Over the last decade, major studies have calculated the monetary and reputational costs of data breaches in the healthcare industry. Recently, however, many healthcare leaders are paying more attention to how cyber attackers threaten the lives of the very patients they are trying to save.
Modern healthcare facilities depend on quick access to networked information such as diagnostic images, lab and test results, patient records, and case management information. The complexity of these systems, coupled with thousands of unsecured networked medical devices, increases the likelihood of hidden vulnerabilities to cyber threats. The fallout of a cyber-attack can prevent or delay timely lifesaving interventions, with devastating effects on patient care.
In 2017, the “WannaCry” ransomware unleashed chaos on hospitals and medical devices across the world, with damage felt in Britain and the U.S. As computer systems were paralyzed by the attack, thousands of doctors were unable to access patient data, emergency rooms shut down, and in some cases critical X-rays, MRIs, and CT scans were canceled, forcing doctors to treat patients without access to vital information. 2017 became the year that healthcare leaders realized the implications of cyberthreats on a scale not seen before.
This raises the question: why are healthcare entities more susceptible to cyber-attacks than other industries such as financial services and banking?
Hospitals traditionally have been slower to dedicate adequate funding to areas of business operations, like IT, that do not produce revenue. Health information has greater value to hackers than financial information alone, so there is greater incentive for hackers to target healthcare entities. Hackers exploit the path of least resistance, which is why the healthcare industry needs greater awareness that cyber attacks on its facilities are not “random” or “benign”, but targeted and potentially deadly for patients.
Doug Brown, Founder of Black Book, states in the 2018 State of the Healthcare Cybersecurity Industry survey results:
“Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively.”
That same report (a survey of 2,464 security professionals from 680 provider organizations) indicates these sobering results:
- 60% of healthcare enterprises have not formally identified specific security objectives and requirements in a strategic and tactical plan. Without a clear set of security goals, providers are operating in the dark and it is impossible to measure results.
- 89% of CIOs reported that, when the IT decision was made, they bought their cybersecurity solution to be compliant, not necessarily to reduce risk.
- 58% of hospitals did not select their current security vendor in advance of a cybersecurity incident.
- 32% of healthcare organizations did not scan for vulnerabilities before an attack.
- 57% of IT management respondents report that their operations are not aware of the full variety of cybersecurity solution sets that exist, particularly in mobile security environments, intrusion detection, attack prevention, forensics, and testing.
While the 2017 WannaCry ransomware attack was not directed specifically at healthcare providers, healthcare data analysts are seeing a growing trend of directed threats through e-mail phishing attacks and ransomware. Healthcare organizations that run aging and vulnerable operating systems are more attractive to attackers; yet even after the WannaCry attack, which targeted machines on Windows 7, healthcare was the slowest industry to upgrade to Windows 10, according to Duo Security.
Vulnerabilities are not only technical weaknesses such as misconfigurations and missing software patches: every employee who is untrained to spot and avoid malicious e-mails and hyperlinks leaves the healthcare facility exposed to cyber exploits. When patient lives are on the line, healthcare leaders need to rethink their posture toward these threats, because “it’s not a matter of if a cyber-attack happens, but when an attack will happen”.
In July of 2018, Cass Regional Medical Center in Harrisonville, MS, was attacked with ransomware, and within 30 minutes of the attack the hospital implemented its incident response protocol. The attack disrupted internal communication and the EMR system, so the hospital diverted emergency services for trauma and stroke victims to ensure optimal care for those patients. Because of the careful planning of the hospital staff, Cass averted true disaster. In the absence of such a response protocol, hospitals may find themselves unable to render the best care to patients under these circumstances.
Failing to secure technology systems against cyber-attacks is a risk to patient lives, and healthcare leaders should take every precaution to mitigate that risk through the delivery of securely managed technology infrastructure and 24/7 compliance.