The past couple of years have been rough for the healthcare industry and so far 2019 has been no different when it comes to ransomware and data breaches. The healthcare industry spends approximately $5 billion annually to deal with data breaches, hacking, and poor cybersecurity practices.
Hackers Love the Healthcare Industry
Healthcare suffers more cyber-attacks than any other industry, with twice the number of incidents of the second-place industry (education). In fact, healthcare has been at the top of the most-hacked industries since 2015. Healthcare accounted for more than 27% of total data breaches in 2018, and 70% of healthcare data breaches contain sensitive information such as demographic or financial information that could lead to identity theft.
Hackers have recognized how heavily the modern medical practice relies on its computer systems, and how valuable those systems are. In fact, there have been a handful of cases where medical practices have decided to close their doors following a ransomware attack that encrypted patient files.
Lethal Effect of Bad Cybersecurity
Dr. Sung Choi, a researcher at Vanderbilt University’s Owen Graduate School of Management, has found that 2,100 deaths can be linked to hospital data breaches and a lack of cybersecurity protections. The reason is that breaches “trigger remediation activities, regulatory inquiries and litigation in the years following a breach…” and these activities affect the performance of the facility, leading to quality-of-care issues.
Recent ransomware attacks on hospitals have resulted in the hospitals turning away non-critical patients, canceling surgeries, and reverting to manual systems to deliver services to patients.
Add to this the risk of hacked medical Internet of Things (IoT) devices delivering incorrect drug dosages from automated pumps or causing irregular heartbeats in pacemaker patients: it sounds like the plot of a new Hollywood thriller, but these are unfortunate realities in today’s connected world.
Healthcare continues to be the favored industry for ransomware attacks, accounting for 79% of ransomware attacks in the first three quarters of 2019.
DCH Health hospitals in Alabama and Campbell County Health in Wyoming were both forced to turn away non-critical patients after their computer systems were taken offline by ransomware. And in 2018, several high-profile SamSam ransomware attacks on hospitals and on EHR provider Allscripts brought computer systems down and forced hospitals and practices across the nation back to pen and paper.
An all too common, and dangerous, misconception is that the hackers behind ransomware attacks only focus on large medical facilities. Unfortunately, that is simply not true: there have been successful ransomware attacks on many practices, compromising the data of hundreds to thousands of patients, current and former. Recently, nearly 400 dental practices had their computer systems encrypted after the third-party software providers The Digital Dental Record and PerCSoft were compromised.
But it is not just the recovery of the data from a ransomware attack that should concern healthcare practices; there is also a compliance concern. According to guidance published by Health and Human Services in 2016, a successful ransomware attack is considered a HIPAA breach because “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”
The onus to demonstrate that the ePHI was not breached is placed on the healthcare provider, who must carry out a thorough risk assessment covering:
“1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. the unauthorized person who used the PHI or to whom the disclosure was made;
3. whether the PHI was actually acquired or viewed; and
4. the extent to which the risk to the PHI has been mitigated.”
The middle two points are often the hardest to prove and require extensive, costly forensic investigations by certified professionals. Additionally, a forensic investigation requires that the affected computers not be reverted from their compromised state before evidence is collected. Salina Family Healthcare Center in Kansas found that cleaning up its ransomware infection too quickly, and failing to preserve at least one infected computer, left it unable to prove that the ePHI was not breached.
Employees: A Practice’s Greatest Weakness or Defense?
21% of healthcare breaches occurred due to insiders or employee errors. 25% of healthcare workers have never had any cybersecurity training, and 34% of healthcare employees are unaware of their organization’s cybersecurity policies. If a practice does not take the time to teach its employees how to protect patient data and explain its data protection policies, how can it expect them to follow cybersecurity best practices? Taking an hour every quarter to inform employees about the latest cybersecurity threats they may face, and how they can protect themselves and the practice’s patients, can turn the practice’s greatest weakness, the human factor, into one of its best defenses.
What Can Practices Do for Protection?
The days of relying on free antivirus programs for cybersecurity protection are over. The modern medical practice needs to protect its computer networks, internet-connected devices, and patient data through at least a three-layered approach to cybersecurity.
Layer 1: Starting at the entrance to the internet, every practice should have a firewall that is regularly updated, patched, and monitored by a cybersecurity professional. Hackers are constantly scanning the internet looking for vulnerable networks and devices. Without a firewall protecting the network, the practice could be a virtual goldmine if a hacker is able to compromise computers or IoT devices.
And the firewall needs to be updated on a regular, frequent basis to ensure that any hardware vulnerabilities are patched and that the latest threats are being protected against. A firewall that is not regularly updated is essentially obsolete the day it is installed.
Layer 2: Every computer, laptop, and, if possible, tablet should have next-generation antivirus installed that again is regularly updated, patched, and monitored. As part of HIPAA compliance, medical practices must be able to show the protection status of their endpoints. Centrally managed antivirus is the best route to ensure that the antivirus on individual machines is not disabled, and it provides a pain-free way to produce compliance reports.
Layer 3: Backup, backup, backup. Backups are like kryptonite to ransomware when performed properly. Emphasis on the “performed properly”. Too often, practices have implemented a backup solution, seen that it was doing something, but never attempted to restore from the backups until a true emergency occurred, only to find that the backups were worthless and recovery was impossible.
But there are also many things that practices can do that cost nothing other than time, such as requiring employees to have individual user accounts for logging into computers and email, requiring employees to change their passwords on a regular basis, and making sure that those passwords are complex.
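The “performed properly” part of Layer 3 is testable: a backup only counts once a restore of it has been checked against what was backed up. The script below is an added example, not code from the original article or from any product it mentions. It records a SHA-256 manifest when the archive is created, then runs a restore drill that unpacks the archive into scratch space and compares every file to that manifest. The “records” directory, its files, and the truncated copy of the archive are all constructed for the demonstration; a damaged archive is reported as not restorable instead of being discovered during an emergency.

```python
"""Backup-and-restore drill: build an archive, then prove it restores.

Added example, not part of the original article. The sample "records"
directory is constructed data, not real patient information.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_hashes(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tar of source and return the manifest recorded at backup time.

    The manifest is what a later restore drill is measured against; keep it
    separate from the archive (and off the network ransomware can reach).
    """
    manifest = snapshot_hashes(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore the archive into scratch space and compare every file to the manifest.

    Returns a report instead of raising, so a scheduled drill can log the result.
    An archive that cannot be opened, or whose files are missing or differ, is
    reported as not restorable.
    """
    report = {"ok": 0, "missing": [], "mismatched": [], "error": None, "restorable": False}
    try:
        with tempfile.TemporaryDirectory() as scratch:
            dest = Path(scratch)
            with tarfile.open(archive, "r:gz") as tar:
                # Use the hardened 'data' extraction filter where this Python
                # offers it (3.12+ and backports); it refuses path-traversal entries.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **extra)
            restored = snapshot_hashes(dest)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
        report["missing"] = sorted(manifest)
        return report
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["mismatched"].append(rel)
        else:
            report["ok"] += 1
    report["restorable"] = not report["missing"] and not report["mismatched"]
    return report


def demo() -> tuple:
    """Drill an intact archive and a damaged copy of it; return both reports."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "records"  # constructed sample data, not real PHI
        (source / "2019").mkdir(parents=True)
        (source / "2019" / "visits.csv").write_text("id,date\n1,2019-10-01\n")
        (source / "schedule.txt").write_text("Mon 09:00 cleaning\n")

        archive = work / "records.tar.gz"
        manifest = create_backup(source, archive)
        good = restore_drill(archive, manifest)

        # Simulate a backup job that "was doing something" but wrote a broken
        # file: keep only the first half of the archive and run the same drill.
        damaged = work / "records-damaged.tar.gz"
        data = archive.read_bytes()
        damaged.write_bytes(data[: len(data) // 2])
        bad = restore_drill(damaged, manifest)
    return good, bad


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("intact archive restorable:", good_report["restorable"])
    print("damaged archive restorable:", bad_report["restorable"], bad_report["error"])
```

Run the drill on a schedule against the real backup target and treat any report with `restorable` false as an incident, not a warning; the value of the drill is that the bad news arrives before the ransomware does.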
There is one thing that industry experts agree on, and that is that cybercrime is only going to increase over the next few years. Take time today not only to inventory what you have (because how do you protect something you don’t know you have?) but also to bring common-sense cybersecurity best practices into your practice.