As if to validate the rising alarm of many healthcare IT leaders, a report published in April by the Armonk, N.Y.-based IBM, through its IBM Security Services division, has confirmed what many already knew: this is a time of unprecedented data security threat in the healthcare industry. Indeed, “Reviewing a year of serious data breaches, major attacks, and new vulnerabilities” is the title of IBM researchers’ report on the situation.
As the report’s authors write in their introduction to the report, “The year 2015 was filled with serious data breaches, major attacks and an ever-flowing stream of new vulnerability reports—across the entire industry.” They go onto state that, “Looking at the big picture, it’s clear that virtually no industry was immune to the exploits of today’s attackers. However, some industries were targeted far more frequently than others. In 2015, the most targeted industries included healthcare, manufacturing and government organizations around the world—all of which found themselves featured in boldface headlines and scrambling to respond.”
What’s more, the authors write, “Healthcare broke back into the top five rankings for 2015” in the division’s annual review of cybersecurity across all industries, “shooting directly to the top spot. That comes as little surprise to us, after we coined 2015 ‘the year of the healthcare breach.’ The healthcare industry once sat firmly on the sidelines of the cyber war,” they note. But now, “Packed with a wealth of exploitable information, electronic health records fetch a high price on the black market. They typically contain credit card data, email addresses, Social Security numbers, employment information and medical history records—much of which will remain valid for years, if not decades. Cyber thieves are using that data to launch spear phishing attacks, commit fraud and steal medical identities.”
And, most dramatically, of course, launch ransomware attacks, in which malware programs allowed into hospital, medical group, and health system information systems primarily through end-users’ unsuspecting opening of e-mails and e-mail attachments leading to a chain of devastating developments.
A Series of Devastating, High-Profile Ransomware Attacks
As Healthcare Informatics’ editors have been reporting this spring in a series of articles, ransomware has become the hot topic in the healthcare data security world, and for good reason.
As HCI’s editors have noted in their reports, a series of rapid-fire developments took place this spring, several of which made local, regional, and national news headlines. The first nationally reported mainstream media news story in this drama was that around Hollywood Presbyterian Medical Center. On Friday, February 12, NBC4News, the local affiliate of the NBC network in Los Angeles, reported in its noon and evening broadcasts, and then online, this story: “Hollywood Hospital ‘Victim of Cyber Attack.’” As the online version of the story, by Jason Kandel and Robert Kovacik, stated, “A Southern California hospital was a victim of a cyber-attack, interfering with day-to-day operations, the hospital’s president and CEO said. Staff at Hollywood Presbyterian Medical Center began noticing ‘significant IT issues and declared an internal emergency’ on Friday, said hospital President and CEO Allen Stefanek. A doctor who did not want to be identified said the system was hacked and was being held for ransom.”
In the days that followed, more news reports appeared, confirming that, among other things, the electronic health record (EHR) and other clinical information systems at Hollywood Presbyterian Medical Center had been shut down for more than a week, and confirming that a ransomware attack had taken place, and stating that the cybercriminals behind it were demanding $3.6 million to restore the system. The hospital’s CEO ended up publicly conceding that he and his colleagues had paid the hackers 40 Bitcoins, or the equivalent of $17,000, and the cybercriminals had given Hollywood Presbyterian executives the key to restore their clinical information systems.
Then, on Monday, March 28, The Washington Post reported that the 10-hospital, Columbia, Md.-based MedStar Health integrated health system’s clinical information system had had to be shut down because of a virus-based hacking attack. Further, on Thursday, March 31, The Baltimore Sun confirmed that the attack reported on that Monday had included a digital ransom note. In the following days, additional news reports, as well as statements by MedStar Health officials, described MedStar staff members’ attempts to restore the full functionality of their clinical information systems, while working at the same time to maintain as high a level of patient care service as possible. That situation ended up involving weeks of work to restore full functionality of that health system’s core clinical IS. And the MedStar situation was followed in quick succession by reports of similar attacks on three hospitals in Southern California and one in Indiana.
An Underlying Lack of Preparedness for a New World Filled with Threats
Fundamentally, say industry experts and observers, healthcare and healthcare IT leaders nationwide are struggling to keep up with a surging wave of cybersecurity threats, the most dramatic of which has been the wave of recent ransomware attacks. What are the biggest challenges facing leaders in U.S. healthcare in this area right now? Among the greatest challenges are: