As a relentless swarm of successful cyber attacks severely disrupt companies in every industry and require enormous expenditures to repair the damage, what typically gets lost in the shuffle is that some industries are victimized more than others — sometimes far more. The corporate victim that almost always grabs this dubious spotlight is the healthcare industry — the second-largest industry in the U.S. and one in which hacker meddling of operations not only costs lots of time, money and operational downtime, but threatens lives.
The healthcare industry itself is partly responsible. In a seemingly admirable quest to maximize the quality of patient care, tunnel vision gives short shrift to other priorities, specifically cybersecurity.
In aggregate, healthcare organizations on average spend only half as much on cybersecurity as other industries. For this and other reasons, such as the unusually high value of stolen patient records on the black market, attracting extra-large flocks of hackers, hospitals especially find themselves in a never-ending cyber war zone. FortiGuard Labs, a major security protection firm, reports that in 2017, healthcare saw an average of almost 32,000 intrusion attacks per day per organization as compared to more than 14,300 per organization in other industries.
Some attacks are outright deadly. For example, MedStar Health, a huge, Maryland-based healthcare system, was severely incapacitated by a ransomware attack that made national headlines when, among other things, it threatened lives. Compromised by a well-known security vulnerability, MedStar Health was not only forced to shut down its email and vast records database, but was unable to provide radiation treatment to cancer patients for days.
Such trouble typically starts when a doctor or other healthcare worker is persuaded to open an email sent by an attacker and click a link or attachment that downloads malware to his computer, a so-called “phishing” attack. The attacker can then use this software to gain access to the healthcare organization’s financial, administrative and clinical information systems.
Attackers also can use the health network to spread into connected medical devices and equipment, such as ventilators, X-ray and MRI machines, medical lasers and even electric wheelchairs.
Any medical device connected to a network is potentially at risk from being taken over and exploited by hackers.
Compounding the threat are prevalent and vulnerable Internet of Medical Things (IoMT) devices, which integrate components and software from dozens of suppliers with minimal concern for security. Even individual patients can be targeted. A few years ago, former U.S. Vice President Dick Cheney’s doctors disabled his pacemaker’s capabilities because there were concerns about reports that attackers could hack such devices and kill the patient.
It’s a dire situation that must be addressed. Hospitals and other healthcare providers must practice better cybersecurity hygiene. For starters, healthcare organizations must improve the speed and thoroughness of software patching and update processes. As much as possible, organizations also need to use threat intelligence and automation, as well as institute cyber-awareness training programs to protect against social media attacks and other attack vectors.
As IoMT devices proliferate, more elaborate network segmentation and inspection is required. A segmented strategy enables organizations to institute checks and policies at various points of the network to control users, applications and data flow and to more quickly identify and isolate security threats. And on the network visibility front, healthcare organizations need more insight throughout the network, including the cloud.
Hospitals and other healthcare organizations must do a better job of protecting patient’s records, as well. Since the transformation from paper records to digitized Electronic Health Records (EHRs), records are commonly updated and then sent by doctors to specialists in other hospitals. The problem is that hospitals are not banks, where financial information is locked up and not shared. This unencrypted information is vulnerable to profit-hungry hacker attacks.
A solution to this is likely to be homomorphic encryption, an impressive technology that allows for the encryption of data-in-use and that has tremendous potential to lock down the most valuable medical information. Specifically, this technology can secure and protect sensitive medical records and personally identifiable information (PII), often the target of cyber thieves.
Notwithstanding the fact that data-rich healthcare records are worth more than 10 times a credit card on the black market,this would shut down the most aggressive “data-focused” hackers.
These improvements will not occur without substantial monetary investment and effort. It’s commendable that hospitals focus overwhelmingly on day-to-day quality of care, but times change, and they must look at their mission with a broader perspective. Because they fail to do so, hospitals typically pay up in almost non-stop ransomware attacks, minimizing the possibility of additional health threats while systems are down.
Among the obstacles that hospitals face in pursuing the path toward change is intensifying merger and acquisition activity in the healthcare sector. IT integration challenges, including different medical technologies, create additional vulnerabilities, as does the need to share information between newly merged organizations.
The reputation of and trust in healthcare organizations depends on their understanding of the true extent of threats and taking sufficient measures to guard against them. The healthcare industry has no choice but to improve its capabilities regarding security. Nothing short of our lives are at stake.