In February, Hollywood Presbyterian in Los Angeles paid a $17,000 ransom in bitcoin to hackers after they infected the hospital’s computer system with malware. The attack prevented hospital staff from being able to communicate through their computers, forcing them to rely on pen and paper for their recordkeeping until the hospital paid the hackers for the decryption key that unlocked the affected systems.
In March, hackers requesting a ransom infiltrated the network of 10 MedStar hospitals in the Washington, D.C., area, crippling its IT infrastructure. Employees were unable to access emails or look up digital patient records, and some patients had to be turned away.
More recently, in May, Wichita-based Kansas Heart Hospital was the victim of a ransomware attack. After it paid the initial ransom, the attackers weren’t satisfied, demanding a second payment to decrypt files.
These are just some of the latest examples of healthcare facilities that have fallen victim to hackers. And cybersecurity experts say they won’t be the last.
Due to the proliferation of the Internet of Things (IoT)—the connection of every device with an on and off switch to the internet—and hospitals’ increasing reliance on connected devices, healthcare facilities are more vulnerable than ever to cyberattacks.
Connected devices help provide better care. Some allow pharmacists to research patients’ allergies or other drugs they’re currently taking before dispensing pharmaceuticals; others let nurses scan patients’ wristbands before administering medication. However, because hospitals have become dependent on electronic systems to coordinate care, communicate important information and avoid medical errors, there’s more than information at stake when a data breach occurs. Patient safety and lives are also on the line.
Gartner Inc., an IT research company, reports that more than 6.4 billion devices will be connected worldwide by the end of 2016, up 30 percent from 2015, and more than 20 billion by 2020. When it comes to the IoT for healthcare, networked devices such as wearable sensors and home monitoring systems designed to collect medical data can create dangerous scenarios if cybersecurity isn’t sufficiently strong.
“Those devices and the software that runs them are vulnerable to hackers,” says Jason Smolanoff, co-president of CISO Advisory and Investigations, an information security, risk management and investigative firm in Los Angeles. “A few years ago, the outcome of a computer intrusion was a data breach. But now, because of the Internet of Things, there can be physical, real-world business, health and safety impacts.”
“In the healthcare sector, it’s a common misconception that the only data that needs safeguarding is PHI, or protected health information,” says Doug Styler, vice president of Product Development and Operations at HealthTrust. “Hackers will steal whatever they can get their hands on and figure out if it’s valuable later. Whatever is not protected is a target.”
Health and Mobile Devices
The Office of the National Coordinator for Health Information Technology (ONC) offers seven ways to strengthen security of health information when using a mobile device.
Whether you’re at a large health system or a smaller hospital, and whether your devices are corporate or privately owned, discuss the following suggestions with your IT department to ensure these ideas are in line with company-mandated cybersecurity precautions.
- Use a password or other user authentication: A mobile device can be configured to require a password, personal identification number (PIN) or passcode to gain access to it. The password, PIN or passcode field can be masked to prevent people from seeing it.
- Install and enable encryption: Encryption protects health information stored on and sent by mobile devices. Mobile devices can have built-in encryption capabilities, or you can buy and install an encryption tool on your device.
- Install and activate remote wiping and/or remote disabling: Remote wiping enables you to erase data on a mobile device remotely. If you enable the remote wipe feature, you can permanently delete data stored on a lost or stolen mobile device.
- Disable and do not install or use file sharing applications: File sharing is software or a system that allows internet users to connect to each other and trade computer files. But file sharing can also enable unauthorized users to access your laptop without your knowledge.
- Keep your security software up-to-date: When you regularly update your security software, you have the latest tools to prevent unauthorized access to health information on or through your mobile device.
- Research mobile applications (apps) before downloading: A mobile app is a software program that performs one or more specific functions. Before you download and install an app on your mobile device, verify that the app will perform only functions you approve of. Use known websites or other trusted sources that you know will give reputable reviews of the app.
- Maintain physical control: The benefits of mobile devices—portability, small size and convenience—also present a challenge for protecting and securing health information. They’re easily lost or stolen, and they also carry a risk of unauthorized use and disclosure of patient health information. Limit unauthorized users’ access, tampering or theft of your mobile device by physically securing the device at all times.
This story first appeared in the Q3 2016 issue of The Source magazine.
Types of Attackers
Cybersecurity experts typically encounter four major types of cyberattackers who target healthcare facilities:
- Organized cybercriminals. In this form of organized crime, the offenders steal information in order to monetize it. They may use ransomware, a type of malware that rapidly encrypts files and locks up a system when a user clicks an email link, says Scott Augenbaum, FBI special agent and cybercrime supervisor in the FBI’s Memphis, Tennessee, division. At that point, the thieves demand a ransom payment before they’ll unlock the system.
- “Hack”-tivists. These attacks, which can take a variety of forms, are performed by people with a social agenda. A hacktivist group might disagree with a position taken by hospital administration, for instance, or want to show that so-called private data is in fact accessible.
- Dishonest and honest insiders. Employees who feel wronged by their organization may choose to wage an “insider” attack. In many cases, they attempt to steal information in order to monetize it or with the intent to damage their employer. However, honest employees can also cause a breach in security, says Joey Tamboli, associate director of Information Security at HealthTrust. “Hackers manipulate honest insiders by sending them a malicious email with a link or document that when opened installs malware or locks up their computer. This is a common type of social engineering manipulation.”
- Intellectual property thieves. Though they’re a less common category of hacker, foreign governments or companies have been known to sponsor cyberattacks in the name of intelligence gathering. “Instead of doing their own research and development, some nations try to steal U.S. companies’ intellectual property,” Tamboli says.
How to Protect Against Cyberattacks
As cyberattacks become more sophisticated, providers must become more aware of the threats and better prepared to deal with potential damages. “The bad guys know how to manipulate the system to take security out of the equation,” Tamboli warns.
Phishing scammers, who aim to steal personal information like Social Security or credit card numbers, don’t even need sophisticated technology to be successful; they simply pose as a reputable company or individual. Look closely, though, and there might be just one small difference between their email address and the real one they’re trying to imitate. “A phishing email can easily bypass your anti-virus software,” Tamboli says. “That’s why everyone has to be aware of the tactics. Bad guys only have to be right once.”
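The “one small difference” in the sender address is something a mail gateway or SOC triage script can test for mechanically. As an added example (not code from the article or from HealthTrust), the Python below scores a From: header against a small allowlist of trusted domains: exact match, homoglyph folding (rn for m, 1 for l, 0 for o), an edit distance of one or two characters, a trusted name embedded in a longer domain, and a display name that claims a trusted brand from an unrelated address. The trusted domains, sample headers and thresholds are constructed for illustration and belong to no real organization.

```python
"""Flag sender addresses that are near-misses of domains we trust.

Added example for illustration; the trusted domains, sample From: headers
and thresholds below are constructed and belong to no real organization.
"""
import re
from email.utils import parseaddr

# Constructed allowlist of domains that legitimately send mail to staff.
TRUSTED_DOMAINS = {"healthtrust.example", "mercyclinic.example"}

# Character groups that look alike in many fonts; multi-character ones first
# so that "rn" is folded before the single characters are touched.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample headers, as a gateway or triage script would see them.
SAMPLE_HEADERS = [
    "IT Help Desk <helpdesk@healthtrust.example>",       # genuine
    "IT Help Desk <helpdesk@healthtrust.exarnple>",      # rn for m
    "Pharmacy <orders@hea1thtrust.example>",             # digit 1 for l
    "Billing <billing@healthrust.example>",              # one letter dropped
    "Security <alerts@healthtrust-it.example>",          # trusted name plus a suffix
    "HealthTrust Security <alerts@mail-secure.test>",    # brand in display name only
    "Newsletter <news@publisher.test>",                  # unrelated, not spoofing us
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse look-alike character groups."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, domain); verdict is trusted, lookalike, brand-spoof or unknown."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalize(trusted)
        if folded == t:                     # differs only by homoglyphs
            return "lookalike", domain
        if levenshtein(folded, t) <= 2:     # a typo or two away from a trusted domain
            return "lookalike", domain
        label = t.split(".")[0]             # trusted name reused inside another domain
        if label in folded and folded != t:
            return "lookalike", domain
    # Display name carries a trusted brand but the address is not one of ours.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    words = set(re.findall(r"[a-z0-9]+", display_name.lower()))
    if words & brands:
        return "brand-spoof", domain
    return "unknown", domain


def scan(headers):
    """Classify every header; returns a list of (header, verdict, domain)."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, domain in scan(SAMPLE_HEADERS):
        print(f"{verdict:11s} {domain:28s} {header}")
```

Anything other than “trusted” is a candidate for quarantine or a banner on the message; the edit-distance threshold is deliberately small so that unrelated short domains do not collide with the allowlist.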
The information security systems of healthcare facilities are starting to become more robust than other industries, such as banking and technology, Smolanoff says.
“Most hospital systems understand that they are not just protecting data, but they are also protecting the health and safety of their patients by mitigating cybersecurity risks.”
Traditionally, the task of safeguarding system data has fallen to the IT department, but the greater risks presented by the IoT require a different approach. Smolanoff says hospitals should adopt an information security strategy based on an “assumption of breach;” in other words, operate as if an attacker will find and exploit network vulnerabilities given enough time and resources.
A strong top-down governance structure is the most important component of a successful security strategy, says Smolanoff, who recommends that facilities form multidisciplinary information security teams composed of representatives from management, patient care and IT security.
“A strong governance structure should oversee and guide the operations of the hospital and the technical controls,” he says. “Many facilities do the opposite. They start with technical controls, and sometimes governance comes out of it. This is the primary reason attackers are successful.”
Once hospital leadership is on board and prepared to support cybersecurity efforts, hospital IT or a multidisciplinary team should perform a risk assessment to identify potential threats.
“If you don’t understand what the threats are and what your risk is, you could never formulate a workable strategic plan,” Smolanoff says.
After performing a risk assessment, hospitals must develop sound strategies to combat potential breaches. The FBI’s Augenbaum recommends implementing two-factor authentication, which requires users to present two independent proofs of identity before signing onto a network (for example, a password plus a one-time code from a phone app or hardware token), so that a stolen or phished password alone is not enough to log in. Hospitals can also implement proven security frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Critical Security Controls (originally developed by the SANS Institute and now maintained by the Center for Internet Security), a set of 20 actions for cyberdefense that provide specific, actionable ways to deter potential cyberattacks.
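As an added example, not code from the article or from any product it mentions, here is the second step of such a login: verifying a time-based one-time code (RFC 6238 TOTP, the scheme behind most authenticator apps) in Python using only the standard library. It tolerates one 30-second step of clock drift in either direction and refuses to accept a code for a time step it has already accepted, which closes the obvious replay window. The shared secret is the RFC 6238 test vector; the clock values and the in-memory record of the last accepted step are constructed for illustration, and the password check that precedes this step is assumed to happen elsewhere.

```python
"""Second factor of a two-factor login: verify an RFC 6238 time-based one-time code.

Added example for illustration. The secret is the RFC 6238 test vector; the clock
values and the in-memory last-step record are constructed. The password (first
factor) is assumed to have been checked before verify() is called.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # TOTP time step
DIGITS = 6          # code length shown by the authenticator app
WINDOW = 1          # accept one step before/after "now" to absorb clock drift

# RFC 6238 test secret, ASCII "12345678901234567890", in the base32 form apps import.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


class SecondFactor:
    """Verifies a user's TOTP and never accepts the same time step twice."""

    def __init__(self, base32_secret: str):
        self.secret = base64.b32decode(base32_secret.upper())
        self.last_step = -1   # highest time step already used for a successful login

    def verify(self, code: str, now=None) -> bool:
        """True if code matches a step in the window that has not been used before."""
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        now = time.time() if now is None else now
        current = int(now) // STEP_SECONDS
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step <= self.last_step:      # replayed, or older than one already accepted
                continue
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    sf = SecondFactor(DEMO_SECRET_B32)
    code = totp(sf.secret, 59)                     # what the app would display at t=59
    print("code at t=59:", code)
    print("first use accepted:", sf.verify(code, now=59))
    print("replay rejected:   ", sf.verify(code, now=70))
```

In production the last accepted step must be stored per user in the same place as the secret, and the secret itself should be encrypted at rest; an attacker who can read it can mint codes at will.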
Whatever path is taken to strengthen information security, Tamboli underscores the importance of setting up multiple layers of security. “If one layer fails, another layer will hopefully catch the breach. The attacker might get past one of the layers, but he’ll have many others to contend with.”