policies.

The threat to the healthcare industry from cyber attacks is real and growing. Healthcare organizations need to understand these threats, realize what is at risk, know where their vulnerabilities are, and take proactive steps to protect themselves.  There are many innovations on the market to help healthcare organizations continuously monitor and protect their systems from cyber attacks, as well as to help them recover in the event of a breach. Part 2 of this blog series (Addressing Cyber Attacks: 10 Key Strategies to Cyber Secure your Healthcare Organization) will explore key strategies and practical how-to solutions that can better prepare your healthcare organization from cyber attacks, ransomware, and data theft.

Download the Playbook for Corporate Compliance in Healthcare for a step-by-step guide for compliance and data risk security.