
A New Era of Cyberthreats

Resilience is king as the industry faces unprecedented attacks.

By Matt Schur from the AMT Pulse.

Healthcare is under threat from cyberattacks like never before. Not only is it the most targeted industry, with more than 90% of organizations experiencing a breach last year, but healthcare also has the costliest attacks. Researchers say that every American has likely had their health information compromised more than once since 2020 alone.

Just last year, attackers hit Change Healthcare, a subsidiary of UnitedHealth Group, exposing nearly 200 million medical records. Providers were unable to collect payments for weeks afterward, and the total cost of the breach exceeded $2 billion.

The attackers employed a tactic known as ransomware, in which sensitive data and systems are held hostage until a ransom is paid. Such attacks are increasingly troublesome for the industry: Forty-six hospital systems were held ransom last year, up from 25 in 2022, according to data security firm Emsisoft.

“Ransomware is just getting worse and worse and will continue to because we haven’t really figured out a good way to stop this and deter attackers,” says Errol Weiss, Chief Security Officer, Health-ISAC, which organizes cybersecurity intelligence sharing among healthcare organizations. “When we see organizations pay ransom after ransom, and extortion payments keep climbing, unfortunately, that just encourages the cybercriminals to keep doing what they’re doing because they’re getting rewarded for it.”

Subsequent disruptions from ransomware attacks are severe, including diverted ambulances, postponed surgeries and unfilled prescriptions. And that’s the greatest threat, says Karen Habercoss, MBA, MSW, Vice President, Chief Information and Privacy Officer, University of Chicago. “When cyberattacks happen and systems go down, there’s always the potential for patients to get hurt,” she says. “We’re a trauma center. In the event of an attack, not being able to accept patients and having them go farther out—those minutes can matter, like if someone is having a stroke. This impacts our patients, our trust, our reputation. All these things are worrisome to me.”

Target Rich

Healthcare is targeted so frequently for many reasons, but first and foremost, Habercoss says, is financial gain—and there’s a lot to gain. “We have patient data, which is usually people’s most sensitive information—embarrassing types of information—that people don’t want out there,” she says.

Stolen health records can fetch 10 times more than stolen credit cards, according to research from IBM and Ponemon. Healthcare facilities also handle financial data, including credit cards, checks and debit accounts; employee data, including Social Security numbers, birthdates and passport numbers; and strategic data, especially with research, such as intellectual property around novel technology, new vaccines and more. “We just have everything,” Habercoss says.

Legacy technology poses an additional risk. Many pieces of hardware, such as older MRI machines, can be more susceptible to attacks while also being too expensive to replace. Plus, healthcare facilities frequently rely on many third parties, such as with electronic health record vendors. “We’re highly interconnected with lots of different systems—not only interconnected in our systems, but also with all kinds of people externally, vendors and collaborators, who may or may not have equivalent security on their systems,” Habercoss says.

The industry is inherently fiscally constrained, too. As Weiss points out, if a hospital has a certain amount of money to spend, that money is likely going toward a direct benefit to patient care—say, hiring a new doctor or investing in cutting-edge equipment rather than hunkering down on cybersecurity improvements.

“I think that the biggest challenge that security professionals have in healthcare is it really comes down to a lack of budget and resources to do their job,” Weiss says. “With ransomware specifically, it’s sort of the perfect storm where we’ve got networks that are not as well protected as they should be.”

Historically, he says, even the small amount of health data spending that facilities allocated with the rise of digital healthcare records was likely being spent on HIPAA compliance, not necessarily toward thwarting cybercriminals.

Building Organizational Resilience

With the rise of attacks, IT leaders have been prioritizing cybersecurity, says Weiss, who recommends that organizations allocate 6% of their overall IT budget toward cybersecurity. Leaders are shifting their mindset, too.

Gone are the days of “defend, defend, defend,” Weiss says. That old model focused on protection, with organizations looking to cover all access points and responding when needed. IT leaders are now increasingly embracing resilience as king: How quickly can you detect, respond to and recover from an attack? “Networks are so porous: There are cloud-based services, employees logging in from all over the place now. An attack is not a matter of if, but when,” Weiss adds.

Many healthcare organizations follow the Department of Homeland Security’s Health Industry Cybersecurity Practices (HICP), which highlights best practices for prevention and response. On a more granular level, Weiss singles out three major cybersecurity priorities: staying updated on security patches and system updates, backing up systems and having employees use multifactor authentication. “We’ve seen a number of large-scale incidents that were rooted in the failure of multifactor authentication,” Weiss says.

Across the board, these efforts require that security becomes part of an organization’s culture. Backups in particular are a major priority so systems can continue to operate when issues arise, whether from an attack or a natural disaster that cuts off electricity.

“Everybody—leadership, staff who are taking care of patients, IT departments—everybody needs to be trained,” Habercoss says. “There needs to be practice—tabletop exercises or continuous education—about what to do in a downtime, making sure you’re consistently training and messaging a concept of patient safety.”

That includes, Habercoss says, planning for contingencies such as gaming out how organizations would pay employees if they were attacked, especially if systems are down and the organization is not billing and generating revenue. What do you do as a pharmacist when you don’t have access to fill prescriptions with electronic systems? How should medical assistants respond if electronic health records aren’t accessible? “You’re not trying to scare people, but we want to make sure we are prepared,” Habercoss says.

What Individual Employees Should Monitor

As with any heist, criminals look for weak points. That means cybercriminals typically aren’t targeting the on-alert IT administrator whose job is to monitor and prevent such attacks. “They’re targeting people far from there, like the front desk workers,” says Amar Yousif, MBA, Vice President and Chief Information Officer at UTHealth Houston.

To that end, Weiss says, it’s important to create a culture across the organization where everybody—medical assistants, lab techs, physicians, accountants—think of themselves as being part of the cybersecurity solution, a human firewall.

“Technology is moving at a speed that regulatory requirements cannot keep up with, so it’s up to us to begin to assess and regulate ourselves in some ways,” Habercoss says.

To start, that means recognizing that bad actors are always and actively trying to attack a healthcare system. “We ask people to be suspicious of unexpected emails, texts or calls, especially when the person on the other side is trying to push some sense of urgency,” Weiss says.

For many professionals who entered an industry specifically to help people, it might feel counterintuitive to resist such emotional pleas.

“My advice is to be vigilant against phishing emails,” Yousif says. “The hallmark of a phishing email is urgency. They always try to make it sound like you need to do something now: Your paycheck is not going to be delivered, your timesheet is going to be rejected, your access to some credentialing system will be disabled. They try to impersonate the help desk or perhaps the CEO or the president of the organization, demanding that you do something quickly and urgently.”

Such diligence will need to increase as cybercriminals deploy artificial intelligence to improve their attacks. Using that tech enables better, targeted emails that don’t have the classic grammatical errors, misspelled names and other obvious red flags of previous phishing efforts. With AI, “they can create a targeted email in perfect language, and do it with any language on the planet, that comes across completely convincing to the receiver,” Weiss says.

The expectation isn’t that allied healthcare workers are experts or even necessarily up to date on the latest scams. Rather, “I want them to tell us about anything and everything that they think is suspicious, even if it seems silly,” Habercoss says. “Nothing is ever too small.”

Habercoss says her best advice for allied health professionals is to know their downtime procedures. Do you know where your forms are? Do you know how to access patient data? Do you know how to adjust your workflow in the event of an outage or disruption? “I know it can be frustrating to practice these procedures, but it’s very important,” she says.

Embracing Change

Technology has always been an amplifier, Yousif says. “Whether it was the gas engine or even agriculture developing 10,000 years ago, technology takes something and makes it better,” Yousif says. “The same technology that is transforming healthcare to be better, faster and more scalable has also opened the door to bad actors.”

For better and for worse, there is no stopping the technology trajectory. “The speed at which we’re moving now with technological advancements is nothing like we’ve ever experienced in the past, and it’s only going to continue to move faster,” Habercoss says.

Ultimately, change is the only constant, Yousif says. “So embrace change and try to center the patient in your thinking by walking through their journey as you deliver technology systems that interact with them.”
