By Alexander Grijalva, CISO, VillageCare
Healthcare’s cybersecurity problem is a half-century-old affliction that began with the first step toward digitization.
When hospitals introduced computerized systems in the late 1960s and 1970s, they also unwittingly exposed themselves to cyber threats. To cyber criminals, healthcare organizations were “no [longer] viewed as…sacrosanct institutions of mercy” and consequently not immune to computer crime, wrote Robert A. Hershbarger in 1977.
Some of the hospital information systems developed in the 1970s (such as the Dutch BAZIS system) incorporated high availability and strict access control requirements in their designs. The need to safeguard hospital information system software and hardware components—including the patient data stored in system databases—against unauthorized access and use (and computer crime) was understood.
Of course, the IT operational environment of the 21st-century healthcare industry is significantly larger, more complex, and more interconnected.
In the United States, the use of information technology is ubiquitous in a healthcare industry composed of over 119,000 entities, including:
- Long-term care facilities—65,000
- Independent pharmacies—22,000
- Urgent care centers—9,600
- Hospice care—4,300
- Freestanding emergency rooms—566
- Medical device companies—6,500
- Registered health insurance companies—5,600
This doesn’t include the numerous private practices, independent radiology centers, and state health information exchanges (HIEs).
If we add the number of U.S. physician office visits (883 million in 2016) and emergency department visits (130 million in 2018) to the equation, the impact of a cyberattack can be far greater and more frightening than anything imagined in the early years of healthcare’s digital transformation.
And while the attack surface of health IT has significantly grown, the weapons of choice have not really evolved. Malware and phishing emails remain the most popular and successful means of breaching healthcare organizations:
- Patient zero of Anthem’s 2015 data breach was the employee of a subsidiary who opened a phishing email with malicious content.
- The 2017 global WannaCry attack spread through an SMBv1 vulnerability in unpatched Windows computers (mostly Windows 7) for which Microsoft had released a critical security patch, MS17-010, two months before the attack; end-of-life Windows XP and Windows Server 2003 systems received an emergency patch only after the outbreak. The attack disrupted roughly a third of the U.K. National Health Service’s trusts in England, forcing cancelled appointments and diverted ambulances.
- New York’s Wyckoff Heights Medical Center and St. Lawrence Health System, and Pennsylvania-based Universal Health Services, Inc. (with over 400 acute care and behavioral health facilities across the United States), suffered crippling ransomware attacks in 2020. Security firm Mandiant told NPR that such attacks typically start as “corporate communications containing Google Docs and PDFs with malicious links.”
In response to the affliction of cyberattacks, numerous public and private partnerships have developed among healthcare organizations and with government agencies. There has never been a more cooperative and educational environment in health IT security.
Additionally, sophisticated security tools and services have come to the marketplace. However, these solutions—for example, endpoint detection and response (EDR) systems, cloud access security brokers (CASBs), and user behavior analytics (UBA)—are beyond the means of a multitude of healthcare organizations. And integrating them into existing security portfolios isn’t seamless.
However, responding to cybersecurity threats does not necessarily require sophisticated or expensive solutions. Several studies have estimated that basic, practical cyber hygiene can stop as many as 95% of cyberattacks.
Organizations like the Healthcare and Public Health Sector Coordinating Council Joint Cyber Security Working Group and the DHS Cybersecurity and Infrastructure Security Agency have promoted cyber hygiene in the healthcare industry. Their recommendations include:
- Using strong passwords.
- Employing anti-virus software.
- Backing up critical data.
- Ensuring computer operating systems are regularly patched.
- Training employees and raising their security awareness.
Add to this mix multi-factor authentication, which Microsoft 365 and Google G Suite (now Google Workspace) customers can enable at no extra cost.
Nevertheless, much like healthcare clinicians’ struggle with hand hygiene compliance, the adoption of basic cyber hygiene is seemingly poor in the industry.
The Ponemon Institute’s sixth annual study, “Privacy & Security of Healthcare Data,” found that many healthcare organizations and business associates didn’t have the financial or human resources to address cybersecurity threats, even threats that stem from preventable mistakes.
The study, however, also found that many of the participants were “negligent in the handling of patient information.” Half of the participants said they weren’t attentive to ensuring that partners and third parties safeguarded patient information.
Non-compliance with even basic cyber hygiene carries considerable risk. Successful and disruptive cyberattacks may increase clinicians’ reported stress levels when using health IT systems, leading to underutilization or even the cessation of further technology investments. There are already public reports of clinicians lacking confidence in electronic health record systems because of design flaws that have allegedly led to patient deaths and other adverse health outcomes.
The public’s confidence in health IT systems is also at risk. Taxpayer-funded incentives to use technology to efficiently manage patient care, reduce medical errors, produce better health outcomes, and effectuate cost savings could be questioned if health IT systems are unreliable and easily disrupted by cyberattacks.
Despite continuing and significant challenges with health IT interoperability, healthcare services are coordinated (perhaps sometimes haphazardly) using a web of interconnected IT systems and devices that involve explicit and implicit data sharing agreements. Often the contractual and technical relationships and data flows between parties aren’t clear. Consequently, the risks and security gaps of one party can be shared by all, sometimes unknowingly.
The specter of cyber threats is clearly not new. It has been the monster in the closet and under our beds for over 50 years.
Obviously, cyber criminals have never hesitated to attack healthcare institutions. They have not cared that crippling a hospital—including safety net hospitals that serve the uninsured and low-income communities—may risk lives. They have not cared that stealing and selling the records of a breast cancer research project and registry can adversely affect the lives of hundreds of thousands of women.
Cyber criminals are a malady that targets all the organs of the healthcare system. No organization is immune. And successful cyberattacks can have residual effects with no effective treatment. But the industry has acquired the knowledge—painfully and traumatically—that can protect all tiers of the healthcare system, albeit not completely.
We know that 95% of cyberattacks can be prevented if healthcare organizations—no matter their size or role—implement and adhere to basic cyber hygiene practices.
And we know that it is important that clinicians and the public have faith in the reliability and availability of the systems used to provide and manage care.
More importantly, we know that lives are literally at risk if we all don’t do a better job of safeguarding health IT systems.