Healthcare Cybersecurity on Life Support / Could Raise Your Blood Pressure

It has been a rough first quarter of 2018 for the healthcare industry when it comes to cybersecurity. January kicked off with several high profile SamSam ransomware attacks on hospitals and EHR provider Allscripts, bringing computer systems down and forcing hospitals and practices across the nation back to pen and paper.
Last year was also a bad year for healthcare cybersecurity, with a 211% increase in disclosed cybersecurity incidents compared to 2016. Most of those incidents occurred because organizations failed to implement cybersecurity best practices or to address known vulnerabilities. Recent data breach statistics also say that 70% of healthcare organizations around the world have experienced a data breach.
Hackers Love the Healthcare Industry
Healthcare suffers more cyber-attacks than any other industry, with twice as many incidents as the second-place industry (education). In fact, healthcare has been the most attacked industry since 2015. Healthcare accounted for more than 23% of total data breaches in 2017, with more than 5 million patient records compromised.
Hackers have realized how much the modern medical practice relies on its computer systems and how valuable they are. High profile payments such as the $17,000 paid by Hollywood Presbyterian Hospital or, more recently, the $55,000 paid by Hancock Health only reinforce the message to hackers that if they hit the right healthcare facility and cause enough disruption, they are likely to be rewarded with a payout.
Because healthcare organizations tend to fall behind on patching and keep running older hardware and systems, 71% of successful attacks exploited vulnerabilities that had been known for at least three months. Additionally, many practices continue to use default usernames and passwords or shared computer accounts, which makes the industry attractive to attackers looking for easy wins: a shared account also makes it impossible to tell from the logs which person (or which attacker) did what.
Lethal Effect of Bad Cybersecurity
Dr. Sung Choi, a researcher at Vanderbilt University’s Owen Graduate School of Management, has found that 2,100 deaths can be linked to hospital data breaches and a lack of cybersecurity protections. The reason is that breaches “trigger remediation activities, regulatory inquiries and litigation in the years following a breach…” and these activities affect the performance of the facility, leading to quality-of-care issues.
Consider the large-scale ransomware attack on Hollywood Presbyterian Medical Center in Los Angeles in February 2016, which brought its computer systems down for weeks: at the worst point of the attack, the hospital had to divert ambulances and even transfer patients to nearby medical facilities for treatment. When WannaCry ransomware hit 16 hospitals in May 2017, at least one facility had to cancel 10 scheduled operations due to computer system outages.
Add to this the risk of hacked medical internet of things (IoT) devices delivering incorrect drug dosages from automated pumps or causing irregular heartbeats in pacemaker patients. It sounds like the plot of a Hollywood thriller, but these are unfortunate realities in today’s connected world.
Ransomware Woes
Healthcare continues to be the favored industry for ransomware attacks, accounting for 45% of ransomware attacks in 2017. The recent attacks with SamSam ransomware are particularly concerning because SamSam is not spread by email attachments: the attackers first break into the victim’s network (typically through exposed remote desktop services or unpatched internet-facing servers), move around inside it, and then deploy the ransomware by hand. This means that the attacker(s) who held Hancock Health, Allscripts, the Colorado Department of Transportation and, most recently at the time of writing, the City of Atlanta, Georgia to ransom had remote access to the computer systems of all of those organizations before the encryption started.
But it is not just the recovery of data after a ransomware attack that should concern healthcare practices; there is also a compliance concern. According to guidance published by Health and Human Services in 2016, a successful ransomware attack is considered a HIPAA breach because “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”
The burden of demonstrating that there is a low probability the ePHI was compromised falls on the healthcare provider, who must conduct and document a risk assessment that considers at least:
“1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. the unauthorized person who used the PHI or to whom the disclosure was made;
3. whether the PHI was actually acquired or viewed; and
4. the extent to which the risk to the PHI has been mitigated.”
The middle two points are often the hardest to establish and require extensive, costly forensic investigations by certified professionals. Additionally, forensic investigation requires that the affected computers not be wiped or reverted from their compromised state before evidence (disk images, memory, logs) has been preserved. Salina Family Healthcare Center in Kansas found that dealing with its ransomware infection too quickly, and failing to preserve at least one infected computer, left it unable to show that the ePHI had not been breached.
An all too common and dangerous misconception is that the hackers behind ransomware attacks only target large medical facilities. Unfortunately, that is simply not true: there have been successful ransomware attacks on many small practices, compromising the data of hundreds to thousands of current and former patients.
The Medical Internet of Things (IoT)
The advancement of technology in the medical field is astounding. With technology has come the benefits of better efficiency and accuracy but as we have come to know all too well, when it comes to technology, anything that can be hacked, will be hacked.
There have been demonstrations of devices being hacked to change medication levels in insulin pumps, of pacemaker functions being altered, and of devices being taken down by ransomware, which shows that hackers are approaching medical IoT devices from multiple angles. While it may be an inconvenience to have your favorite website shut down by a cyber-attack, or to have your credit card information stolen in a data breach, medical IoT threats are different because they can have real-life, physical repercussions, a far greater and more lethal risk than any other cyber-threat. And a compromised medical IoT device threatens not just the device and the patient’s life; it can also give hackers a foothold on the entire medical facility’s network.
Medical IoT devices can be more difficult to protect because they do not run on standard computers: they typically run vendor-controlled embedded operating systems that the facility cannot patch itself or load antivirus or other endpoint agents onto. In fact, bad user practices led to 41% of medical IoT security issues in 2017, where something as simple as hardening the devices themselves by changing the default username and password could have averted the issue. But the best way to protect medical IoT devices is to protect the network they reside on: put them on their own network segment, allow only the connections each device class actually needs (for example, a pump talking to its management server), block everything else, and monitor the segment so that you notice when a device, or something pretending to be one, talks to a system it should not.
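One way to check that such a segment really is isolated is to run the facility’s flow records (from the firewall or a NetFlow collector) against the intended allow-list and report everything that does not fit. The script below is an added example, not code from the original article or from any vendor: the VLAN ranges, the hypothetical pump management, HL7 and NTP servers, the ports and the flow log are all constructed for illustration.

```python
"""Check observed network flows against a medical-device segmentation policy.

Added example, not code from the original article. The VLAN ranges, server
addresses, ports and the flow log below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed layout: medical devices (pumps, monitors) sit on their own VLAN.
DEVICE_VLAN = ipaddress.ip_network("10.20.0.0/24")

# Allow-list of (destination, port) pairs a device may initiate a connection to.
# Hypothetical servers: pump management (HTTPS), HL7 integration engine, NTP.
ALLOWED_OUTBOUND = [
    (ipaddress.ip_network("10.10.0.5/32"), 443),
    (ipaddress.ip_network("10.10.0.6/32"), 2575),
    (ipaddress.ip_network("10.10.0.10/32"), 123),
]

# Only the (hypothetical) management server may open connections *into* the
# device VLAN; clinical workstations browsing to a pump's web UI is a violation.
ALLOWED_INBOUND_SOURCES = [ipaddress.ip_network("10.10.0.5/32")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow_log(text):
    """Parse constructed lines of the form: <timestamp> <src> <dst> <dport> <proto>."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def classify(flow):
    """Return None if the flow complies with policy, otherwise a short reason."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    src_in, dst_in = src in DEVICE_VLAN, dst in DEVICE_VLAN
    if src_in and dst_in:
        # Pumps have no business talking to each other; this is a lateral-movement path.
        return "device-to-device traffic"
    if src_in:
        if any(dst in net and flow.dport == port for net, port in ALLOWED_OUTBOUND):
            return None
        return f"device reached unapproved destination {flow.dst}:{flow.dport}/{flow.proto}"
    if dst_in:
        if any(src in net for net in ALLOWED_INBOUND_SOURCES):
            return None
        return f"unapproved host {flow.src} connected into device VLAN"
    return None  # neither side is a medical device; out of scope for this check


def audit(flows):
    """Return (flow, reason) pairs for every policy violation, in log order."""
    violations = []
    for flow in flows:
        reason = classify(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed flow records, NetFlow-style, as a segmentation check would consume them.
SAMPLE_LOG = """
# timestamp            src         dst         dport proto
2018-03-01T09:00:01Z   10.20.0.15  10.10.0.5   443   tcp
2018-03-01T09:00:05Z   10.20.0.15  10.10.0.10  123   udp
2018-03-01T09:01:10Z   10.20.0.22  10.30.0.40  445   tcp
2018-03-01T09:02:00Z   10.30.0.12  10.20.0.15  80    tcp
2018-03-01T09:02:30Z   10.20.0.15  10.20.0.22  22    tcp
2018-03-01T09:03:00Z   10.30.0.12  10.10.0.5   443   tcp
2018-03-01T09:04:00Z   10.20.0.22  8.8.8.8     53    udp
"""


if __name__ == "__main__":
    for flow, reason in audit(parse_flow_log(SAMPLE_LOG)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Of the seven constructed flows, four are flagged: a device opening SMB (445) to the workstation subnet, a workstation connecting into a device’s web interface, one device talking to another, and a device resolving names through a public DNS server on the internet. The policy is an allow-list, so a new kind of traffic is a finding until someone explicitly approves it; that is the behaviour you want from a segment holding devices you cannot patch.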
Employees: A Practice’s Greatest Weakness or Defense?
Answer: Yes.
60% of healthcare breaches occurred due to employee negligence, yet only 38% of healthcare employees are aware of their organization’s cybersecurity policies, and only 30% of employees report having received any cybersecurity awareness training. If a practice does not take the time to tell its employees how to protect patient data and explain its data protection policies, how can it expect them to follow cybersecurity best practices? Taking an hour every quarter to inform employees about the latest threats they may face, how they can protect themselves, and how they can protect the practice’s patients can turn the practice’s greatest weakness, the human factor, into one of its best defenses.
IT is Not Cybersecurity
While Information Technology (IT) professionals are excellent resources, they are unfortunately typically not cybersecurity experts. Thinking of it from a medical perspective, you would not visit your cardiologist for a root canal even though both are medical professionals. The same applies to cybersecurity and the skills required to provide the best protection. IT professionals are just that, professionals, but their daily duties consist mainly of configuring and maintaining the practice’s computer networks (on premises or in the cloud), whilst the job of cybersecurity professionals is to ensure and verify the security of those networks. Combining the two functions is like asking your accountant to audit their own books: there is a conflict of interest.
What Can Practices Do for Protection?
The days of relying on free antivirus programs for cybersecurity protection are over. The modern medical practice needs to protect its computer networks, internet-connected devices, and patient data through at least a three-layered approach to cybersecurity.
Layer 1: Starting at the entrance to the internet, every practice should have a firewall that is regularly updated, patched, and monitored by a cybersecurity professional. Hackers are constantly scanning the internet looking for vulnerable networks and devices. Without a firewall protecting the network, the practice could be a virtual goldmine if a hacker is able to compromise computers or IoT devices.
And the firewall needs to be updated on a regular, frequent basis to ensure that vulnerabilities in its own firmware and software are patched and that the latest threats are being protected against. A firewall that is never updated is essentially obsolete the day it is installed.
Layer 2: Every computer, laptop, and if possible, tablet should have next-generation antivirus installed that, again, is regularly updated, patched, and monitored. As part of HIPAA compliance, medical practices must be able to show the protection status of their endpoints. Centrally managed antivirus is the best route to ensure that the antivirus on individual machines has not been disabled and provides a pain-free way to produce compliance reports.
Layer 3: Backup, backup, backup. Backups are like kryptonite to ransomware when performed properly. Emphasis on the “performed properly”. Too often, practices have implemented backup solutions, seen that they were doing something, but never attempted to restore from them until a true emergency occurred, only to find that the backups were worthless and recovery was impossible. A backup has not been tested until something has been restored from it and checked against the original, and at least one copy should be kept offline or otherwise out of reach of the network, because ransomware that can reach a backup share will encrypt it along with everything else.
Additional Layers Optional: There are many other optional layers of cybersecurity that a practice can implement to better protect against today’s latest threats, such as Endpoint Detection & Response (EDR) software and network monitoring.
But there are also many things that practices can do that cost nothing other than time, such as requiring employees to have individual user accounts to log into computers and email, enabling multi-factor authentication on email and remote access where it is offered, and making sure that passwords are long and not reused. (Note that current NIST guidance, SP 800-63B, no longer recommends forcing password changes on a fixed schedule; it favors long passphrases, screening new passwords against lists of known-breached ones, and forcing a change only when compromise is suspected. If the practice does rotate passwords on a schedule, keep the interval long enough that staff do not fall back on predictable variations.)
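A restore drill for Layer 3 does not need a product; it needs a backup, a scratch location and a way to compare. The script below is an added example, not code from the original article or from any backup vendor: it takes a backup of a constructed directory, restores it into a scratch folder, checks every file’s SHA-256 against the manifest recorded at backup time, and then shows the failure mode the paragraph warns about by running the same check against a backup whose job died mid-write. The directory layout, file contents and the uncompressed tar format are assumptions chosen to keep the example self-contained.

```python
"""Backup restore drill: take a backup, restore it elsewhere, and prove the
restored files match the originals byte for byte.

Added example, not code from the original article. The directory layout and
file contents are constructed; a real drill would point at the practice's
actual backup set and restore to an isolated host, never over the live data.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def make_backup(src_dir, archive_path):
    """Archive src_dir and return the manifest recorded at backup time."""
    with tarfile.open(str(archive_path), "w") as tar:
        tar.add(str(src_dir), arcname=".")
    return manifest(src_dir)


def safe_extract(tar, dest):
    """Extract, refusing any member that would land outside dest (tar path traversal)."""
    dest = Path(dest).resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"refusing to extract {member.name!r} outside {dest}")
    tar.extractall(dest)


def restore_and_verify(archive_path, expected):
    """Restore into a fresh scratch directory and diff it against the manifest.

    Returns a result dict; result["ok"] is True only if nothing is wrong."""
    result = {"ok": False, "errors": [], "missing": [], "corrupted": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive_path), "r") as tar:
                safe_extract(tar, scratch)
        except (tarfile.TarError, EOFError, OSError, ValueError) as exc:
            # A backup you cannot even read is the emergency-day surprise to avoid.
            result["errors"].append(f"restore failed: {exc}")
            return result
        restored = manifest(scratch)
    for rel, digest in expected.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["corrupted"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(expected))
    result["ok"] = not (result["errors"] or result["missing"] or result["corrupted"] or result["unexpected"])
    return result


def run_drill():
    """Constructed end-to-end drill: a good backup passes, a backup job that
    died mid-write is caught. Returns (good_result, bad_result)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live = work / "practice_data"
        (live / "ehr").mkdir(parents=True)
        (live / "ehr" / "patients.db").write_bytes(bytes(range(256)) * 32)  # 8 KiB, constructed
        (live / "schedule.csv").write_text("date,patient_id\n2018-03-01,1001\n")

        archive = work / "nightly.tar"
        expected = make_backup(live, archive)
        good = restore_and_verify(archive, expected)

        # Simulate a backup job that died mid-write: keep only the first 4 KiB,
        # which cuts through the middle of patients.db.
        with open(archive, "r+b") as f:
            f.truncate(4096)
        bad = restore_and_verify(archive, expected)
    return good, bad


if __name__ == "__main__":
    good, bad = run_drill()
    print("intact backup:   ", "PASS" if good["ok"] else "FAIL", good)
    print("truncated backup:", "PASS" if bad["ok"] else "FAIL", bad)
```

Run it on a schedule (not just once) and treat any non-empty `errors`, `missing` or `corrupted` list as an incident to chase down before a real emergency does it for you; `unexpected` catches a backup that is restoring stale files nobody asked for. The manifest should be written at backup time and stored apart from the backup itself, so that an attacker who reaches the backup cannot also rewrite the record of what it should contain.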
There is one thing that industry experts agree on: cybercrime is only going to increase over the next few years. Take time today not only to inventory what you have (because how do you protect something you don’t know you have?) but also to bring common sense cybersecurity best practices into your practice.

About The Author

Troy Wilkinson
Axiom Cyber Solutions

Troy Wilkinson began his career serving others as a law enforcement officer. He commanded a Joint Terrorism Task Force and was a lead bomb investigator and a violent crime and homicide detective; however, his greatest achievement in law enforcement came from his ability and skill in investigating and prosecuting child pornography and other electronic crimes.
Wilkinson was recruited by the U.S. State Department to train police officers in Kosovo on cyber investigations. Working under the George W Bush and Obama presidencies, he was a top U.S. cyber investigator seconded to the United Nations and European Union to lead investigations into political corruption, organized crime, war crimes, financial crimes and terrorism. Together with a team of international investigators, Wilkinson built the first IT forensics lab in the European Union Mission in Kosovo.

After returning home to the U.S., Wilkinson co-founded Axiom Cyber Solutions, with a mission to develop intelligent, automated, and self-healing cyber security platforms to help secure America’s businesses against cybercriminals. He is an international speaker on cyber security, focusing on ransomware, DDoS, cyber-crime trends, and cyber security careers.