Healthcare Industry and Cyber Breaches
Guess what happens one day that a busy hospital stops functioning. All the data related to the patient and treatment details seize to work. There is no output, and they all stand still. Yes, the computerized system of the environment has choked, and all the electronic medical records are locked.
A hacker could barge into the hospital IT network and connect to their software that control patient medication procedure, and change the settings in a way that hospitals are never in a situation to deliver the correct dose of the medicine.
IT experts say the most worrying factor for the hospital administration is about going fully computerized, because the fear of getting the system hacked and all the details getting compromised is something they never want to happen. The cyber criminals main target is data and that is something vital for every organization
“We have seen in recent years an escalation in the risk to health-care organizations from cyber threats,” said Steve Curren, director of the Division of Resilience in the Office of Emergency Management, part of the U.S. Health and Human Services Department’s Office of the Assistant Secretary for Preparedness and Response. “Since 2014, we have had 10 distinct breach incidents of healthcare organizations where the breach resulted in the compromising of more than 1 million patient records.”
Ransomware attacks have “impacted health care directly,” said Monzy Merza, head of security research for Splunk, an enterprise software company. “There were several reports of UK hospitals unable to administer X-rays. The computer equipment attached to the X-ray machines was compromised and attacked by ransomware and rendered inoperable for some period of time.”
Experts say there are a number of reasons for the increased risk — and challenges, some unique to healthcare, in mitigating it.
“Cybersecurity is somewhat of a nascent discipline,” Merza said. “We’re still learning. Manufacturers are learning how to operate in this new world. The same is true for the operators and owners of these technologies, who are also learning what the best practices are and how to manage them.”
There are several reasons the healthcare industry makes an attractive target for cyber crimes:
“There’s a street value to people’s personal information, and the health-care sector is an excellent source of it,” Schneck said. Trade secrets can also be sold for profit.
Health-care organizations also have a lot of information that can be valuable to those who want to commit health insurance fraud, Medicare fraud or identity theft, Curren said.
Connections among diverse organizations. “The reason we’re seeing more of this now is because of the connectivity of networks and devices to the network,” Merza said. “There are clear advantages to connected devices — automation, information sharing, knowledge enrichment, contextualization. But with that network connectivity, you’re opening yourself up to attack.”
“We have a very diverse sector,” Curren said, ranging from large health insurance organizations with a lot of resources to very small clinical practices.
The results of a breach for everyone involved in the healthcare industry — hospitals, clinics, researchers and patients — can range from annoying to catastrophic.
Patients could be harmed or even die. Many people — both patients and health-care workers — could be inconvenienced by systems going down. And bad publicity could harm clinics and hospitals in areas where consumers have choices.
“It’s a competitive business — if a facility has gotten hit, that might influence where the public chooses to go,” Levy said.
Prevention is the best solution — but it, too, poses challenges. Experts offer these ideas for shoring up security to prevent or mitigate attacks:
Education and awareness. “In the past, it was much more challenging implementing cybersecurity features because people didn’t consider it a must,” said Idan Edry, CEO of Trustifi LLC. “They said, ‘I’ve never been hacked, nobody stole any of my information, so I’m fine.’”
Today, those on the front lines of using the more secure systems — including patients and medical professionals — are more aware of the importance of cybersecurity. Continued education will help ensure that the people who need to use the secure systems are on board.
Simplicity. The more complex a system is, the harder it can be to keep updated to guard against cyber attacks.
“Keep it simple: Don’t have too many disparate things where if you make one update it breaks everything else,” Schneck said. “The more hot, new devices that you have, the more openings you have.”
Backup systems. When cybersecurity systems fail to prevent an attack, good backups can make it easier to recover.
“In the case of ransomware, it’s important to have very good backups, so that when something is compromised, you’re able to get back up and running,” Merza said.
Emergency planning. Cybersecurity may be an emerging challenge, but emergency managers can tackle it by using strategies similar to those they use for other situations. “If a hospital gets disrupted by a cyber incident, it’s the same as if it was disrupted by a water main break or a tornado or anything else,” Curren said.
Constant vigilance. Both manufacturers and owners of devices bear some responsibility for preventing attacks. Users and operators should be prepared to follow best practices for installing and testing the updates.
“Start with the fundamentals,” Merza said. Manufacturers should be constantly evaluating bugs and vulnerabilities of their equipment and sharing that information with owners. “How quickly can manufacturers identify the problem, come up with the fix and distribute the fix to the users of those devices?”
Realistic regulations. Cybersecurity plans need to keep in mind the mission and culture of the health-care industry.
For example, it’s easy to say all operators should immediately install all patches. But “sometimes it is not feasible for any number of reasons,” Merza said. Government agencies that regulate the systems may be slow with their approval. “The regulatory space is not equipped today to handle the evolving nature of threats and the speed with which technological development is happening. There is an opportunity now for regulatory bodies to work with operators and manufacturers to understand the on-the-field requirements so people can implement them in a reasonable fashion.”
Healthy attitude toward risk. It’s easy to blame doctors for being reluctant to learn a new electronic medical record system, for example, or update their computers.
“Doctors are geniuses in how they figure out how to help people, but notorious for not being meticulous about cybersecurity,” Schneck said.
But it is important for those in charge of cybersecurity to keep the true goals of everyone who uses the systems in mind. Researchers need to be able to share information and produce new drugs. Health-care providers need to be able to exchange patient information. Some security measures may make it hard for health-care professionals to do their jobs. The key is to consider cybersecurity through the lens of risk management, Schneck said.
“It’s not the doctor’s fault that he is too busy and he thinks that he doesn’t have time for remembering a complicated password that cannot be hacked into, not the nurse’s fault that she is under so much pressure that she cannot read every email very carefully and figure out that it’s a phishing email,” Yaraghi said. “I do not blame physicians and people in the healthcare industry at all.”
Cooperation. So many of the players in the healthcare system are connected to each other — hospitals communicate with doctors’ offices, pharmacies and insurance companies, for example — that an attack on one entity with weaker security could threaten others.
“There’s a real strong sense developing in healthcare that we have to do this together, and we have to be committed to sharing information with one another to make this work,” Curren said. For example, hospitals need to notify each other of attempted attacks so other hospitals can prevent them.
In addition, a long-term solution would be for device manufacturers to “develop products and services that are hard to compromise,” Merza said. “The government, the manufacturers and the operators of these devices all really have to work together in the best interests of the public health-care population.”