News

The Growing Threat of Cyberattacks in Health Care

Hackers see too many hospitals and other healthcare facilities the way a car thief sees a parking lot full of unlocked vehicles.

Easy pickings.

How pervasive is the cybersecurity problem in health care? A Ponemon Institute study found that in the previous two years, 89% of healthcare organizations had dealt with data breaches, and 79% had had two or more. Most, the study found, were the result of criminal attacks.

For a variety of reasons, healthcare facilities are a comparatively easy target, and a very attractive one. As John Halamka, the chief information officer of Boston’s Beth Israel Deaconess Medical Center in Boston, puts it, “If you’re a hacker, you’re going to go where the money is and the safe is the easiest to open.”

But they don’t have to be that easy. There are steps organizations can and should take to effectively lock the doors and take the keys.

 

Three strikes

Health care is a popular target for three reasons, says the Harvard Business Review:

  • Healthcare data is sure money. Medical information can be used to steal identities or create fake ones. And a complete medical record — one that includes a Social Security number, a driver’s license, credit card details, health plan information and prescriptions — can fetch as much as $1,000 on darknet sites, say experts. If nothing else, data can, and often is, used for extortion — a way to force organizations to pay ransom to regain access to their compromised and encrypted data.
  • Health care has lagged behind other industries in taking steps to secure data. Many medical staff members still don’t understand the risks, and healthcare organizations tend to devote fewer resources to cybersecurity than do other industries. A 2017 survey by the Healthcare Information and Management Systems Society found that nearly three-quarters (72%) of healthcare organizations dedicated only 6% or less of their budgets to cybersecurity, and shockingly, well over a third (40%) dedicated 2% or less.
  • Other industries, most of which devote much greater resources, have gotten better about detecting and blocking cyberattacks, forcing criminals to look for new sources of data.

 

Missed opportunities

One result of the scant attention paid is that healthcare organizations simply haven’t kept up with security demands. Last year’s devastating WannaCry 2.0 attack could have been largely thwarted by a security patch released by Microsoft several months earlier. But many providers were still using devices that hadn’t been updated.

At Banner Health, which operates 29 hospitals in Arizona, hackers managed to access millions of healthcare-related records by getting in through the hospitals’ food and beverage outlets. Those, of course, should have been controlled by a completely separate network.

And there are plenty of low-tech issues, too. Ransomware typically finds its way to victims in three ways, according to the Center for Internet Security: phishing emails that contain malicious attachments; malicious links opened by unwitting users; and viewing of advertisements that contain malware.

 

More “Things” to worry about

The increasing number of devices and objects connected to the Internet — the so-called Internet of Things — compounds the challenge for healthcare providers, since each is another potential access point for hackers.

“On average a hospital bed has about 10 to 15 medical devices connected to it at one time,” says Maryanne Woo, a partner at the Reed Smith law firm. “They all need to be able to talk to each other. They all need to be able to share data, share information.”

But that interoperability may be achieved at the expense of security. “If someone from the outside can hack into the MRI machine, hack into the X-ray machine, or can hack into your blood gas analyzer — because none of them are set up to detect malware — then they can go anywhere into the hospital,” says Ms. Woo.

That challenge, she says, has gotten the attention of the FDA, which is increasingly focused on potential hackability in its approval process for medical devices.

 

Better safeguards

Most users know and understand basic precautions, like keeping operating systems up-to-date, using strong passwords, employing anti-virus and anti-spam applications, and regularly backing up data. Still, it’s a good idea to require training for personnel to helps ensure they won’t fall prey to phishing schemes, or open malicious attachments.

But instead of fighting the same battles in the same ways to try to stay ahead of hackers, organizations should consider fortifying themselves with newer, more sophisticated approaches, such as behavior analysis, tokenization and, perhaps down the road, biometric-based security.

Behavior analysis strengthens security by establishing user patterns and flagging behavior that deviates from the usual, such as logging in from a new location or accessing parts of a system the user doesn’t normally go to. Flagged users may be required to provide further authentication or even get booted from the system until a system administrator can investigate and allow access.

With tokenization, data is stored in the databases of third-party providers, instead of in the systems of healthcare providers. Its big advantage is that it isn’t reversible. As opposed to encrypted data, which can be cracked if a hacker gets his hands on the encryption key or somehow determines the algorithm used to create it, “tokens” are randomly generated and irreversible, so they’re worthless to hackers.

Biometric-based security, which relies on identifying users via unique personal characteristics such as voice patterns, fingerprints, or patterns of the iris or retina, is currently being tested and may turn out to be the ultimate safeguard for medical data.

Michael Murphy, MD
Dr. Michael Murphy is co-founder and Chief Executive Officer of ScribeAmerica, LLC. He co-founded ScribeAmerica in 2004, and it is now the country’s largest and most successful medical scribe company with a staff exceeding 7200 employees operating in over 46 states nationwide. Today, ScribeAmerica is the recognized leader of the medical scribe industry and remains at the forefront of professional scribe education, training, and program management nationally. Dr. Murphy served as an Army Ranger for the 1st Ranger Battalion in Savannah, Georgia, which allowed him to gain various leadership skills along with the ability to develop standard operating procedures. He applies this to his daily duties for ScribeAmerica. Dr. Murphy has been a leader on multiple issues including scribe policy, hospital throughput, electronic medical record implementation and optimization of provider to patient ratios. His goals are to continue making all medical practice locations an environment built for an exceptional patient experience that allows providers to focus solely on patient care. Dr. Murphy received his Doctor of Medicine from St. George's University and completed his residency training in Emergency Medicine at the University of Medicine and Dentistry of New Jersey in Newark. He has co-authored one textbook and is involved in 3 peer review articles.
Posted In: Compliance, Future of Healthcare, General, Quality, Efficiency, Utilization On: Tuesday, 6 March, 2018

3 Comments

  • Cyllan - March 10, 2018

    The American healthcare consumer’s ignorance of these practices has allowed them to exist and become widespread. Our elected government officials have increasingly blamed individual American healthcare consumers for high health spending in the United States rather than tackle the sources of the high health spending like these income maximizing hospital practices. They are increasingly bent on creating laws to increase the costs we must pay for our health care (our cost share) and reduce our healthcare benefits. For example, lawmakers have enacted to penalize the American healthcare consumer for having generous health insurance coverage (the Cadillac tax).

    Reply

Leave A Comment

Newsletter

image

Twitter

Twitter cannot show tweets right now. Please try again.

Copyright © 2004-2018. Scribe America. All Rights Reserved.