The State of Healthcare Cybersecurity Could Raise Your Blood Pressure
Ransomware
The past couple of years have been rough for the healthcare industry and so far 2019 has been no different when it comes to ransomware and data breaches. The healthcare industry spends approximately $5 billion annually to deal with data breaches, hacking, and poor cybersecurity practices.
Hackers Love the Healthcare Industry
Healthcare suffers more cyber-attacks than any other industry, twice as many incidents as the second-place industry (education). In fact, healthcare has been at the top of the most-hacked industries since 2015. Healthcare accounted for more than 27% of total data breaches in 2018, and 70% of healthcare data breaches contain sensitive information such as demographic or financial information that could lead to identity theft.
Hackers have realized how much the modern medical practice relies on, and values, its computer systems. In fact, there have been a handful of cases where medical practices have decided to close their doors following a ransomware attack that encrypted patient files.
Lethal Effect of Bad Cybersecurity
Dr. Sung Choi, a researcher at Vanderbilt University’s Owen Graduate School of Management, has found that 2,100 deaths can be linked to hospital data breaches and a lack of cybersecurity protections. The reason is that breaches “trigger remediation activities, regulatory inquiries and litigation in the years following a breach…” and these activities affect the performance of the facility, leading to quality issues.
Recent ransomware attacks on hospitals have resulted in the hospitals turning away non-critical patients, canceling surgeries, and reverting to manual systems to deliver services to patients.
Add to this the risk of hacked medical internet of things (IoT) devices delivering incorrect dosages of drugs in automated pumps or causing irregular heartbeats for pacemaker patients. It sounds like the plot of a new Hollywood thriller, but these are unfortunate realities in today’s connected world.
Ransomware Woes
Healthcare continues to be the favored industry for ransomware attacks, accounting for 79% of ransomware attacks in the first three quarters of 2019.
DCH Health hospitals in Alabama and Campbell County Health in Wyoming were both forced to turn away non-critical patients after their computer systems were taken offline by ransomware. And in 2018, several high-profile SamSam ransomware attacks on hospitals and EHR provider Allscripts brought computer systems down and forced hospitals and practices across the nation back to pen and paper.
An all too common, and dangerous, misconception is that the hackers behind ransomware attacks only focus on large medical facilities. Unfortunately, that is simply not true, and there have been successful ransomware attacks on many practices, compromising the data of hundreds to thousands of patients, current and former. Recently, nearly 400 dental practices had their computer systems encrypted after third-party software providers The Digital Dental Record and PerCSoft were compromised.
But it is not just the recovery of the data from a ransomware attack that should cause concern for healthcare practices; there is also a compliance concern. According to guidance published by Health and Human Services in 2016, a successful ransomware attack is considered a HIPAA breach because “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
The onus to prove that the ePHI was not breached is placed on the healthcare provider, who must undergo a thorough investigation that assesses:
“1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. the unauthorized person who used the PHI or to whom the disclosure was made;
3. whether the PHI was actually acquired or viewed; and
4. the extent to which the risk to the PHI has been mitigated.”
The middle two points are often the hardest to prove and require extensive, costly forensic investigations by certified professionals. Additionally, forensic investigation requires that the computers not be reverted from their compromised state. Salina Family Healthcare Center in Kansas found that cleaning up its ransomware infection too quickly, and failing to preserve at least one infected computer, left it unable to prove that the ePHI was not breached.
Employees: A Practice’s Greatest Weakness or Defense?
Answer: Yes.
21% of healthcare breaches occurred due to insiders or employee errors. 25% of healthcare workers have never had any cybersecurity training, and 34% of healthcare employees are unaware of their organization’s cybersecurity policies. If practices do not take the time to inform their employees how to protect patient data and explain data protection policies, how can the practice expect the employee to follow cybersecurity best practices? Taking an hour every quarter to inform employees about the latest cybersecurity threats they may face and how they can protect themselves and the practice’s patients can turn the practice’s greatest weakness, the human factor, into one of its best defenses.
What Can Practices Do for Protection?
The days of relying on free antivirus programs for cybersecurity protection are over. The modern medical practice needs to protect its computer networks, internet-connected devices, and patient data through at least a three-layered approach to cybersecurity.
Layer 1: Starting at the entrance to the internet, every practice should have a firewall that is regularly updated, patched, and monitored by a cybersecurity professional. Hackers are constantly scanning the internet looking for vulnerable networks and devices. Without a firewall protecting the network, the practice could be a virtual goldmine if a hacker is able to compromise computers or IoT devices.
And the firewall needs to be updated on a regular, frequent basis to ensure that any hardware vulnerabilities are patched and that the latest threats are being protected against. If a firewall is not regularly updated, it is essentially obsolete the day it is installed.
Layer 2: Every computer, laptop, and, if possible, tablet should have next-generation antivirus installed that again is regularly updated, patched, and monitored. As part of HIPAA compliance, medical practices must be able to show the protection status of their endpoints. Centrally managed antivirus is the best route to ensure that the antivirus on individual machines is not disabled, and it provides a pain-free way to produce compliance reports.
Layer 3: Backup, backup, backup. Backups are like kryptonite to ransomware when performed properly. Emphasis on the “performed properly”. Too often, practices have implemented backup solutions, seen that they were doing something, but never attempted to restore the backups until a true emergency occurred, only to find that the backups were worthless and recovery was impossible.
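The cheapest way to find out whether a backup is worthless is to restore it somewhere harmless and check the result before an emergency forces the question. The script below is an added example, not code from the article or from any backup product it mentions: it backs up a constructed sample practice directory into a tarball, records a SHA-256 manifest at backup time, restores the archive into a scratch location, and proves byte-for-byte that every file came back, then shows that a damaged restore (one file truncated) is flagged rather than silently accepted. The file names and contents are invented for the demonstration.

```python
"""Restore test for backups: back up a directory, restore it elsewhere, and
prove that every file came back intact. Added example with constructed data."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large chart images do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup_directory(src: Path, archive: Path) -> dict:
    """Write src into a gzip tarball; return the manifest taken at backup time.
    The manifest is the 'known good' record the restore is later checked against."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_archive(archive: Path, dest: Path) -> None:
    """Extract the tarball into a scratch directory, never over the live data."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Newer Python: refuse archive entries that escape dest.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return a list of problems; an empty list means the restore is proven good."""
    problems = []
    actual = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def run_restore_test() -> dict:
    """Back up a constructed sample data set, restore it, verify it, then damage
    the restored copy to show that the check catches a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "practice_data"                      # constructed sample data
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "patient-0001.txt").write_text("constructed chart record\n")
        (src / "schedule.csv").write_text("date,room\n2019-10-01,3\n")

        archive = tmp / "practice-backup.tar.gz"
        manifest = backup_directory(src, archive)

        restored = tmp / "restore_test"
        restore_archive(archive, restored)
        clean_problems = verify_restore(manifest, restored)

        # Simulate a bad restore: one chart comes back truncated to zero bytes.
        (restored / "charts" / "patient-0001.txt").write_bytes(b"")
        damaged_problems = verify_restore(manifest, restored)

    return {
        "files_backed_up": len(manifest),
        "clean": clean_problems,      # expected: []
        "damaged": damaged_problems,  # expected: ["corrupt: charts/patient-0001.txt"]
    }


if __name__ == "__main__":
    for key, value in run_restore_test().items():
        print(f"{key}: {value}")
```

Run this on a schedule against the real backup set, restoring into an isolated directory or test machine, and treat any non-empty problem list as an incident to investigate. The manifest from backup time should be stored separately from the backup itself; if ransomware can reach and alter both, the comparison proves nothing.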
But there are also many things that practices can do that cost nothing other than time, such as requiring employees to have individual user accounts to log into computers and email accounts, requiring employees to change their passwords on a regular basis, and making sure that the passwords are complex.
There is one thing that industry experts agree on, and that is that cybercrime is only going to increase over the next few years. Take time today not only to inventory what you have (because how do you protect something you don’t know you have?) but also to bring common-sense cybersecurity best practices into your practice.
Image by Gerald Oswald from Pixabay