The U.S. news media have been filled with reports and commentary this week about the cyber-attack campaign against Sony Pictures, related to the anticipated release of a new film, “The Interview.” The story is a bit tangled, but in essence, someone or a group of someones hacked into the computer systems of Sony Pictures, leaking a huge amount of confidential, proprietary information about the company, including e-mails, information on upcoming movie projects, etc., and also wiping out a quantity of unspecified data on the company’s information systems.
Then, after the hacking was reported publicly, the North Korean government hinted strongly at its involvement and threatened movie theater chains planning to show the film (which was to open commercially on Dec. 25) with some unspecified physical harm or attack. If so, the cyber attack apparently related to the fact that the film, ostensibly a comedy, portrayed an attempted assassination of North Korean dictator Kim Jeong-Eun. In response to the threats, movie theater chains announced they would not show the film, and Sony pulled it from being shown. Needless to say, nothing exactly like this has ever happened before, and the film industry and the policy world in Washington have been thrown into considerable disarray over this series of unprecedented developments.
Then, this morning (Dec. 19), the F.B.I. announced that it had extensive evidence that the North Korean government had organized the cyber attack, marking the first time the United States has explicitly accused the leaders of a foreign nation of hacking American targets. As reported in a news story Friday morning in The New York Times, “The bureau said that there were significant ‘similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks’ to previous attacks by the North Koreans. It also said that there were classified elements of the evidence against the North that it could not reveal.”
After Sony Pictures executives released a statement indicating that they shut down the theatrical opening of “The Interview” only because the movie theater companies had refused to show the film—“The decision not to go forward with the December 25 theatrical release was made as a choice of the majority of the nation’s theater owners not choosing to release the film… we had no choice,” Sony executives aid in a statement—President Obama said Friday afternoon, “I wish they had spoken to me first. I would have told them, do not get into a pattern in which you’re intimidated by these kinds of attacks.” The North Koreans: “They caused a lot of damage. We will respond proportionally, and we will respond at a place and time and in a manner, that we choose.”
So what does this have to do with healthcare? A lot, actually. A number of senior industry leaders in the data security arena have been speaking out very forthrightly about the potential for hostile foreign governments, as well as organized foreign and domestic crime syndicates, to begin to target the U.S. healthcare sector, in order to steal the intellectual property of academic medical centers, for example, and to take information from electronic health records (EHRs) and other information systems that might yield for them ill-gotten financial gain.
Among the experts I’ve heard from on this subject are PriceWaterhouseCoopers’ Chris Van Pelt, and CynergisTek’s Mac McMillan. Back in October at the CHIME Fall Forum in San Antonio, PwC’s Van Pelt told me that it has been clear for a few years now that the healthcare industry would soon be hit by cyber attacks coming from hostile foreign governments and other entities, as the financial services sector has been. “We could have gotten ahead of what we knew to be coming,” he said. “The financial services sector was attacked very purposely by foreign countries—actual governments including China and Russia, as well as organized crime syndicates in African countries—and the federal government has had to intervene to help all the banks and financial institutions. There are now weekly conference calls involving federal officials and senior IT managers at all the major banks, to combat what’s going on.
And logically, we all knew that the healthcare and energy industries should have been next in line to be targeted by these very major entities. And as it turns out, both are now being hit.”
What’s more, he added with regard to a cyber attack from a foreign government or sophisticated crime syndicate, “It’s totally different from the level of an intrusion from an individual. If a foreign government breaches your security, they don’t want you to know what’s going on; they’re very sophisticated, and they’re going after your data. So during a two-year period, would a single hospital or health system know that was happening? By and large, the answer would be no.”
Meanwhile, Mac McMillan, speaking earlier this month at the Health Information executive’s Guide to Cyber Security, a CHIME LEAD Forum in collaboration with iHT2, said that “The events of this past year have begun to show what’s going on, that the folks who want to do harm to us in healthcare have absolutely found us, and they’re not going away.” As I wrote on the day of his presentation, “McMillan cited and briefly summarized 12 different, very serious, data breaches in 2014 that in a variety of ways are illustrative of all the threats facing patient care organizations in the U.S. What’s more, as he pointed out, the external threats—from hostile foreign governments, foreign-based criminal syndicates, and other entities—are beginning to emerge as potentially devastating for the U.S. healthcare system.”
So the reality is that what has happened to Sony Pictures may, horribly, only be the beginning of worse to come. And healthcare IT leaders are going to need to work with federal authorities, cooperate with each other, and read up the developments that have taken place and are now emerging, in other industries. Because the kind of problem that Sony Pictures is currently experiencing is not the kind of problem that any one organization can solve on its own.
Only time will tell how this particular set of developments ultimately shakes out. In the meantime, healthcare IT leaders need to begin now to prepare for a scary, unpredictable future, because what has happened to Sony Pictures is beginning to look more like the future than anything anyone in healthcare would ever want to imagine.