The scenarios are chilling: A busy hospital suddenly cannot use any of its electronic medical records or other computerized systems. The victim of a ransomware attack, the hospital will not regain access without paying those who locked down the records — if at all.
At another hospital, hackers find a way to connect to the software that controls IV pumps, changing their settings so they no longer deliver the correct doses of medication.
Cybersecurity experts say these are among the situations they worry about when they consider the health-care industry — which, with its reliance on technology and a wealth of data, is increasingly a target of cybercrimes.
“We have seen in recent years an escalation in the risk to health-care organizations from cyberthreats,” said Steve Curren, director of the Division of Resilience in the Office of Emergency Management, part of the U.S. Health and Human Services Department’s Office of the Assistant Secretary for Preparedness and Response. “Since 2014, we have had 10 distinct breach incidents of health-care organizations where the breach resulted in the compromising of more than 1 million patient records.”
And starting around 2016, attackers ramped up ransomware attacks against health-care systems. “That has been very disruptive,” Curren said, sometimes forcing hospitals to implement emergency procedures.
Ransomware attacks have “impacted health care directly,” said Monzy Merza, head of security research for Splunk, an enterprise software company. “There were several reports of UK hospitals unable to administer X-rays. The computer equipment attached to the X-ray machines was compromised and attacked by ransomware and rendered inoperable for some period of time.”
Experts say there are a number of reasons for the increased risk — and challenges, some unique to health care, in mitigating it.
“Cybersecurity is somewhat of a nascent discipline,” Merza said. “We’re still learning. Manufacturers are learning how to operate in this new world. The same is true for the operators and owners of these technologies, who are also learning what the best practices are and how to manage them.”
There are several reasons the health-care industry makes an attractive target for cybercrimes:
Lots of data. People launch cyberattacks for a variety of reasons, said Phyllis A. Schneck, managing director and global leader of cybersolutions for Promontory Financial Group, an IBM Company, and former chairman of the National Board of Directors of the FBI’s InfraGard program. Some are simply having fun; others are deliberately trying to destroy infrastructure. But a common reason is to steal intellectual property or personal information for financial gain. The health-care sector is “a resource-rich environment” for those looking for information due to the wealth of information health-care providers store: family history, medical history, financial information.
“There’s a street value to people’s personal information, and the health-care sector is an excellent source of it,” Schneck said. Trade secrets can also be sold for profit.
Health-care organizations also have a lot of information that can be valuable to those who want to commit health insurance fraud, Medicare fraud or identity theft, Curren said.
Ransomware attacks are yet another way to make money.
“A lot of the bang for your buck is in locking up the system: Send in malware that freezes all the computers in the hospitals, then say, ‘I’ll send the code to unlock this if you send money,’” said Deborah A. Levy, a retired captain with the U.S. Public Health Service and currently professor and chair of the epidemiology department at the University of Nebraska Medical Center’s College of Public Health. With the move toward electronic health records, the industry has become a bigger target.
Individual medical records may also be attractive if they include sensitive information about celebrities, for example, though in general there is less of a market for them.
Connections among diverse organizations. “The reason we’re seeing more of this now is because of the connectivity of networks and devices to the network,” Merza said. “There are clear advantages to connected devices — automation, information sharing, knowledge enrichment, contextualization. But with that network connectivity, you’re opening yourself up to attack.”
Organizations within the health-care sector also need to communicate with each other, so even if a large insurance company or hospital is able to secure its data, it may still be vulnerable when it shares connections with smaller organizations that have fewer resources for cybersecurity.
“We have a very diverse sector,” Curren said, ranging from large health insurance organizations with a lot of resources to very small clinical practices.
An open culture. “Health care has an open, sharing culture — as is appropriate to support its primary mission — but this culture also complicates the issues of security and privacy,” said the June 2017 Report on Improving Cybersecurity in the Health Care Industry, produced by the Health Care Industry Cybersecurity Task Force of the U.S. Department of Health and Human Services.
This means it has been harder for health-care organizations to secure their data than some other industries.
“They do not have really good security technologies and privacy policies in place,” said Niam Yaraghi, a nonresident fellow with the Brookings Institution’s Center for Technology Innovation and assistant professor of operations and information management at the University of Connecticut’s School of Business. “They are like the only house in the very affluent neighborhood that doesn’t have a security system.”
“The first and foremost mission of every health-care organization is to cure the sick and help the patient,” Yaraghi said. “If you’re being rushed to the emergency department, the first thing in your mind is, ‘I hope the physicians at this hospital are really good doctors.’ Whether they’re going to keep your blood pressure and drug allergies confidential — that’s not the first thing you care about. They are in the business of providing medical care to patients; they are not in the business of technology.”
The results of a breach for everyone involved in the health-care industry — hospitals, clinics, researchers and patients — can range from annoying to catastrophic.
Patients could be harmed or even die. Many people — both patients and health-care workers — could be inconvenienced by systems going down. And bad publicity could harm clinics and hospitals in areas where consumers have choices.
“It’s a competitive business — if a facility has gotten hit, that might influence where the public chooses to go,” Levy said.
Prevention is the best solution — but it, too, poses challenges. Experts offer these ideas for shoring up security to prevent or mitigate attacks:
Education and awareness. “In the past, it was much more challenging implementing cybersecurity features because people didn’t consider it a must,” said Idan Edry, CEO of Trustifi LLC. “They said, ‘I’ve never been hacked, nobody stole any of my information, so I’m fine.’”
Today, those on the front lines of using the more secure systems — including patients and medical professionals — are more aware of the importance of cybersecurity. Continued education will help ensure that the people who need to use the secure systems are on board.
Simplicity. The more complex a system is, the harder it can be to keep updated to guard against cyberattacks.
“Keep it simple: Don’t have too many disparate things where if you make one update it breaks everything else,” Schneck said. “The more hot, new devices that you have, the more openings you have.”
Backup systems. When cybersecurity systems fail to prevent an attack, good backups can make it easier to recover.
“In the case of ransomware, it’s important to have very good backups, so that when something is compromised, you’re able to get back up and running,” Merza said.
Emergency planning. Cybersecurity may be an emerging challenge, but emergency managers can tackle it by using strategies similar to those they use for other situations. “If a hospital gets disrupted by a cyberincident, it’s the same as if it was disrupted by a water main break or a tornado or anything else,” Curren said.
Constant vigilance. Both manufacturers and owners of devices bear some responsibility for preventing attacks. Users and operators should be prepared to follow best practices for installing and testing the updates.
“Start with the fundamentals,” Merza said. Manufacturers should be constantly evaluating bugs and vulnerabilities of their equipment and sharing that information with owners. “How quickly can manufacturers identify the problem, come up with the fix and distribute the fix to the users of those devices?”
Realistic regulations. Cybersecurity plans need to keep in mind the mission and culture of the health-care industry.
For example, it’s easy to say all operators should immediately install all patches. But “sometimes it is not feasible for any number of reasons,” Merza said. Government agencies that regulate the systems may be slow with their approval. “The regulatory space is not equipped today to handle the evolving nature of threats and the speed with which technological development is happening. There is an opportunity now for regulatory bodies to work with operators and manufacturers to understand the on-the-field requirements so people can implement them in a reasonable fashion.”
Healthy attitude toward risk. It’s easy to blame doctors for being reluctant to learn a new electronic medical record system, for example, or update their computers.
“Doctors are geniuses in how they figure out how to help people, but notorious for not being meticulous about cybersecurity,” Schneck said.
But it is important for those in charge of cybersecurity to keep the true goals of everyone who uses the systems in mind. Researchers need to be able to share information and produce new drugs. Health-care providers need to be able to exchange patient information. Some security measures may make it hard for health-care professionals to do their jobs. The key is to consider cybersecurity through the lens of risk management, Schneck said.
“It’s not the doctor’s fault that he is too busy and he thinks that he doesn’t have time for remembering a complicated password that cannot be hacked into, not the nurse’s fault that she is under so much pressure that she cannot read every email very carefully and figure out that it’s a phishing email,” Yaraghi said. “I do not blame physicians and people in the health-care industry at all.”
Cooperation. So many of the players in the health-care system are connected to each other — hospitals communicate with doctors’ offices, pharmacies and insurance companies, for example — that an attack on one entity with weaker security could threaten others.
“There’s a real strong sense developing in health care that we have to do this together, and we have to be committed to sharing information with one another to make this work,” Curren said. For example, hospitals need to notify each other of attempted attacks so other hospitals can prevent them.
In addition, a long-term solution would be for device manufacturers to “develop products and services that are hard to compromise,” Merza said. “The government, the manufacturers and the operators of these devices all really have to work together in the best interests of the public health-care population.”