Low-cost strategies can help healthcare organizations avoid the high price of a data breach.
Technology has radically transformed health care, allowing physicians to conduct examinations by mobile phone, hospitals to share patient records electronically, medical devices to be monitored using wireless connectivity, and autonomous robots to perform surgeries.
But health care’s growing use of IT also has exposed hospitals, clinics, and physicians to a rising number of cybersecurity threats. Healthcare providers are increasingly targeted by hackers because they not only possess valuable patient information but also tend to lack sufficient safeguards against cyberattacks.
More than one in four of all data breaches occur in the healthcare industry, according to the Identity Theft Resource Center, a not-for-profit that tracks cyberattacks. a Of the record 1,339 data breaches in 2017, 374 occurred in health care.
The healthcare industry is among the most challenging when it comes to cybersecurity strategy because employees across an organization, from clinical to administrative functions, have access to sensitive patient data, and because there exist multiple points of entry, presenting ample opportunity for hackers. A cyber-criminal might launch an attack on a hospital system’s mainframe computer but may find it easier to gain entry through the desktop PC in a small health clinic. It might be even simpler to steal a nurse’s laptop or a physician’s mobile phone.
Once a computer system has been breached, a hacker can mine the files for patient information, including Social Security numbers and birth dates, sensitive data that can be used to access bank and credit card accounts.
Moreover, thieves aren’t satisfied just stealing patient information. They also hold healthcare providers hostage by refusing to unfreeze locked computers until a ransom is paid, often by untraceable bitcoin. In such cases, lives can hang in the balance with the potential malfunctioning of vital medical equipment, such as heart monitors or IV infusion pumps. In extreme cases, procedures may have to be postponed, also putting patients’ lives at risk.
Now more than ever, it is imperative for healthcare organizations to develop strategies to protect themselves from cyberattacks. By developing a cybersecurity policy, regularly performing risk assessments to ensure the organization’s computer system is secure, and training employees to prevent and detect breaches, healthcare organizations can significantly reduce their risk of being hacked.
The Cost of Cyberattacks
If healthcare organizations don’t catch up with hackers soon, the number of breaches—and people affected by them—is likely to grow exponentially. If such breaches of patient data grow at their current pace, by 2024, every person in the nation will have been affected. b
Providers absorb the costs of cyberattacks in a number of ways, including investigating the breaches, fixing the problems and preventing them from happening again, providing credit monitoring services to affected patients, paying damages and government fines related to HIPAA violations, and losing future revenue because of loss of patient trust. Altogether, health system cyber-breaches cost the industry $6.2 billion each year. c These costs can be significant and even damaging to a large health system, but a small clinic could be put out of business after a major breach.
One of the main reasons hackers target healthcare providers is that patient records contain such a wealth of patient information. Healthcare organizations are repositories not only of protected health information but also of sensitive financial and personal information such as Social Security numbers, birth dates, and bank and credit card information, which can be used to drain bank and credit card accounts. Cyber-criminals might use the information themselves or sell it to someone else. In the latter case, healthcare information can be among the most lucrative information to sell: While a Social Security number could sell for 10 cents on the black market, a patient’s electronic health record (EHR) could be worth thousands of dollars. d
A hacker might also use ransomware to hold the information hostage, refusing to release data back into an organization’s hands until a ransom has been paid. This approach often is a double whammy because the hacker not only gets paid a ransom but also retains the downloaded patient information for future criminal activity.
The breaches are becoming more frequent and problematic as hackers get smarter and have access to more sophisticated equipment. There are international criminal networks that send millions of phishing and spam emails—some with malicious links or attachments—to gain access to healthcare computer systems. Even more menacing are nation-states, such as China and Russia, that have the intelligence apparatus and the infrastructure to carry out massive cyberattacks.
The growing threat of knowledgeable cyber-attackers, coupled with the premium price of healthcare information on the black market, makes health systems a very attractive target—especially given healthcare organizations’ lack of adequate preparation for such attacks.
Consider all the computers in hospitals, clinics, labs, and physician offices that are used to gather patient information, and how those data are shared. There are great vulnerabilities in the operating systems, with some physicians’ offices using outdated Windows operating systems for which Microsoft no longer provides security support. In some cases, these operating systems were installed in the 1990s and are older than the people using them. Although a health system might spend thousands of dollars on computer security, a physician’s office may have a patchwork system. Because EHRs are linked, a hacker can infiltrate the physician’s computer to gain access to the hospital’s system.
Employees with EHR access also pose a risk to data security. An employee might inadvertently give a hacker access by opening an email attachment that contains malware or ransomware. A physician might use a mobile phone to send a patient’s X-rays and medical records to a colleague for a second opinion, allowing a hacker to intercept the material. A nurse might leave a laptop unattended, only to have it stolen, along with hundreds of patient records. The ramifications of such breaches can be devastating, as shown in the following recent examples:
- When the WannaCry ransomware hit 81 U.K. hospitals, almost 7,000 patients went untreated, as hackers demanded ransom to release frozen medical records. Refrigerators and MRI machines were shut down as well. e
- A Los Angeles medical center was crippled for more than a week after a ransomware attack locked up computers in 2016. The hospital paid hackers $17,000 in bitcoin to have service restored. f
- A New York hospital system agreed to a $3.9 million settlement after the records of roughly 13,000 patients were compromised following the theft of a hospital laptop. g
- A Philadelphia health system paid $650,000 in HIPAA violations after an employee’s mobile phone was stolen and hackers gained access to the records of more than 400 patients. h
- In 2015, the FDA issued an alert about software vulnerabilities in a brand of infusion pumps, warning that hackers could access the pumps remotely and alter the doses, with potentially life-threatening consequences. i
Incidents like these illustrate the real-life costs of cyberattacks, which could include the price paid to unlock a ransomware attack, the cost of upgrading computer security, losses related to government fines and patient lawsuits, and lost business and brand reputation.
There are several ways for healthcare providers to improve their cybersecurity, and some of these measures cost little or no money.
Provide employee education and training. A relatively quick and inexpensive security method is to provide education and training to employees. Hospitals, clinics, and physician’s offices can teach employees how to identify suspicious email files that might contain a malicious link or attachment, including photos and videos. Offering quarterly training sessions keeps the information fresh and on the minds of employees.
Monitor social media. Healthcare employees also need to be educated to understand how their mobile devices and social media can add to the vulnerability of their employer. Most mobile devices contain both work and personal email accounts. A hacker can gain access through a personal email account and use the mobile device to penetrate the user’s business email or other company files. The social media on a mobile device also can serve as an entry point for hackers to invade the business accounts.
Strengthen password protection. Healthcare providers can easily add a layer of security by requiring employees to log in using two-factor authentication. This system requires users to log in using not only their password, but also a second method to confirm the identities of the users. A familiar example is where a user enters a password on a mobile device, and then is sent a dynamic passcode by email, which must be entered as the second form of authentication.
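The following Python sketch is an added illustration, not code from the article or from Navigant, of the two-step login just described: the password is checked first, then a short-lived, single-use passcode is issued for out-of-band delivery and verified as the second factor. The five-minute validity window, six-digit code length, and in-memory user store are assumptions made for the example; a real deployment would deliver the code by email or SMS and persist state in a database.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a one-time code stays valid for five minutes
CODE_DIGITS = 6          # assumed: six-digit numeric passcode


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen password table cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoFactorLogin:
    """Password (first factor) plus emailed one-time code (second factor)."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._users = {}       # user -> (salt, password_hash); constructed store
        self._pending = {}     # user -> (sha256(code), expires_at)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hash_password(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, hash_password(password, salt))

    def issue_code(self, user: str) -> str:
        """Create the second-factor code; the caller sends it out of band."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = (digest, self._now() + CODE_TTL_SECONDS)
        return code

    def verify_code(self, user: str, submitted: str) -> bool:
        """Accept a code only once and only inside its validity window."""
        entry = self._pending.pop(user, None)   # single use: any attempt consumes it
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            return False
        submitted_digest = hashlib.sha256(submitted.encode()).digest()
        return hmac.compare_digest(digest, submitted_digest)

    def begin_login(self, user: str, password: str):
        """Step one: returns the code to deliver, or None if the password fails."""
        if not self.check_password(user, password):
            return None
        return self.issue_code(user)


if __name__ == "__main__":
    login = TwoFactorLogin()
    login.register("nurse.jones", "correct horse battery staple")   # constructed user
    code = login.begin_login("nurse.jones", "correct horse battery staple")
    print("second factor accepted:", login.verify_code("nurse.jones", code))
```

Two details matter more than they look: a code that has expired or already been used is rejected outright, so an intercepted email cannot be replayed later, and a failed attempt discards the pending code, forcing a fresh one rather than allowing unlimited guesses.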
Establish a cybersecurity program. A healthcare organization should develop a cybersecurity program to establish a framework to govern security. The program should address procedures, personnel, and training, providing an organized and methodical approach for understanding the organization’s risk and security and creating a hierarchy of responsibility. At the center of such a program there should be policies and procedures that govern the protection of information. Such policies and procedures provide employees and customers with guidance on controls surrounding information and access to that information. Written policies provide accountability and guidance.
Perform regular risk assessments. Healthcare providers need to regularly perform a risk assessment to ascertain the strength of their cybersecurity systems. Cyber-threats are changing constantly, and the methods and tools necessary to detect and defend against attack are being updated just as fast. Therefore, a regular reassessment must occur to ensure that new and emerging threats are mitigated or identified before they cause irreparable harm.
A Proactive Stance
Healthcare cybersecurity threats have become a high-stakes enterprise that has quickly moved beyond the simple work of the rogue hacker to sophisticated operations involving criminal syndicates and nation-states. Fortunately, there are signs that healthcare providers are becoming more proactive in responding to these threats. Although the vast majority of healthcare organizations continue to wait until they are attacked before taking action, there is a growing trend of healthcare providers working to strengthen their security and prevent a cyberattack.
This trend is encouraging, because it shows providers are increasingly realizing the vulnerabilities and are taking steps to correct them. It also makes sound business sense, because a strong cybersecurity strategy not only protects patients, but also is less costly in the long run.
Robert E. Anderson, Jr., is a former national security executive with the FBI and currently a managing director, Navigant, Washington D.C.
a. “2017—Data Breach Category Summary,” Identity Theft Resource Center, Dec. 27, 2017.
b. Sweeney, B., “The Frightening New Frontier for Hackers: Your Medical Records,” Crain’s Chicago Business, April 8, 2017.
c. Cost of a Breach: A Business Case for Proactive Privacy Analytics, Protenus, Sept. 23, 2016.
d. Yao, M., “Your Electronic Medical Records Could Be Worth $1,000 to Hackers,” Forbes, April 14, 2017.
e. Lanxon, N., and Ross, T., “U.K. Blames North Korea for WannaCry Attack on Health Service,” Bloomberg Politics, Oct. 26, 2017.
f. Winton, R., “Hollywood Hospital Pays $17,000 in Bitcoin to Hackers; FBI Investigating,” Los Angeles Times, Feb. 18, 2016.
g. LaMantia, J., “Major Health System’s Research Arm Pays $3.9M to Settle Data Breach,” Crain’s New York Business, March 18, 2016.
h. Monegain, B., “Catholic Health Care Services to Pay $650,000 HIPAA Fine for Business Associate Incident,” Healthcare IT News, July 5, 2016.
i. FDA, “Symbiq Infusion System by Hospira: FDA Safety Communication—Cybersecurity Vulnerabilities,” Safety Alert, fda.gov, July 31, 2015.