-
August 25, 2019
-
Today’s healthcare industry is plagued by a number of serious, undeniable cyber risks.
Start with an expanding attack surface, ripe for exploit by hackers. Add a reliance on outdated medical hardware and software. Include resistance by management to address the full scope of risk and a lack of employee awareness. The result is a diagnosis of disaster.
Consider what happened to the American Medical Collection Agency (AMCA) this year. In June, AMCA’s parent company revealed that the medical billing firm had suffered an eight-month long data breach that affected nearly 20 million patient records. The resulting expenses drove AMCA to file for Chapter 11 bankruptcy protection.1
Clearly, the healthcare industry needs to take immediate steps to mitigate these kinds of risks and become more cyber resilient. Here is an analysis of some of the trends troubling the industry and suggested remedies for reducing vulnerability.
Increased Attack Surface
The attack surface, or environment in which vulnerabilities exist that attackers can target, has grown enormously in healthcare over the past few decades.
Its growth can be traced back in part to the advent of the electronic health record (EHR) and electronic medical record (EMR). These digital versions of a patient’s health information chart have had significant impact on care. They provide authorized users, like healthcare professionals, with immediate and real-time views of details about patients resulting in accurate and speedy treatment options.
Unfortunately, at the time these electronic records were developed, security was often an afterthought. This has led to numerous entry points for malicious actors to exploit, and all it takes to gain access to millions of patient records is one successful cyber attack.
As part of an effort to contain that threat, a specific focus on patient privacy followed with the development of the Healthcare Insurance Portability and Accountability Act (HIPAA). HIPAA’s goal is to limit data sharing to protect Personally Identifiable Information (PII), even as the environment HIPAA regulates requires data sharing to best serve patients.
This tension between access versus privacy has distracted the industry from recognizing the real risks in cybersecurity.
Making matters worse, data containing medical records is much more valuable to hackers who can sell it for significantly more money than other kinds of stolen data. Medical records can help with conducting insurance and tax fraud, which often takes longer to detect and can generate higher revenue for malicious actors.2 Who needs to phish for an email password when you can steal a patient’s entire medical record and make a small fortune?
All this leaves the healthcare industry in a catch-22 situation. More patient information entered into the network improves patient care, and yet the expanding database of information makes it more enticing for cyber criminals.
This tension between access versus privacy has distracted the industry from recognizing the real risks in cybersecurity.
Legacy Medical Hardware and Software
Across every industry, installation of the most up to date software and hardware is key to ensuring the latest security features are in place. Healthcare has unique challenges in this regard.
Hospital and healthcare facilities do not have a universal technology. Some may have purchased common medical devices, yet the inherent software is so behind the times it’s often riddled with security flaws. Others run hardware or software that is so outdated a software patch is not even available.
The need to update legacy systems and software is something administrators have been dealing with for years, and a cost-effective solution has yet to present itself. Building technology refreshes into new devices might be one solution. So too might be purchasing new devices without known vulnerabilities. Both of these options, however, are expensive.
The answer may lie in a mandate that requires collaboration between technology and security to create proper risk management and acceptance procedures. This would allow pricey legacy equipment to remain in use as long as it is continually reviewed and assessed so that additional controls can be implemented when needed.
Regulation in the healthcare industry is generally focused on patient privacy concerns such as HIPPA, and the fines for failing to be compliant are steep. That tends to put the upgrading of legacy devices on the back burner for medical organizations. But even with the significant investment to meet higher standards, prioritizing medical and traditional technologies is crucial to best ensure overall security.
Getting Buy-in on Cybersecurity
Until recently, the healthcare industry did not see a direct correlation between cyber attacks and an impact to patient care. That changed two years ago but there is still much room for improvement. In May 2017, the United Kingdom’s National Health Service (NHS) experienced a ransomware attack that locked computers and brought normal operations to a standstill. The attack affected hospitals and thousands of appointments and operations had to be canceled. Ambulances were diverted.3 Access to patient records, schedules, and emails was disrupted.
Beyond the threat to human life, the attack was extremely costly. The NHS reportedly lost £92m (roughly USD $118 million),4 and its reputation was severely damaged. In fact, the once-august institution is still working to restore the public’s trust.
While the attack succeeded in opening eyes to the legitimacy of cyber risks in the healthcare industry, amazingly, full buy-in from leadership is still lacking, possibly due to financial concerns or not fully comprehending the damaging outcomes from risks they’re facing. Without more aggressive preparation, damage from the next attack could be far greater, going so far as to force smaller facilities to shut down permanently and patients to abandon their providers entirely.
People: Your Greatest Asset
People, processes, and technology are keys to improving the security of any organization’s attack surface. Within the healthcare industry, a lack of employee awareness and education presents a major security weakness.
Employees (and patients) need to know the “why” behind certain actions designed to improve security. With greater understanding of the reasons, they are less likely to try and circumvent processes out of perceived inconvenience, and more likely to actively help in securing the organization.
Take the NHS incident. The attacker is believed to have exploited a Microsoft flaw and the NHS either did not apply the appropriate software patch to mend it, or was using an old operating system that did not have an available patch. It’s also possible that many employees ignored management’s request to install updates, which is a common issue in the cybersecurity world.
Technology and security professionals need to work together with healthcare professionals to develop and provide more mutually beneficial solutions. The goal should be to create adequate security standards and protocols that do not reduce the usability of systems for their healthcare workers.
To better drive this point home, cyber risks need to be explained not as technical threats, but as safety issues for patients. Providing the context behind the importance of installing updates will change employee perception that any new process is a hindrance and reduce the likelihood they will ignore the request to update.
A Unique Challenge
The healthcare industry’s reliance on access to information and operational continuity, in addition to an attack surface that continues to expand, will keep industry stakeholders as prime targets for cyber criminals. Proper security measures absolutely must be implemented, and employees need to be educated in terms they understand. The end goal of cyber experts and the healthcare professionals they interact with is ultimately the same — to ensure patient safety. Ensuring collaboration between these groups may provide a much-needed cybersecurity booster shot.
Footnotes
1. Davis, Jessica. “AMCA Files Chapter 11 After Data Breach Impacting Quest, LabCorp.” HealthITSecurity, HealthITSecurity, 18 June 2019, https://healthitsecurity.com/news/amca-files-chapter-11-after-data-breach-impacting-quest-labcorp
2. Forrester Research. “Arm Yourselves for Healthcare's Cybersecurity War.” ZDNet, ZDNet, 14 Jan. 2019, https://www.zdnet.com/article/arm-yourselves-for-healthcares-cybersecurity-war/
3. Lawless, Jill, et al. “World Cyberattack Cripples UK Hospitals, Demands Ransoms.” Star Tribune, Star Tribune, 12 May 2017, http://www.startribune.com/uk-hospitals-report-tech-problems-in-possible-cyberattack/422099413/
4. Field, Matthew. “WannaCry Cyber Attack Cost the NHS £92m as 19,000 Appointments Cancelled.” The Telegraph, Telegraph Media Group, 11 Oct. 2018, https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/
© Copyright 2019. The views expressed herein are those of the authors and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.
About The Journal
The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.
Related Insights
Published
August 25, 2019
Key Contacts
Senior Managing Director, Head of Americas Cybersecurity