As if to validate the rising alarm of many healthcare IT leaders, a report published in April by the Armonk, N.Y.-based IBM, through its IBM Security Services division, has confirmed what many already knew: this is a time of unprecedented data security threat in the healthcare industry. Indeed, “Reviewing a year of serious data breaches, major attacks, and new vulnerabilities” is the title of IBM researchers’ report on the situation.
As the report’s authors write in their introduction, “The year 2015 was filled with serious data breaches, major attacks and an ever-flowing stream of new vulnerability reports—across the entire industry.” They go on to state that, “Looking at the big picture, it’s clear that virtually no industry was immune to the exploits of today’s attackers. However, some industries were targeted far more frequently than others. In 2015, the most targeted industries included healthcare, manufacturing and government organizations around the world—all of which found themselves featured in boldface headlines and scrambling to respond.”
What’s more, the authors write, “Healthcare broke back into the top five rankings for 2015” in the division’s annual review of cybersecurity across all industries, “shooting directly to the top spot. That comes as little surprise to us, after we coined 2015 ‘the year of the healthcare breach.’ The healthcare industry once sat firmly on the sidelines of the cyber war,” they note. But now, “Packed with a wealth of exploitable information, electronic health records fetch a high price on the black market. They typically contain credit card data, email addresses, Social Security numbers, employment information and medical history records—much of which will remain valid for years, if not decades. Cyber thieves are using that data to launch spear phishing attacks, commit fraud and steal medical identities.”
And, most dramatically of course, launch ransomware attacks, in which malware enters hospital, medical group, and health system information systems, most often when an unsuspecting end-user opens a malicious e-mail or attachment, encrypts the data those systems depend on, and sets off a chain of devastating developments.
A Series of Devastating, High-Profile Ransomware Attacks
As Healthcare Informatics’ editors have been reporting this spring in a series of articles, ransomware has become the hot topic in the healthcare data security world, and for good reason.
As HCI’s editors have noted in their reports, a series of rapid-fire developments took place this spring, several of which made local, regional, and national news headlines. The first such story to reach the national mainstream media was the one about Hollywood Presbyterian Medical Center. On Friday, February 12, NBC4News, the local affiliate of the NBC network in Los Angeles, reported in its noon and evening broadcasts, and then online, this story: “Hollywood Hospital ‘Victim of Cyber Attack.’” As the online version of the story, by Jason Kandel and Robert Kovacik, stated, “A Southern California hospital was a victim of a cyber-attack, interfering with day-to-day operations, the hospital’s president and CEO said. Staff at Hollywood Presbyterian Medical Center began noticing ‘significant IT issues and declared an internal emergency’ on Friday, said hospital President and CEO Allen Stefanek. A doctor who did not want to be identified said the system was hacked and was being held for ransom.”
In the days that followed, more news reports appeared, confirming that, among other things, the electronic health record (EHR) and other clinical information systems at Hollywood Presbyterian Medical Center had been shut down for more than a week, confirming that a ransomware attack had taken place, and stating that the cybercriminals behind it were demanding $3.6 million to restore the system. The hospital’s CEO ended up publicly conceding that he and his colleagues had paid the hackers 40 Bitcoins, the equivalent of about $17,000, and that the cybercriminals had then given Hollywood Presbyterian executives the decryption key needed to restore their clinical information systems.
Then, on Monday, March 28, The Washington Post reported that the 10-hospital, Columbia, Md.-based MedStar Health integrated health system’s clinical information system had had to be shut down because of a virus-based hacking attack. Further, on Thursday, March 31, The Baltimore Sun confirmed that the attack reported on that Monday had included a digital ransom note. In the following days, additional news reports, as well as statements by MedStar Health officials, described MedStar staff members’ attempts to restore the full functionality of their clinical information systems, while working at the same time to maintain as high a level of patient care service as possible. That situation ended up involving weeks of work to restore full functionality of that health system’s core clinical IS. And the MedStar situation was followed in quick succession by reports of similar attacks on three hospitals in Southern California and one in Indiana.
An Underlying Lack of Preparedness for a New World Filled with Threats
Fundamentally, say industry experts and observers, healthcare and healthcare IT leaders nationwide are struggling to keep up with a surging wave of cybersecurity threats, the most dramatic of which has been the wave of recent ransomware attacks. What are the biggest challenges facing leaders in U.S. healthcare in this area right now? Among the greatest challenges are:
> A lack of awareness of the magnitude of the ransomware threat in healthcare, which is surging as cybercriminals see that the industry is more vulnerable than other U.S. industries.
> Investment in data security, as a percentage of overall IT budgets, that is low in U.S. patient care organizations compared with what has been standard for decades in banking and financial services, manufacturing, energy, transportation, and retailing.
> A lack of commitment on the part of hospital and health system c-suites and boards of directors to addressing the threat of ransomware head-on, along with other cybersecurity threats, including malicious hacking that does not involve holding information systems hostage.
> Insufficient staffing of information security departments within the broader IS departments in patient care organizations.
> Insufficient training, preparedness, and expertise of those assigned to manage cybersecurity and data security in patient care organizations.
> A lack of data security strategic planning and execution of strategic plans.
> A rapidly surging threat that is exposing more hospitals, medical groups, and health systems to ransomware and other malware and hacking threats daily.
What can the leaders of U.S. patient care organizations do? One area in which some progress is being made is the hiring of chief information security officers (CISOs), which is ramping up quickly. At the same time, say industry experts, simply giving someone in a patient care organization the CISO title, without providing that individual with a capable team, funding, and c-suite- and board-level support for the data security mission, will not lead to success, in the short or the long run.
What’s more, patient care organizations have been deeply vulnerable to these kinds of attacks for a long time now. Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, notes “the report that Verizon put out at the end of last year.” That report, he says, noted that “some 90 some odd percent of breaches that occurred involved vulnerabilities that were more than a year old, and more than half involved ones that were 5 or 6 years old. It is a very common occurrence in healthcare today to find unpatched systems and misconfigured systems,” he says.
“Basically,” McMillan continues, “healthcare still lacks mature practices around IT maintenance and administration as it relates to security. It is becoming our Achilles’ heel; it is killing us right now. The bad guys know that we are not hardening our systems appropriately, not patching systems as quickly as we could, not exercising discipline around our change management processes, not monitoring our systems closely, not testing as often as we should be to find new vulnerabilities, and they are counting on that and taking advantage of that.” And the ransomware surge, he says, “has shone a bright light on the lack of preparedness in the industry for these kinds of attacks.”
Fernando Blanco, who ten months ago joined the 50-plus-hospital Christus Health system, based in Irving, Tex., was a CISO in the consumer products industry prior to coming into healthcare. His perspective? “I think that information security was neglected for many years in hospitals, and investment was associated with perceived risk; and healthcare was considered a low-risk industry,” Blanco says. “Everyone thought that there was more risk related to financial information of consumers. Healthcare has been a little bit late to the game; but the high-profile hacks are changing that.”
What’s more, says Natalie Lehr, vice president of analytics and co-founder of the Silver Spring, Md.-based TSC Advantage consulting firm, which advises organizations in several industries, including energy, manufacturing, mergers and acquisitions, and healthcare, “I think that what is most disturbing about this trend is that it is not a classic attack against patient records or customer records, for purposes of fraud. Most people in America have come to accept that that type of attack is going to happen,” she says, referring to individual cases of identity theft and fraud. “In this case, with ransomware, the very system by which care is delivered is under attack. So it’s not like you can protect one type of data and consider yourself sufficiently protected. Now, it is systemic.”
Time to Ramp Up Good Data Security Practices
Lehr, Blanco, McMillan, and other industry experts agree that there are several key elements to any successful data security/cybersecurity plan (see box below for highlights). They include buy-in and support from the CEO, c-suite, and board of directors to take the cybersecurity threat on seriously, and sufficient funding to develop and execute a comprehensive cybersecurity plan. They include the use of external services, as needed, to support internal efforts. They include frequent, probably daily, backups of the organization’s entire electronic health record (EHR) and core clinical information systems, and of core financial and operational systems, with the backups kept where the malware cannot reach them and tested by actually restoring them. They include tighter, role-based controls on end-users’ access to data. And above all, they include ongoing, thorough training of end-users, who are the most common point of entry for malware and other intrusions in any patient care organization.
How will things play out over time? “I’m optimistic in the long term,” says Blanco. “The industry is moving in the right direction. But I think we’re going to get worse before we get better; I think we’re going to see a lot more of these cases.”
And Ron Mehring, CISO at the 20-plus-hospital Texas Health Resources, also based in Irving, Tex., says, “We have a lot of different threats” in healthcare IT, “but I’m concerned because this type of threat comes to the top because of the amount of ransomware we’ve seen. My concern isn’t what’s happening today, but what’s next, and will it evolve and evade the security controls that we have in place? The adaptation of the malware is probably my biggest concern.”
What Are the Key Elements in Any Good Cybersecurity Plan?
Industry experts urge healthcare IT leaders to:
> Get buy-in and support from executive management and the board of directors
> Develop a comprehensive strategic cybersecurity plan
> Obtain sufficient funding and staffing for execution of the plan
> Staff up with a CISO and a highly skilled, specialized IT security team
> Back up core information systems, including EHRs, very frequently, most likely, daily
> Test backups at least twice a year, perhaps quarterly
> Make wise use of external services, such as security operations centers (SOCs), and other consulting and vendor services, as needed
> Engage in continuous behavioral monitoring
> Review end-user data access and implement tighter, role-based access controls
> Above all, require regular, robust training of all IS end-users, enterprise-wide
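The backup items in the box above (frequent backups of core systems, and backups that are tested rather than assumed to work) are the one place where a concrete check is easy to show. The following Python is an added example, not code from Healthcare Informatics or from any of the organizations quoted in this article. It writes a gzip archive of a directory together with a separate SHA-256 manifest, then tests the backup the only way that counts: by restoring it into a scratch directory and re-hashing every file against the manifest. The directory layout, file names and record contents in `build_sample_records` are constructed for illustration, and `demo` simulates what a ransomware run does to the live files (overwriting one record, renaming another with a “.locked” suffix) to show that a backup taken after the attack fails verification against the known-good manifest.

```python
"""Backup integrity check: archive a directory with a SHA-256 manifest, then
prove the backup is usable by restoring it somewhere harmless and re-hashing.
Added example; file names and record contents below are constructed."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large database dumps stay off the heap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map each file's path (relative to src_dir, '/'-separated) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def make_backup(src_dir, archive_path, manifest_path=None):
    """Write a gzip tarball of src_dir; optionally write the manifest as JSON.
    Keep the manifest apart from the archive (ideally offline) so an attacker
    who reaches the backup store cannot quietly rewrite both."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    if manifest_path:
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(archive_path, manifest_path):
    """Restore into a throwaway directory and compare every file's hash with
    the manifest. Returns (ok, problems): missing, altered, unexpected files."""
    with open(manifest_path) as f:
        expected = json.load(f)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths and '..' members,
                # so a crafted archive cannot write outside the scratch dir.
                tar.extractall(scratch, filter="data")
            except TypeError:  # interpreter predates the filter argument
                tar.extractall(scratch)
        actual = build_manifest(scratch)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel] != digest:
            problems.append("altered: " + rel)
    for rel in actual:
        if rel not in expected:
            problems.append("unexpected: " + rel)
    return (not problems, problems)


def build_sample_records(root):
    """Constructed stand-in for a clinical data directory; not real data."""
    os.makedirs(os.path.join(root, "patients"))
    with open(os.path.join(root, "patients", "0001.json"), "w") as f:
        json.dump({"mrn": "0001", "allergies": ["penicillin"]}, f)
    with open(os.path.join(root, "orders.csv"), "w") as f:
        f.write("order_id,mrn,drug\n42,0001,amoxicillin\n")


def demo():
    """A known-good backup verifies; a backup taken after the files were
    damaged fails against the known-good manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ehr")
        build_sample_records(src)
        good_tar = os.path.join(work, "ehr-good.tgz")
        manifest_path = os.path.join(work, "ehr-good.manifest.json")
        make_backup(src, good_tar, manifest_path)
        good_ok, _ = verify_backup(good_tar, manifest_path)

        # Simulate a ransomware run on the live copy: one record is overwritten
        # with junk and another is renamed with a ".locked" suffix.
        with open(os.path.join(src, "patients", "0001.json"), "wb") as f:
            f.write(os.urandom(64))
        os.rename(os.path.join(src, "orders.csv"),
                  os.path.join(src, "orders.csv.locked"))
        bad_tar = os.path.join(work, "ehr-after-attack.tgz")
        make_backup(src, bad_tar)  # no new manifest: the known-good one is the reference
        bad_ok, problems = verify_backup(bad_tar, manifest_path)
        return {"good_ok": good_ok, "bad_ok": bad_ok, "problems": problems}


if __name__ == "__main__":
    print(demo())
```

Running the file directly prints the demo result. Two design points matter in practice: the manifest is written as a separate file so it can be kept apart from, and ideally offline from, the archive it describes, since a backup taken after the malware has already run will verify perfectly against a manifest generated at the same moment; and extraction uses tarfile’s `data` filter where the interpreter supports it, so a crafted archive cannot write outside the scratch directory during the restore test.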