Hospitals as Cyber-Targets: How to Prepare for the Inevitable Data Breach
Just a month after one California hospital paid a $17,000 ransom to end a cyberattack, three more medical centers in the state were hit by hackers. Some clinical systems, such as radiology, were down for days at three Prime Healthcare facilities—Desert Valley Hospital, Chino Valley Medical Center and Alvarado Hospital Medical Center—as the hospitals worked to contain the ransomware that infected their computers. Yet no patient’s safety or data were compromised, and no ransom was paid, says Prime spokeswoman Elizabeth Nikels.
“Prime Healthcare had various levels of protection and controls built into its systems, including multiple levels of backup,” Nikels says. “Our [chief information officer] and IT teams ... had an extensive cybersecurity strategy in place and were quickly able to execute their incident plans alongside national expert incidence response firms.”
Hospitals and healthcare organizations across the country are increasingly finding themselves the targets of hacks and ransomware attacks. In fact, 45 percent of healthcare organizations had more than five data breaches—though most were small, containing fewer than 500 records—in the past two years, according to a 2016 report by Ponemon Institute, a Michigan-based research organization focused on IT security. In 2016 alone, hacks of healthcare facilities were reported in California, Indiana, Kansas, Kentucky, New Jersey and the Washington, D.C., area.
While there has been no known patient injury stemming from a cyberattack, reports have indicated rescheduled appointments and delayed treatments. “There’s no evidence of any direct harm yet,” says Kevin Fu, PhD, director of the Archimedes Center for Medical Device Security at the University of Michigan. “It’s more about the safety net beginning to crumble.”
But even with patients out of harm’s way, the ramifications of a hack on a hospital can be severe. Healthcare hacks cost $355 per lost or stolen record—the highest of any industry—due to fines and a higher-than-average rate of lost business and customers, reports the Ponemon Institute. If the hack constitutes a breach, hospitals could face the added costs of credit monitoring for patients and media notification. And with that publicity comes another potential hit: a decline in reputation and loss of patient trust.
“How do you maintain continuity of operations?” asks Fu. “How do you have not just continuity, but assured continuity of operations? And then the follow-up is, how do you recover when you have a disruption to continuity of operations? Ransomware plays havoc with how things are done today in healthcare.”
Why hacks happen
Experts say the reasons for the surge in hacks are two-fold: there’s money in health data—and in the ransomware itself—and the healthcare industry is a particularly vulnerable cyber-target. While hospitals have paid thousands in ransom to get their medical records de-encrypted, perhaps more lucrative for hackers is the health information itself. A stolen medical record, which could be used to file false insurance claims or commit identity theft, could sell for five or 10 times more than a stolen credit card number.
“The data is much richer and, as a result, much more attractive” says Chris Paravate, MBA, chief information officer at Northeast Georgia Health System in Gainesville. “There are lots of different fraudulent activities you can do with that much data.”
As health data becomes more valuable, medical organizations are becoming more vulnerable to cyberattacks. Many factors make a typical hospital more likely to experience a breach, according to a report by Meditology Services, an Atlanta-based healthcare IT company. These include storing large volumes of medical data on a variety of systems with varying security, using legacy systems without routine security updates, allowing open physical security policies and connecting unsecure medical devices to the network. Healthcare organizations have made moderate improvements over the last few years, but “the industry still has a long way to go,” says Brian Selfridge, partner at Meditology Services.
Data sharing, which is key to providing patients with a continuity of care, also presents problems. The medical records of patients with cardiac conditions need to be available to their primary care providers, cardiologists and other specialists. “All that information has to be moved around so those people have access to the right information at the right time,” Paravate says. “Each one of those sharing opportunities creates a vulnerability.”
How to halt the hackers
While there’s no surefire way to prevent a cyberattack, experts offered a variety of tips to help healthcare organizations protect their medical data from hackers:
Update your software: Using commercial software that’s no longer maintained makes you more susceptible to malware. This is especially key to preventing ransomware attacks, which take advantage of missing security patches or technical breaches, Selfridge says.
Check your inventory: If you buy a security product before you understand what you’re protecting, you’ve made a bad purchase, Fu says. Hospitals need to have a good grasp on their clinical and IT inventory, so it’s clear which devices are on the network and at risk. Numerate these at-risk assets, deploy appropriate controls and continuously monitor the effectiveness of those controls. “People often don’t want to do that boring part,” Fu says.
Back up your data: Ransomware is largely ineffective if you can replace it with a back-up, Selfridge says. At Northeast Georgia Health System, the extensive back-up system is configured based on the critical nature of each application, Paravate says. The hospital’s electronic medical record system, for instance, is backed up nearly in real time. In contrast, other industries, such as food information technology, may back up periodically, over a span of hours or even a day.
Perform a risk assessment: A risk assessment is required for an organization to comply with regulatory requirements for securing information under HIPAA, Selfridge says. It evaluates security risks, such as areas that could create the possibility of a security breach and what standards could limit the likelihood of that breach.
Hire (ethical) hackers: An ethical hacking assessment, also known as penetration test, is an attempt to simulate the experience of a hack to find an organization’s exposures so they can be secured, Selfridge says. The assessment, which is typically performed annually, helps hospitals find simple, low-hanging security vulnerabilities that can be addressed quickly and inexpensively. Components include trying to hack into the hospital’s network using the external internet, attempting to hack from within the hospital and using social engineering, such as phone calls and emails that attempt to garner passwords.
Protect passwords—and against phishing: Almost two-thirds of confirmed data breaches involve weak, default or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report. What’s more, social engineering weaknesses, such as employees providing password information to phishing emails, are among the top 10 hacking exposure areas for healthcare organizations, Meditology found. “It’s basic stuff,” Selfridge says. “This isn’t sophisticated nation-state actors that need special technology. It’s very often simple passwords.”
Invest in insurance: With most commercial general liability policies excluding cyberattacks, many hospitals maintain separate cyber-liability insurance policies, says Reece Hirsch, JD, a healthcare attorney and co-head of the Morgan Lewis privacy and cybersecurity practice. Cyber-liability policies, which have grown in popularity over the last few years, can cover damage related to a data breach, such as ransom payments, credit monitoring for victims, notification letters and setting up a call center, Hirsch says.
Bone up on bitcoin: Hackers tend to demand ransom in the form of bitcoin, an online currency that’s designed to be anonymous and difficult to trace. Some hospitals have set up bitcoin accounts as part of their cyberattack response preparation, Hirsch says. “If it does happen,” he says, “you don’t want to waste time trying to figure out what bitcoin is and how to set up an account.”
How to respond to a hack
Despite the steps hospitals are taking to prevent attacks, experts say all healthcare organizations are vulnerable. “It’s not a question of if we’ll have a breach,” Paravate says. “It’s how will we respond.”
Organizations should first determine how they’ll handle a hack internally. Northeast Georgia Health System has a formal security incident response plan that includes stakeholders from IT security, compliance, risk, public relations and the executive team, Paravate says. Just like a fire, the first phrase of a hack response is to contain and extinguish, and then to understand the extent of the damage. Questions include: What data has been encrypted? How current are the back-ups? How do we communicate to end users that the system isn’t usable? What’s the process of restoring the system?
There’s also a risk management decision to be made, Fu says. Do we remove the system—interrupting clinical workflow—to prevent the malware spread? Do we pay the ransom? Do we try to clean the system, or just delete and restore? What happens to patients in the interim? “There is no perfect solution right now,” Fu says. “It’s kind of like handwashing in the 1800s. We don’t necessarily have the running water in the hospital.”
We’re only beginning to hear about hospital hacks and security breaches, Fu says. “One of the reasons you’re hearing about malware now is people are actually beginning to look,” he says. “Five years ago, there was a false sense of security.”