The health care industry is now the next big hunting arena for cyber criminals, as a sharp increase in hack attacks in recent years on medical institutions reveals. Last week, the Hollywood Presbyterian Medical Center in Los Angeles said it paid 40 bitcoins — or around $17,000 — to hackers who held its data system hostage, preventing the hospital’s staff from using their computers.
Health care institutions are especially vulnerable to such attacks, because they store sensitive patient data on networks that can be accessed on multiple devices. Although hospitals typically have low profit margins and need to make difficult choices on investments, they must strengthen their data systems and train employees to respond swiftly in the event of cyberattacks, experts warn.
“Health care institutions are in a tough space,” said Larry Whiteside, Jr., vice president of health care and critical infrastructure for Optiv, a cyber security solutions firm based in Denver, Colo. “They have low margins and have to figure out how to spend their money wisely. Security has for decades been their last choice of spend.” He called upon the health care industry to understand the risks it faces and start with “some small steps.” With proper processes and procedures in place, some of these cyberattacks could have been averted, he added. (See: “How the ‘Ten Commandments’ of Cyber Security Can Enhance Safety.”)
Spreading awareness about health care institutions facing increasing risks of cyber attacks is important, according to M. Lisa Yeo, professor of information systems at the Sellinger School of Business at Loyola University in Baltimore, Md. “We need a larger conversation so that companies and the public are talking about [cyber attacks] — where they are happening, who they are happening to,” she said.
A broad public discourse about such threats “could get some impetus behind law enforcement to have the technical capabilities to be ready to track the problem as soon as it starts,” added Yeo. She noted that hospitals typically have a very small time frame in which they are asked to pay a ransom. “If you don’t have all the technology in place to track what is going on … you’re not going to be able to have law enforcement help you in any real way.” Bitcoin payments are hard to trace, which explains why the hackers at Hollywood Presbyterian chose that route, she said.
“It is the beginning of a pandemic hitting health systems in the next few years.”–Larry Whiteside, Jr.
Whiteside and Yeo discussed the growing threat of cyberattacks on medical institutions on the Knowledge at Wharton show on Wharton Business Radio on SiriusXM channel 111.
A Pandemic in the Making
“Health care is a particularly vulnerable sector with respect to cyber security,” said Jeffrey Vagle, a lecturer in law at the University of Pennsylvania Law School and executive director of the school’s Center for Technology, Innovation & Competition. “Many of the devices and systems used in a medical environment simply were not designed with a high degree of security in mind, mainly due to the fact that ease-of-use for health care professionals is paramount.”
According to Yeo, hospitals are attractive targets for hackers. “This is data that potentially could risk people’s lives,” she said. “[That] means hospitals have an incentive to recover the data quickly and will likely want to pay up because that will be the fastest way to gain access to their data.”
Whiteside said that although the attack on Hollywood Presbyterian did not surprise him, it is only now that the media is paying serious attention to how health care institutions are soft targets for cyberattacks. “Health care data is more valuable to hackers than credit cards since more information can be gleaned from it,” he added. “It is the beginning of a pandemic hitting health systems in the next few years.”
Casualty List
The trail of casualties of such cyberattacks is growing. Since 2010, at least 158 institutions, including medical providers, insurers and hospitals, have reported being hacked or having information technology issues that compromised patient records, the Los Angeles Times reported, citing federal records. Last July, UCLA Health in Los Angeles said it was a victim of cyber attacks that may have compromised the data of about 4.5 million people.
“Organizations can start with easier — and cheaper — goals, like digital hygiene training for all of their employees, and go from there.”–Jeffrey Vagle
Data breaches are costing the health care industry $6 billion annually; the average economic impact of data breaches per organization is $2,134,800, according to a study released last May by Ponemon Institute of Traverse City, Mich., a research organization focused on privacy, data protection and information security policy.
Federal law requires hospitals to report medical data breaches that impact more than 500 people. Hollywood Presbyterian has 434 beds, and it alerted law enforcement authorities after the breach.
Whiteside said the threat of ransom-seeking cyber attackers goes beyond the health care industry. “Ransomware is just another form of a virus,” he said. “Organizations have to work on security on their endpoint devices (smartphones or tablets).” They are more prone to cyber attacks than even before because employees are more mobile today, they have more access to data and their devices are interconnected, he added.
“We have to look at more security on these end-devices … because the attackers are becoming more sophisticated,” said Whiteside. “Unfortunately, hospital systems have not kept up with the times in changing their endpoint methodologies.” The health care industry also has to overcome a problem in that it is not attractive to top talent in information security because it offers lower pay compared to other industries, he pointed out.
Enhance Digital Hygiene
However, increased investments in security infrastructure may not provide the real solutions for medical institutions. “The goal of 100% security is probably not one worth pursuing — organizations can spend all of their funding and still have no guarantees of security in the end,” said Vagle. “Rather, organizations can start with easier — and cheaper – goals, like digital hygiene training for all of their employees, and go from there.”
“For attacks to be profitable, the attackers need to continue to keep their word.”–M. Lisa Yeo
In boosting their defenses against hackers, Whiteside noted that medical institutions have to focus on three aspects — people, process and technology. “Education is low hanging fruit – once a year is not enough to train your people,” he said of typical training programs that organizations conduct for their employees.
Medical institutions must emphasize “cyber security education” for their employees where they understand how best to mitigate risk, noted Whiteside. “You are asking doctors, nurses, clinicians and so forth: ‘Don’t click on things you weren’t expecting.’”
To Pay or Not to Pay
Does it make sense for hospitals facing ransomware threats to pay up? Yeo said she understands why Hollywood Presbyterian felt the need to make the ransom payment. “I’d love to be able to say flat out ‘No, you never should [pay a ransom].’ But, the reality is they have operations they have to maintain, and individual clients and patients [whose records] they may need access to quickly. They can’t afford to take whatever amount of time it might take to restore everything through backup. If I were a businessperson put in that situation, I would choose to pay,” she said.
Whiteside described it is a “business-based risk decision,” and explained how that choice would play out. “If people’s lives are not at risk, some organizations might choose to not pay that ransom.
Even after paying the ransom, “there is no guarantee that you will get access to your data back,” said Whiteside. Yeo, however, did not think hackers would go back on their word, simply because it wouldn’t make good business sense. “There is that risk, but for attacks to be profitable, the attackers need to continue to keep their word.”
Despite any ransom payment made to hackers, hospitals remain a target to be attacked again, said Yeo. Much of these attacks depend on people clicking on the wrong buttons or downloading the wrong files to be successful, she added. “You need a campaign with employees … to get the right training and processes in place to make sure this doesn’t happen again.”