Not that long ago, healthcare worried mostly about the physical loss of personal health information (PHI) by way of a lost thumb drive, a stolen laptop, some misplaced paper files. These were the primary concerns in HIMSS initial security survey, published in 2008. It wasn’t until five years later, in 2013, that the largest healthcare security breaches came from cyberattacks instead of lost or stolen devices.
So, is it encouraging to see how far the rapid pace of change has carried health IT in just a few years? Well, yes and no. Growth is good, but it always presents a new set of challenges. To be sure, healthcare has joined the rest of the wired world as a frequent target of technically skilled ne’er-do-wells.
The challenge of healthcare cyber-breaches
In 2014, cyber-breaches in the form of systems hacking, credit card skimming, and phishing (obtaining sensitive personal data by pretending to be someone trustworthy) totaled 29% of all security breaches. In 2015, that number rose to 38%.
Expect the trend to continue and expect it to get more complicated based on what’s happening in other industries. You may, for example, remember an interesting experiment last summer in which hackers demonstrated the susceptibility of a car’s onboard computer system by taking control of a Jeep going 70 miles per hour on a freeway outside St. Louis.
“Immediately, my accelerator stopped working,” writes Andy Greenberg in a Wired magazine article on the car sabotage. “As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”
The hurtling SUV hijinks are just one example of the Internet of Things (IoT), the global network of tangible objects (a Jeep, for example) with embedded sensors, software and hackable Internet connections. Where cyber masterminds used to have to access a car’s diagnostic port to tap the computer, now they can do so wirelessly.
Hacking medical devices
Of course, the commonality of sensors and software make most devices potentially hackable. So, what might hackers do if they can gain remote control of healthcare devices? The prospects are a bit chilling. Imagine where that Jeep might have gone with black-hat hackers at the keyboard.
“We may soon be looking at insertables—implants, pacemakers, insulin pumps—becoming targets of cyber-terrorists,” says Ponemon Institute Chairman and Founder Dr. Larry Ponemon in a Healthcare IT News article.” And this is not science fiction. It’s already been demonstrated.”
Nightmarish movie scenarios are unlikely, but hackers are already able to install ransomware on computers that holds data hostage until the owner pays a ransom to recapture control.
“It’s a bit like thieves sneaking into your home, and rather than carting away the TV, stuffing your jewelry and electronics into an impenetrable trunk,” explains Kaveh Waddell in The Atlantic. “Then they try to sell you the key.”
As Waddell reports, one hacker made $1 million in a single day off desperate computer users, and the FBI says some viruses are so good the easiest path is to just pay the ransom—usually in the $300 to $750 range.
“There is cause for concern,” according to a report by the Health Research Institute at PriceWaterhouseCoopers (PwC). “2015 saw the first-ever government warning that a medical device was vulnerable to hacking—an infusion pump officials warned could be modified to deliver a fatal dose of medication.”
The cost of cybercrime
Of course, hacks, ransomware, phishing scams, and the like are not just happening in healthcare. Analysts estimate banking lost roughly $1 billion to cybercrime between late 2013 and early last year. Last summer, JP Morgan reported that hackers had accessed a database with information for 76 million households and 7 million small businesses.
As one might expect, these incidents are only a drop in the bucket. As a former executive with a financial portfolio management software firm, I know the assault on financial institutions is relentless, despite constant and detailed efforts to improve security. After all, as Willie Sutton reportedly said when asked why he robbed banks, “Because that’s where the money is.”
But what if hackers, en masse or gradually, were to figure out that hospitals were actually pretty lucrative and easier pickings? There’s not much reason to think that hasn’t happened already. Consider the Anthem breach last year and PwC analysis showing that 85% of large healthcare organizations experienced a breach in 2014 with 18% costing more than $1 million to fix.
Sutton’s logic applies to healthcare organizations, too. Hackers will go after the big ones because that’s where the money is, but there’s no reason to think it will end there. If a small hospital can be held hostage for $300 in ransom, why should we think they won’t be? After all, the urgency associated with unlocking an infusion pump will be greater than regaining access to vacation photos. More urgency equals more rapid payment, and more frequent hostage taking if security doesn’t improve.
What can be done?
While healthcare has not been a major hacking target for that long, the security recommendations and requirements that anticipated these scenarios have been around for a while in the form of regularly updated HIPAA regulations. These regulations require hospitals to establish a security framework—basic procedures like access control and user education. Unfortunately, they provide little in the way of specific strategies and tactics like regular penetration testing, clear reporting procedures, or how to perform periodic testing and training. Hospitals and health systems must make their own decisions to ensure that their overall environment is secure.
I have no doubt all healthcare enterprises believe they are doing their best to protect PHI and patient financial information. But there are still disconnects. Even the most security-aware technical staff is limited by budget restraints. Even the most focused administrator has a lot of moving parts to manage and fund. And HIPAA requirements leave some security preparation wiggle room based on the size and resources of the facility.
Ultimately, the security decision calculus must be driven by risk—by what a hospital or health system is vulnerable to—not what it can marshal the resources to defend against. And understanding risk has little reward if you don’t invest the time and money to mitigate it. In our connected world, we pay for security or we pay for lack of security. There can be little doubt that the latter is more affordable—to say nothing of predictable—in the long run.
This was first published on Medsphere on 01/26/16. It has been republished here with the author’s permission.