The Erie County Medical Center serves as the Level 1 trauma center for all of Western New York. The 550-bed hospital hosts the region’s HIV care and burn units, and is the teaching hospital for the University of Buffalo.
In the early morning hours of Sunday, April 9, 2017 — a quiet time of day when large hospitals like Erie County’s are nonetheless buzzing with activity — hackers infiltrated the medical center’s computer systems. The screens went blank, replaced by a pop-up message that read, “What happened to your files?” Hospital staffers could get their data back, the message said, but it would cost them: 24 bitcoin, the cybercurrency that, at the time, was equivalent to about $30,000.
Hospital leadership acted quickly. They determined that they wouldn’t pay the ransom. Instead, they shut down the entire computer system, following protocol that had been put in place for a massive power outage. Doctors, nurses and other staffers relied on more rudimentary systems such as pen and paper until they could get back online safely.
That didn’t fully happen until six weeks later. Rebuilding the network — and suffering from some lost revenues during the recovery period — cost the hospital nearly $10 million.
Erie County wasn’t a sitting duck. In fact, the hospital had recently undergone a risk assessment for cyberthreats and had tweaked different parts of its system to make them more secure. It had upgraded its cybersecurity insurance from a $2 million annual plan to $10 million. (That insurance means the hospital wasn’t on the hook for most of the recovery costs after the attack.) In terms of security, the hospital was actually rather advanced, says CEO and President Thomas Quatroche. “Our cybersecurity team said they would have rated us above-average before the attack.”
Many other hospitals across the country have been victims of a similar hack. MedStar Hospitals — a Washington, D.C.-based chain — was forced to shut down its computer systems for days after getting hit by a cyberattack in 2016. Princeton Community Hospital in West Virginia had to revamp its entire network after a global cyberattack hit its medical records system. Hollywood Presbyterian Medical Center in Los Angeles decided to pay the $17,000 its hackers requested after the hospital’s computers were taken over.
Ransomware in general has rapidly become an extremely lucrative operation: In 2015, according to FBI reports, cybercrime victims paid about $24 million to unlock their computers after an attack. By 2016, that number had hit $1 billion. Cyberattacks have become an omnipresent threat. High-profile hacks of companies from Equifax to Uber to Target to Sony Pictures have made it clear that all sorts of data are vulnerable. Credit scores, Social Security numbers, email addresses, credit card numbers. Everything.
But the health-care sector finds itself in a special predicament. Health data can be extremely valuable: National reports suggest that while credit card numbers can be sold by hackers for 10 to 15 cents apiece, a medical record can fetch between $30 and $500. “People don’t think of their health data with the same urgency they would their checkbook,” says LeRoy Foster, chief security officer at Advocate Health, an Illinois-based health system. “But if I get your health-care data, I get everything. I get insurance information, I get part of your financial info and your pharmaceutical information.”
At the same time, health-care systems are often complex and fragmented, and the health sector in general lacks the kind of across-the-board standardization that, say, the banking industry has. Experts say most hospitals and health systems are trying their best. But as the threats keep shifting, health IT has had to get more nimble — something it’s not very good at.
If the spotty, halting implementation of electronic health records over the past decade has taught IT experts anything, it’s that health data is uniquely tough to lock down. If the industry can’t figure out an easy way to get health records online, then it also isn’t going to be easy to create systems that secure the data. “There is no standard for what health records look like. Every single different health records system has a different format and process,” says Teri Takai, the former CIO of California and Michigan, as well as the former CIO for the Department of Defense. (Takai is now the executive director of the Center for Digital Government at e.Republic, Governing’s parent company.) Takai recalls working once for a small insurance company focused on Medicaid, and she says she was struck by how many small, regional health-care firms were out there, each with their own way of doing things. “There’s such fragmentation,” she says.
Part of that fragmentation comes from just how sprawling health care is. Under the giant umbrella of health care are insurance companies, Medicaid, thousands of hospitals, private practices and health departments — each holding different bits and pieces of a person’s medical history. That sprawling nature is why getting health data online at all has been a struggle. Today, more than 80 percent of doctors and more than 90 percent of hospitals use electronic health records, but that’s largely attributed to financial incentives from the Obama administration. And moving records online is only the beginning: A 2015 survey from the American Medical Association found that only 34 percent of providers were happy with their own electronic health records.
Health data also doesn’t lend itself well to standard security measures like automatic logouts and two-step verification. Doctors already complain that accessing relevant information when they’re in front of a patient can take more than 20 clicks of a mouse. Adding more onerous security measures would require extra time that doctors and nurses often don’t have. “You have hundreds of people who need to access things fast,” says Andrew Boyd, an assistant professor of health information sciences at the University of Illinois, Chicago. “You can’t have automatic logouts after 15 seconds — you’re adding several minutes to a procedure. If you put up too many barriers, that can hurt patients.”
Health practitioners complain that there’s been little help from government, particularly from Washington, to protect health-care systems and help them stay in front of emerging threats. “The federal government is really good at helping the financial sector” on cybersecurity, says Quatroche in Erie County. “There really is no support system from the feds for hospitals. It’s quite the opposite.” He adds, “There needs to be some recognition that we were victims of a crime.”
State legislatures are slowly trying to address cybersecurity needs. But their efforts usually aren’t targeted to health care, and policy experts say they need to do more. A bill introduced in Ohio in October would offer businesses a legal safe harbor from penalties of a breach, as long as they had some kind of cybersecurity program in place. That’s a good first step, because “a large number of breaches go unreported or unresolved simply because providers do not know what steps to take,” says Mitchell Parker, executive director of information security and compliance at Indiana University Health. ZDNet, a business technology news site, reported in 2013 that about half of data breaches go unreported. The New York Department of Financial Services last year mandated that all financial institutions must have in place a cybersecurity program approved by the state. That requirement wasn’t directly related to health care, but it’s an approach that a state health department could copy, says Thomas MacLellan, director of policy and government affairs at Symantec. During their annual meeting in August, members of the National Association of Insurance Commissioners discussed adopting New York’s policy for every state, although it would have to be approved by state legislatures first.
A good place for states to start is just making sure they fund cybersecurity insurance and training in public hospitals and health departments. More than a dozen states require cybersecurity insurance, though there is currently no national or legal standard for what the policies should protect. Having an adequate insurance plan is what allowed the Erie County Medical Center to weather its attack last year. “Is it burdensome? Yes,” Quatroche says. “But it’s the reality now.”
The problems can be especially acute for rural hospitals. Many of those facilities have been struggling financially for the past decade, with declining populations, sicker patients and more people relying on Medicaid, which doesn’t pay as well as private insurance. It’s tough to tell small hospitals to maintain a million-dollar cybersecurity insurance plan when they can barely keep their doors open as it is. The attack that blindsided Erie County could have decimated other medical centers that didn’t have the same resources, Quatroche says. “If you’re a rural hospital, that could have closed you.”
MacLellan says he encourages health systems to contract IT work offsite through a cloud system if they can’t afford to hire someone on their own. “After all, what business are you in? Are you in health care or are you in cybersecurity?” he says. “When you look at some of these smaller hospitals, can they afford to bring someone on, or should you contract it out?”
The stakes are high in any data breach. But health-care attacks can be particularly scary. Along with putting sensitive health records information at risk, hospital cyberattacks could impact doctors’ ability to deliver care to their patients. Delayed surgeries, postponed tests and canceled prescriptions are all very real threats. As technology continues to evolve, health experts say there’s a new looming concern: the security of medical devices. Hacking into insulin pumps or anesthesia machines or a whole host of devices could have extremely dire consequences. “Ransomware of patient data is one thing,” says MacLellan. “But imagine you get a text saying your pacemaker is being held ransom in exchange for 100 bitcoin.”
Ultimately, says Takai, it’s an issue of proper management. “This isn’t a technology problem, it’s a business leadership problem,” she says. “Think of it like a disaster plan. How would you recover? What will you tell people?”
And health-care departments can’t treat cybersecurity as an afterthought, says Boyd at the University of Illinois, Chicago. “There’s this permanent new cost that can be tempting to waive to balance a budget. But there will always be new threats,” he says. “Health-care IT needs to be a permanent line item.”
This story was originally published on Governing.