Recent cyberattacks have targeted hospitals, crippling systems and disrupting patient care. Over the past several weeks, hospitals in Ireland, New Zealand, and San Diego have been hit by ransomware attacks that disrupted systems for periods lasting as long as several weeks. Ransom demands for healthcare breaches currently average $4.6 million.
Why are healthcare organizations being targeted by ransomware attacks? Below, we'll discuss why the healthcare sector is vulnerable and what it can do to protect itself.
Technical Challenges
- The rapid transition to the cloud: The healthcare industry was relatively slow to move its systems from on-premises data storage to a cloud-based alternative. Despite this initial hesitation, many healthcare organizations eventually began embracing hybrid cloud environments.
However, before the pandemic, many healthcare organizations were storing their data entirely on-premises. When the pandemic struck, healthcare organizations that had not previously moved to the cloud, or were using a hybrid model of on-premises and cloud-based storage, were forced to move to the cloud rapidly. The rapid transition left them vulnerable to attacks. Those organizations started falling victim to ransomware because security controls such as vulnerability patching and password security were not up to date, so cybercriminals viewed them as soft and potentially lucrative targets.
- The infrequent cadence of security updates and vulnerability patching: Unfortunately, healthcare providers do not always keep up with vulnerability patching. A study from Vanderbilt University found that approximately 39% of healthcare companies expose some kind of port or service to external parties. These exposed services are often vulnerable because they are not updated or patched properly.
The Unique Value of Healthcare Data
- Sensitivity of patient data: Healthcare organizations are prime targets for hackers due to the valuable protected health information (PHI) they store and the vital role they play in our nation’s critical infrastructure. Stolen healthcare data fetches a smaller price than financial records, so the motivations behind stealing and selling bulk medical data are unclear. However, a “Health Warning” report by Intel Security’s McAfee Labs revealed that cybercriminals are putting more time and resources into exploiting and monetizing healthcare data. Financial data can quickly become unusable after being stolen because people can quickly change their credit card numbers. But medical data is not perishable, which makes it particularly valuable. Some in the medical industry speculate that medical data could grow to rival or surpass financial data in value on the black market.
- Medical devices and telemedicine introduce new IoT concerns: These forms of technology are changing the way that care is delivered and breaking down the traditional IT barriers that existed within an organization. As the Internet of Things grows, and we collect health data on everything from our Fitbits, to our smart scales, to the phones we carry 24/7, the potential for interaction between our medical providers and this technology increases. These new technologies also introduce a multitude of vendors and new security concerns that healthcare organizations are working to control.
- Healthcare is a heavily regulated industry: Healthcare is one of the more regulated industries, and many regulations are what led to the digital transformation of this change-averse industry. For example, in the USA, the US Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) are the entities that create government regulations across healthcare. Some of their key compliance standards include HIPAA, which focuses on protecting PHI, and HITECH, which is focused on enforcing the use of Electronic Health Records (EHRs). EHRs moved the foundation of medical records from paper to digital - a huge digital transformation for healthcare.
While regulations have often both introduced new technology and forced digital transformation in healthcare, many have also restricted the capabilities of the technology they have introduced.
The Effects of the Pandemic:
- Telemedicine and remote working: The pandemic has led to a surge in telemedicine and remote access, which creates extra vulnerability due to the increased attack surface. 56% of patients have used telemedicine alternatives to in-person healthcare visits during the pandemic, and while this has been a huge benefit for both patients and healthcare providers, it has left more people open to attacks. This is partially due to relaxed HIPAA restrictions on telehealth to accommodate the use of tools like Zoom, and due to the fact that many healthcare providers need to conduct telehealth visits from unsecured networks in their homes.
- Budget impact: Budgets decreased with the reduction in elective procedures, which are a large source of revenue for healthcare providers. During the pandemic, the healthcare industry was hit not only by COVID itself but also by the impact on its funding - losing money from canceled elective procedures and doctor appointments while having to identify its own funding and aid for handling COVID emergencies. This created a shortfall across all budgets, including IT.
- The need for balancing speed and security: In 2009, the Meaningful Use Act mandated the transition to digital health records. Gaining secure access to electronic records became a major pain point for doctors, since it required them to remember passwords to access systems. When it comes to information, doctors and hospitals are often more concerned with accessing patient information quickly than with the security of that information. Login methods that add time to accessing critical systems can cost an extra minute or two - and that can spell life or death in some situations. If a security protocol interrupts their workflow, that can put patients at risk.
- Password challenges: If healthcare providers find passwords too difficult to memorize, have too many to memorize, or find that they need to change passwords too frequently, they will find a workaround, such as leaving systems unlocked, sharing access cards, or writing their passwords down on walls or taping them under computer keyboards.
- User experience: Security must strike a balance with usability, particularly in environments like healthcare where the primary goal is patient care and information security is a secondary concern. Doctors need usable security solutions so that they do not resort to workarounds.
What Steps Can Healthcare Organizations Take to Become Less Vulnerable?
- Good hygiene: Patching vulnerabilities and maintaining systems should be done continuously, not sporadically.
- Moving to the cloud: Move to the cloud instead of maintaining all data on-premises, where ransomware attacks are more prevalent and data may not be fully encrypted. If healthcare organizations have at least some of their data stored in the cloud, they will still have access to some services online in the event that their on-premises storage is hit by ransomware.
- Cybersecurity awareness: Educate clinicians and back-office staff about the increasing cyberthreats targeting their organizations.
- Security solutions that don’t impede patient care: Implement security that healthcare providers will adopt and that doesn’t interfere with patient care. Anything that saves clinicians time while logging in to systems is critical. It’s important to understand the workflows of doctors and implement technology that fits within those workflows.
Multi-factor Authentication Options:
- The importance of flexibility and multiple options: Multiple authentication methods are crucial in healthcare, and it’s important for users to have flexible options. Having multiple options allows users to adopt solutions in a way that complements their workflow. Biometrics can be a good option for some healthcare situations. Since there are many unique workflows in healthcare, offering flexible options for authentication is vital, as there is not always a one-size-fits-all solution.
Biometrics as an MFA Option:
- One of the leading causes of death in the United States is medical errors, including inaccurate medical records. If, for example, a doctor reviews an incorrect record and doesn’t realize a patient is allergic to penicillin, the patient could be at serious risk. Patient misidentification is a huge problem that healthcare has been trying to solve. Biometrics would be an effective way to prevent this mistake. For example, if a patient were in a car accident and knocked unconscious, their palm could be scanned to ascertain their identity and access their medical records.
Biometrics are also a good solution for remote access, since a clinician could use their palm or fingerprint to confirm they are who they say they are. For Electronic Prescribing for Controlled Substances (EPCS), biometrics are a reliable option for verifying a patient’s identity.