
Hacker Roulette: Will Your Hospital Be the Next Target of Cyber-Criminals?

March 29, 2016
The attack on the MedStar Health system’s EHR is an alarming sign of a pattern of acceleration in recent hacking incidents

The timing of it all really did feel like some kind of Jungian synchronicity. I had just posted an interview I had conducted last week with Mac McMillan, the CEO of the CynergisTek consulting firm, and an industry thought-leader on healthcare IT security, when the news broke of another major hack of a U.S. hospital.

In the wake of the now-infamous ransomware incident that executives at Los Angeles’s Hollywood Presbyterian Medical Center had to endure last month, McMillan had shared with me his belief that the threat of attacks from cyber-criminals via ransomware and other forms of malware, as well as phishing and other schemes, was reaching such a fever pitch that he has come to the conclusion that virtually all hospital organizations need to hire external security operations centers, or “SOCs.”

As Mac told me, “Think of it this way: an average, medium-sized hospital probably is producing literally tens of millions of logs or events a month. There’s nobody on this planet that has a good enough calibrated eyeball to go through tens of millions of events and could figure out what’s going on. The problem is too big, you can’t do it yourself. This notion that we can test ourselves, that we can monitor our environment, has got to go away. We need those independent, objective experts to do this for us and identify issues, as well as bring the greater awareness. My guys do hundreds of risk assessments a year across the country and tests. Their depth of knowledge is so much broader than that of the guy who’s working at a single hospital. And to take advantage of that experience—that’s what we need to do.”

What’s more, Mac stated his belief that “I think that the threat is going to continue to increase in the next few years in a big way. As we become more of a knowledge-based society, more and more responsibility will fall onto technology and data. So this makes sense. And the one thing that healthcare fears more than anything else is not having their data. And ransomware attacks that very vulnerability, fear. So from an extortion perspective, it is the perfect vehicle for attacking vulnerability. And even if it’s not successful, it creates a tremendous amount of disruption.”

And then, just a few hours later, came the news of the hacking of the electronic health record (EHR) of the MedStar Health system, which is based in Columbia, Maryland, and serves several hundred thousand patients across the region stretching from Washington, D.C. to Baltimore, Md., with 10 inpatient hospitals and more than 250 outpatient clinics.

As The Washington Post reported, a virus had infected the health system’s EHR, forcing its shutdown. “The FBI,” the newspaper reported, “is investigating the breach, which comes just weeks after similar cyber-attacks on two other medical institutions in California and Kentucky. Still, MedStar officials said they had found ‘no evidence that information has been stolen.’”

Meanwhile, at around 4 PM eastern time on Monday, MedStar Health officials stated on their website that, “Early this morning, MedStar Health's IT system was affected by a virus that prevents certain users from logging-in to our system. MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and Cyber-security partners to fully assess and address the situation.”

Of course, much about the MedStar crisis remains unknown—and that is totally understandable, as MedStar leaders doubtless are working assiduously behind the scenes to bring their EHR back up and restore normal, electronically facilitated operations. But this was a big hit—this is a very large, ten-hospital system with a teaching hospital, a large group of community hospitals, and 250 outpatient clinics—a much bigger and broader group than, for example, Hollywood Presbyterian Medical Center, the standalone community hospital hit by the ransomware attack last month. Perhaps we will never know all the details, but it is significant that a ten-hospital system has now been effectively hit by a cybercriminal virus.

Thus, the timeliness of the interview I had last week with Mac McMillan.

So, does it seem as though things are coming to a head these days with regard to these attacks? Yes, it absolutely does.

And the timing seems to be no mistake, as cybercriminals are glomming onto healthcare now mostly because the monetary value of the PHI (protected health information) of patients has become clearer to everyone—including, most importantly, the cybercriminals themselves.

As David Finn of Symantec told me recently, “I went directly to HIMSS from a week on the road, and my weeks on the road are typically with customers. And every customer that week before HIMSS had noted an uptick in ransomware attempts. And these are not purely Symantec customers, they also have other products. And they all made it through those ransomware attempts; one struggled, but they all made it through. And there was some bashing about Hollywood Presbyterian paying the ransom. But the thing is, this is not a security problem. When Hollywood Presbyterian paid the ransom, it wasn’t to get data back or turn systems on, it was because they couldn’t take care of patients. This is not a security issue, it’s a patient care issue. And this will continue to happen. And it really needs to become a concern of the c-suite—and CIOs need to communicate that to the c-suite.”