The timing of it all really did feel like some kind of Jungian synchronicity. I had just posted an interview I had conducted last week with Mac McMillan, the CEO of the CynergisTek consulting firm, and an industry thought-leader on healthcare IT security, when the news broke of another major hack of a U.S. hospital.
In the wake of the now-infamous ransomware incident that executives at Los Angeles’s Hollywood Presbyterian Medical Center had to endure last month, McMillan had shared with me his belief that the threat of attacks from cyber-criminals via ransomware and other forms of malware, as well as phishing and other schemes, was reaching such a fever pitch that he has come to the conclusion that virtually all hospital organizations need to hire external security operations centers, or “SOCs.”
As Mac told me, “Think of it this way: an average, medium-sized hospital probably is producing literally tens of millions of logs or events a month. There’s nobody on this planet that has a good enough calibrated eyeball to go through tens of millions of events and could figure out what’s going on. The problem is too big, you can’t do it yourself. This notion that we can test ourselves, that we can monitor our environment, has got to go away. We need those independent, objective experts to do this for us and identify issues, as well as bring the greater awareness. My guys do hundreds of risk assessments a year across the country and tests. Their depth of knowledge is so much broader than that of the guy who’s working at a single hospital. And to take advantage of that experience—that’s what we need to do.”
What’s more, Mac stated his belief that “I think that the threat is going to continue to increase in the next few years in a big way. As we become more of a knowledge-based society, more and more responsibility will fall onto technology and data. So this makes sense. And the one thing that healthcare fears more than anything else is not having their data. And ransomware attacks that very vulnerability, fear. So from an extortion perspective, it is the perfect vehicle for attacking vulnerability. And even if it’s not successful, it creates a tremendous amount of disruption.”
And then, just a few hours later, came the news of the hacking of the electronic health record (EHR) of the MedStar Health system, which is based in Columbia, Maryland, and serves several hundred thousand patients across the region stretching from Washington, D.C. to Baltimore, Md., with 10 inpatient hospitals and more than 250 outpatient clinics.
As The Washington Post reported, a virus had infected the health system’s EHR, forcing its shutdown. “The FBI,” the newspaper reported, “is investigating the breach, which comes just weeks after similar cyber-attacks on two other medical institutions in California and Kentucky. Still, MedStar officials said they had found ‘no evidence that information has been stolen,’” the newspaper reported.
Meanwhile, at around 4 PM eastern time on Monday, MedStar Health officials stated on their website that, “Early this morning, MedStar Health's IT system was affected by a virus that prevents certain users from logging-in to our system. MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and Cyber-security partners to fully assess and address the situation.”
Of course, much about the MedStar crisis remains unknown—and that is totally understandable, as MedStar leaders doubtless are working assiduously behind the scenes to bring their EHR back up and restore normal, electronically facilitated operations. But this was a big hit—this is a very large, ten-hospital system with a teaching hospital, a large group of community hospitals, and 250 outpatient clinics—a much bigger and broader group than, for example, Hollywood Presbyterian Medical Center, the standalone community hospital hit by the ransomware attack last month. Perhaps we will never know all the details, but it is significant that a ten-hospital system has now been effectively hit by a cybercriminal virus.
Thus, the timeliness of the interview I had last week with Mac McMillan.
So, does it seem as though things are coming to a head these days with regard to these attacks? Yes, it absolutely does.
And the timing seems to be no mistake, as cybercriminals are glomming onto healthcare now mostly because the monetary value of the PHI (protected health information) of patients has become clearer to everyone—including, most importantly, the cybercriminals themselves.
As David Finn of Symantec told me recently, “I went directly to HIMSS from a week on the road, and my weeks on the road are typically with customers. And every customer that week before HIMSS had noted an uptick in ransomware attempts. And these are not purely Symantec customers, they also have other products. And they all made it through those ransomware attempts; one struggled, but they all made it through. And there was some bashing about Hollywood Presbyterian paying the ransom. But the thing is, this is not a security problem. When Hollywood Presbyterian paid the ransom, it wasn’t to get data back or turn systems on, it was because they couldn’t take care of patients. This is not a security issue, it’s a patient care issue. And this will continue to happen. And it really needs to become a concern of the c-suite—and CIOs need to communicate that to the c-suite.”
David Finn has been very involved in these issues, especially of late. In fact, he had released the results of a new study, “Healthcare IT Security and Risk Management Study,” cosponsored by HIMSS Analytics (a division of the Chicago-based Healthcare Information & Management Systems Society), and Finn’s company, the Mountain View, Calif.-based Symantec. The survey-based study found a rather worrisome level of preparedness for cyberattacks, meaning a very low level of preparedness for such attacks.
The low percentages of their IT budgets being spent on data security, the very small number of IT specialists focused on data security, the relatively low level of prioritization of data security in their organizations, based on frequency of discussion of the subject in board meetings—all those elements speak to a significant lack of preparedness for this onslaught of cyber-attacking and criminality that is ramping up now daily.
So the crisis afflicting the MedStar Health system is symptomatic of a broader issue. As Mac and David and others keep pointing out, the senior leaders in patient care organizations need to get proactive—now—about what is happening, and need to approach this U.S. healthcare system crisis (for it is a crisis) strategically. And they need to get serious about devoting the funding needed to get ahead of the challenge.
Or, as Mac so aptly put it, “I think it really does come down to the fact that we just have to make security a priority. And for what it’s worth, I don’t believe you can say it’s a priority in your organization until you resource it properly. Having platitudes and making speeches doesn’t mean something is a priority. When an organization puts resources to something, that’s when it’s a priority. So show me the resources, and I’ll believe you.”
So only time will tell. But what is becoming clearer by the day is that things are accelerating now—in a bad way—and there isn’t much time left for healthcare IT leaders, in particular, to rise up to meet the challenge. Because the hacker roulette wheel seems to be spinning faster now every week.