“First, do no harm.”
The Hippocratic Oath is the North Star of medical treatment, guiding doctors to properly diagnose illness and injury, pursue the correct treatment, and prescribe the appropriate medication. But what about the harm that may come to patients whose medical records wind up on the “dark web”? How is patient care threatened when hospitals can’t access records because of a ransomware attack?
While the industry has made impressive advances in diagnosis, treatment, and prevention of countless physical maladies in recent years, there is still work to be done on healthcare’s cybersecurity posture.
In order to prioritize cybersecurity, it’s important to understand how systems have evolved, the unique challenges within the healthcare industry, and how to integrate security with patient wellness in 2020.
While other industries have kept pace – even set the pace – when it comes to securing sensitive data, healthcare has fallen behind. There are several reasons for this. One is that health data is highly valuable, and is, understandably, a primary target for cybercriminal activity. Second, healthcare’s top priority has always rightly been patient care, so the focus is on hiring clinicians and investing in medical devices to aid patient care instead of dedicating additional resources to security teams. Many smaller and far-flung regional facilities have simply lacked the resources and infosec staff to follow well-established security best practices to protect their environments from serious threats. But the greatest challenge is the sheer number of healthcare staff, dozens in many cases, who can access a patient’s sensitive data. Because cybercriminals attack those with privileged access to sensitive documents, this presents an enormous attack surface.
And attack them they have. In just the first six months of 2019, there were 27 notable hospital and health system data breaches. Thirty-six percent of health institutions were unable to deliver patient care for at least five hours because of a cyberattack, according to a 2019 AMA Accenture Medical Cybersecurity Survey. Twelve percent required 1-2 days to get up and running. Four percent required more than 48 hours.
Most devastatingly, a recent study now draws a correlation between hospital downtime and actual patient deaths. Researchers at Vanderbilt’s Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and examined patient mortality rates at more than 3,000 Medicare-certified hospitals. Their findings showed that up to 36 additional deaths per 10,000 heart attacks occurred annually at facilities that had suffered a data breach in prior months. The additional deaths were attributed to hospitals spending time remediating the attack they had just experienced to the detriment of heart attack patients who were forced to wait 2.7 minutes longer for medication and EKGs. This is a dangerous and unsustainable violation of the Hippocratic Oath.
Not All Doom and Gloom
In more positive news, the percentage of insured Americans has increased in recent years. This helped usher in a focus away from “sick care” toward “wellness,” or preventive medicine. Instead of just reacting to illnesses, healthcare institutions seek to prevent them, whenever they can. Flu shots are a good illustration of this. By making simple lifestyle changes, patients can often avoid leading causes of death like heart disease and stroke.
Increasingly this holistic approach to patient wellness is being supported through healthcare cybersecurity efforts. By extension, in 2020 protecting patient data must now be considered a core component of patient safety. Anything less can expose patients to possible identity theft and blackmail – even bankruptcy. This would hardly constitute patient wellness and clearly violates the “do no harm” principle.
In addition to the obvious medical benefits, prioritizing cybersecurity saves healthcare providers millions of dollars a year by preventing lawsuits, deterring ransom payments, remedying data breaches, and avoiding downtime. Moreover, prioritizing cybersecurity improves patient safety.
So how can healthcare systems avoid these crippling attacks in the first place? After all, providers never want to re-route critically ill patients, delay lifesaving surgery, or provide substandard care because they’re trying to get computer networks up and running again.
To protect against advanced threats, it’s critical to understand where they’re coming from. Here’s what we do know: 93 percent of advanced cyberattacks arrive via email. They are typically targeted at specific individuals with specialized access to sensitive data. We call these people Very Attacked Persons, or VAPs. While VAPs have gotten better at identifying phishing emails in recent years, they still have their work cut out for them. When surveyed as part of the 2019 HIMSS Cybersecurity Survey, 25 percent of hospitals/healthcare centers had click rates above 10 percent. Perhaps more frightening: 20 percent of hospitals/healthcare centers had no idea what their click rate was, and 10 percent do no penetration testing.
Here is an example of the top Very Attacked Persons (VAPs) in a hypothetical organization, broken down by category:
This is quite a broad swath of people to potentially target. But as we’ve learned, a broad swath of people can access health records.
When the cyberthreats arrive (almost always in an email directed at one of these categories), they still require the receiver to execute them to launch the attack. This might take the form of sending login credentials, clicking on a malicious link or sending patient records. Once the attacker has gained access, the real damage occurs.
Treatment in 2020
To defend against these threats, hospitals and healthcare facilities need to understand who within their organizations is being targeted and invest in a dedicated advanced email security gateway with data loss prevention (DLP) to stop threats from reaching these people in the first place. This solution should enforce strict cybersecurity policies that let administrators know if, when, and how data is being exfiltrated. Because attacks are overwhelmingly aimed at specific people, it’s crucial to conduct security awareness training for every staffer with access to medical records. Employee training will empower users to recognize and report suspicious emails and give them actionable steps to take should one get through. Finally, facilities should deploy DMARC email authentication and lookalike domain defenses to protect against today’s people-centric attacks.
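Two of the controls above, DMARC and lookalike domain defenses, can be checked mechanically. The following is an added example, not code from the article or from any vendor: it grades a DMARC TXT record by how much it actually enforces (a record with `p=none` only reports and blocks nothing), and flags sender domains that imitate a trusted domain through character swaps or a one-character edit. All domain names and DMARC records are constructed for illustration.

```python
# Added example (not the article's code): grade a DMARC record and flag lookalike sender domains.
SAMPLE_RECORDS = {  # constructed DMARC TXT records for two hypothetical hospitals
    "weak-hospital.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak-hospital.example",
    "strong-hospital.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong-hospital.example",
}

def parse_dmarc(txt):
    tags = {}  # 'tag=value; tag=value' -> dict; tag names are case-insensitive
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_verdict(txt):
    """Classify how much protection the record gives against spoofing of the domain."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return "missing"        # no usable record: receivers apply no policy at all
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"   # reports arrive, but spoofed mail is still delivered
    if int(tags.get("pct", "100")) < 100:
        return "partial"        # policy applied only to a sample of failing messages
    return "enforcing"

HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # common imitation swaps

def fold_homoglyphs(label):
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    prev = list(range(len(b) + 1))  # Levenshtein distance, row-by-row dynamic programming
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_domain, trusted_domains):
    """True when the sender is not a trusted domain but imitates one."""
    sender = sender_domain.lower()
    return sender not in trusted_domains and any(
        fold_homoglyphs(sender) == fold_homoglyphs(t) or edit_distance(sender, t) <= 1
        for t in trusted_domains)
```

In practice the record would be fetched from the `_dmarc.<domain>` TXT entry in DNS, and the trusted set would hold the hospital's own domains and those of its regular partners.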