Hackers see too many hospitals and other healthcare facilities the way a car thief sees a parking lot full of unlocked vehicles.
How pervasive is the cybersecurity problem in health care? A Ponemon Institute study found that in the previous two years, 89% of healthcare organizations had dealt with data breaches, and 79% had had two or more. Most, the study found, were the result of criminal attacks.
For a variety of reasons, healthcare facilities are a comparatively easy target, and a very attractive one. As John Halamka, the chief information officer of Boston’s Beth Israel Deaconess Medical Center in Boston, puts it, “If you’re a hacker, you’re going to go where the money is and the safe is the easiest to open.”
But they don’t have to be that easy. There are steps organizations can and should take to effectively lock the doors and take the keys.
Health care is a popular target for three reasons, says the Harvard Business Review:
- Healthcare data is sure money. Medical information can be used to steal identities or create fake ones. And a complete medical record — one that includes a Social Security number, a driver’s license, credit card details, health plan information and prescriptions — can fetch as much as $1,000 on darknet sites, say experts. If nothing else, data can, and often is, used for extortion — a way to force organizations to pay ransom to regain access to their compromised and encrypted data.
- Health care has lagged behind other industries in taking steps to secure data. Many medical staff members still don’t understand the risks, and healthcare organizations tend to devote fewer resources to cybersecurity than do other industries. A 2017 survey by the Healthcare Information and Management Systems Society found that nearly three-quarters (72%) of healthcare organizations dedicated only 6% or less of their budgets to cybersecurity, and shockingly, well over a third (40%) dedicated 2% or less.
- Other industries, most of which devote much greater resources, have gotten better about detecting and blocking cyberattacks, forcing criminals to look for new sources of data.
One result of the scant attention paid is that healthcare organizations simply haven’t kept up with security demands. Last year’s devastating WannaCry 2.0 attack could have been largely thwarted by a security patch released by Microsoft several months earlier. But many providers were still using devices that hadn’t been updated.
At Banner Health, which operates 29 hospitals in Arizona, hackers managed to access millions of healthcare-related records by getting in through the hospitals’ food and beverage outlets. Those, of course, should have been controlled by a completely separate network.
And there are plenty of low-tech issues, too. Ransomware typically finds its way to victims in three ways, according to the Center for Internet Security: phishing emails that contain malicious attachments; malicious links opened by unwitting users; and viewing of advertisements that contain malware.
More “Things” to worry about
The increasing number of devices and objects connected to the Internet — the so-called Internet of Things — compounds the challenge for healthcare providers, since each is another potential access point for hackers.
“On average a hospital bed has about 10 to 15 medical devices connected to it at one time,” says Maryanne Woo, a partner at the Reed Smith law firm. “They all need to be able to talk to each other. They all need to be able to share data, share information.”
But that interoperability may be achieved at the expense of security. “If someone from the outside can hack into the MRI machine, hack into the X-ray machine, or can hack into your blood gas analyzer — because none of them are set up to detect malware — then they can go anywhere into the hospital,” says Ms. Woo.
That challenge, she says, has gotten the attention of the FDA, which is increasingly focused on potential hackability in its approval process for medical devices.
Most users know and understand basic precautions, like keeping operating systems up-to-date, using strong passwords, employing anti-virus and anti-spam applications, and regularly backing up data. Still, it’s a good idea to require training for personnel to helps ensure they won’t fall prey to phishing schemes, or open malicious attachments.
But instead of fighting the same battles in the same ways to try to stay ahead of hackers, organizations should consider fortifying themselves with newer, more sophisticated approaches, such as behavior analysis, tokenization and, perhaps down the road, biometric-based security.
Behavior analysis strengthens security by establishing user patterns and flagging behavior that deviates from the usual, such as logging in from a new location or accessing parts of a system the user doesn’t normally go to. Flagged users may be required to provide further authentication or even get booted from the system until a system administrator can investigate and allow access.
With tokenization, data is stored in the databases of third-party providers, instead of in the systems of healthcare providers. Its big advantage is that it isn’t reversible. As opposed to encrypted data, which can be cracked if a hacker gets his hands on the encryption key or somehow determines the algorithm used to create it, “tokens” are randomly generated and irreversible, so they’re worthless to hackers.
Biometric-based security, which relies on identifying users via unique personal characteristics such as voice patterns, fingerprints, or patterns of the iris or retina, is currently being tested and may turn out to be the ultimate safeguard for medical data.