Cyber security among healthcare organizations has continued to rise as a concern, particularly with the increase in frequency and notoriety of ransomware attacks.
In these attacks, cyber criminals find a way inside hospital management system software or other networks and then lock legitimate users out of their files, effectively preventing them from doing their jobs until a substantial ransom is paid.
What should keep those in charge of healthcare cyber security up at night is the fact that these attacks have been more like those first heavy, individual raindrops right before a major storm. The hard rain is still to come.
Creating an effective defense will involve many challenges, the largest of which will be turning system users from being the weak links in network defense to become vigilant and educated protectors of potential break-ins.
To understand the appeal or ransomware attacks to criminals, and the need to ramp up defenses, it’s important to look at these attacks from the hackers’ perspective and how to engineer appropriate defenses from the healthcare organization side.
For cyber criminals, the ability to monetize their efforts is a huge driver. In the past, hackers often attacked the systems of large organizations for fun, for notoriety or because they had some sort of grudge against the organization. Ransomware is a whole different animal. It takes the idea of hacking and makes it a for-profit scheme.
Their victims have suspect defenses, as well. Providers and payers are heavily reliant on PCs, laptops and mobile devices, and every function – clinical, financial, operations, claims and more—is technology-based. Shut down access to applications and you can bring these organizations to their knees. As the Internet of Things era grows, where everything from high-tech medical devices and electronic health records (EHRs) down to the toaster in the break room is connected to the web, more entry points are available, making providers and payers more vulnerable to these attacks.
Better yet for profiteers, most providers find it is faster, easier and cheaper to pay the ransom to get data back, especially if they haven’t been diligent about the way they back up data so they can restore the systems themselves. Even the FBI has suggested that paying a ransom may be the best option for some ill-prepared organizations.
And as providers are willing to pay, another economic driver is that the “cost to entry” is low. Getting into the business doesn’t require advanced technical skills—cyber criminals can purchase toolkits on the Dark Web or from other sources that will do all the work for them except select the targets. Or they can simply hire someone with the skills to do it. They are also sharing information among themselves on which organizations are vulnerable and in what way.
From the healthcare organization’s perspective, the best defense against such attacks involves prevention. The challenge is that technological defenses can be rendered ineffective if users slip up. As a result, an effective healthcare cyber security program must also take human factors into account.
Healthcare organizations are particularly vulnerable to spear phishing schemes and social engineering as a result of several factors.
One is the speed and volume of communications involved, especially in clinical care. Busy clinicians and even C-level executives who see an email or other message that appears to be from a colleague (even though it is from a cyber criminal) will likely not give it a lot of scrutiny before opening it. At that point the ransomware is introduced into the system. A 2015 Verizon report shows that lost or stolen assets (such as smartphones) and privilege misuse of hospital software by authorized employees provide common entryways.
Another reason is the large technology burden that has been placed on IT departments in the last few years to meet various government mandates and business requirements. Implementing EHRs (and subsequent attestation to Meaningful Use) alone has been a huge, time-consuming initiative for hospitals and physicians.
The need to implement data warehouses, analytics, quality reporting, computer-driven evidence-based guidelines, upgraded financial systems, claims automation and many other technologies has stretched IT departments at both provider offices and payer organizations wafer-thin. As a result, IT departments have not been able to place much focus on technical best practices, such as keeping up with myriad security patches for operating systems and individual applications, leaving their networks vulnerable. Studies across all industries show that more than 90 percent of past data breaches were preventable.
IT departments can address the technical side by making security a priority. They can disable macros in documents. They also can takes steps such as backing up data more frequently and using off-site backups that are isolated from the main system. Payers and providers may also want to consider establishing a security information exchange that effectively pools their resources and aggregates their knowledge rather than having each organization attack the issue separately.
If they don’t have the internal resources to manage their data and security effectively, healthcare organizations may want to consider moving it to a cloud provider that will take responsibility for maintenance and management of the core system, especially with the high levels of certified security cloud providers are now attaining. Still, all of this only gets them part of the way there.
There is also a real need is to educate and train users on how to recognize the techniques cyber criminals use to gain entrance to hospital software and networks. Users traditionally have thought of healthcare cyber security as being an IT issue. They must understand their own role. For example, if a user in accounts receivable receives a message saying the attached invoice didn’t go through, the user should be trained not to open the attachment. Instead, the best strategy is to contact the customer to determine if there is a real problem or this is an attempt at social engineering.
The fear of problems causes many bad decisions. By training users to get the facts first rather than immediately going into panic mode, organizations can avoid larger issues, such as ransomware attacks.
The bottom line is there is only so much IT can do to prevent ransomware. It’s a cat-and-mouse game with cyber criminals, and the criminals have the advantage because this game is their entire focus. By enlisting users in the battle, providers and payers can reduce their risk considerably so they don’t end up the next big headline.
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access