Analytics Brief: Cybersecurity challenges in our hospitals

When ransomware infects our healthcare systems and threatens our privacy

Hospitals jumped into the cybersecurity spotlight recently when hackers successfully gained access to Hollywood Presbyterian Medical Center’s network and made off with a $17,000 payday. This event raises the concern that holding data for ransom may become the norm for hackers, especially because experts have deemed healthcare organizations to be low-hanging fruit for cyber criminals to exploit.

And Hollywood Presbyterian is not alone. Hospitals in Germany also had their medical records held hostage by hackers. And researchers who studied a dozen US healthcare organizations discovered they are not prepared to fend off cyber attacks that are aimed at disrupting services or compromising patient health.

Getting experts to weigh in

What should healthcare organizations be doing to prevent copycat attacks? What do these attacks mean for the future of healthcare, patient care and patient data privacy? How do we balance the need for connected medical devices and the demand for secure digital access to patient records? Cybersecurity and healthcare experts weighed in on these questions during the recent, inaugural Analytics Brief.

David Chou

CIO, Global Healthcare

The most important thing that the organization can do is to educate its staff on security and the measures that every employee must take to protect the institution. The majority of security threats happen internally within an organization, and it starts most commonly with an employee opening an email or file that they are not supposed to open, which allows the hackers access to the network.

Educating the staff has to be the top priority for an organization, and the once-a-year security assessment is not good enough. Cybersecurity has to be an organizational objective, and ownership needs to fall on the entire C-suite. Connected medical device security is a tough one to tackle because manufacturing is not working with the healthcare organization’s technology department. We are buying a black box and expecting it to work and meet all of the security protocols. This expectation is an ongoing concern for healthcare security officers because the number of connected network medical devices increases, and the industry does not yet have a firm solution for this problem. The good part is that the medical device companies are aware of the vulnerability, and security is also on the priority list.

Scott N. Schober

Cybersecurity expert and president and CEO, Berkeley Varitronics Systems, Inc.

The most important thing any healthcare organization can do to prevent hacking or copycat attacks is the same thing every end user should already be doing—back up all data daily or weekly at least. Whether it’s patient data, hospital admin data or payment data, if a recent copy exists on an outside server, the ransomware holds very little power over the healthcare organization.

The belief is that ransomware attacks originated with a targeted phishing attack on an employee with electronic medical record (EMR) system access who clicked a link in an email. Besides increasing the spam and malware filters, healthcare organizations also need to educate all employees on cybersecurity best practices to help avoid the most common human element weaknesses—specifically email phishing attacks.

Healthcare data is currently the most valuable data available for sale on the dark web because it leads to so many different kinds of money trails. By paying the ransomware, Hollywood Presbyterian Medical Center has legitimized these cyber thieves and made it easier for the next wave of healthcare ransomware. They’ve also set the minimum ransom price for a US hospital. While $17,000 is not much for a hospital budget, it’s highly unlikely that the price to get a hospital back online will ever go below $17,000. Ransomware, for lack of a better term, has become just another cost of doing business for healthcare.

As long as technological advances allow, we will be using connected devices more often in healthcare. This trend will not stop, but neither will the hacking and ransomware that will be attached to these devices and services. There needs to be a general Internet of Things standard for security and possibly an additional security layer for healthcare because of the sensitive and valuable nature of patient data. No good reason exists to ever deploy insecure devices, especially if the end user or the patients do not substantially benefit from the new technology. Technological breakthroughs are rapid, but medical testing and approval is a slow process. The two need to meet somewhere in the middle to ensure maximum effectiveness meets minimum security standards in all healthcare devices and networks.

Shahid Shah

CEO, Nespective Communications, and cybersecurity and risk management consultant

We need to treat cyber extortion—digital ransoming—as a continuity of operations (COOP) or disaster recovery (DR) incident. Extortions such as these are going to be more common, and the only way to reduce the costs and frequency of the ransom demands is to treat the incident as a breach. Responding to it by recovering data and replacing servers as we would for COOP or DR incidents makes a lot of sense. I think some institutions that can be held ransom may not have proper COOP or DR capabilities, which means they are vulnerable to more than just cybersecurity extortion events. By looking at immutable servers, immediate recovery, rapid COOP and DR responses, and related techniques, we can help our most vulnerable healthcare institutions be less susceptible to extortion demands.

Morgan Wright

Principal and owner, Morgan Wright LLC, and cyber terrorism and cyber crime analyst

We need to focus on prevention and not just an after-the-fact approach. The vast majority of ransomware attacks are successful because they use phishing or spear phishing techniques. Hospitals are easy targets. That’s why last year, one in three Americans was impacted by medical record breaches. I would bet the malware was through a spear phishing attack—the most successful path to exploits such as these. Response and recovery is half the conversation. Humans are still the weakest link, and spear phishing attacks are on the rise, especially business email compromise—7,600 victims and $747 million in losses during 2015. Social engineering and spear phishing are a deadly combination. Give me a choice between a tool and a tactic, and I’ll take spear phishing and social engineering any day of the week.

Sharing your thoughts

What’s your take on healthcare cybersecurity and ransomware? How can hospitals strengthen their cybersecurity to protect their networks and their patients from cyber criminals? Offer your thoughts and opinions in the comments, and join us as we work to stay ahead of cyber threats.

Follow @IBMAnalytics