Not long ago, businesses were protected with locks on doors and windows. It was a simpler time and, sadly, it is a time that has come and gone in this modern age of cyber warfare. If the recent WannaCry ransomware attacks are any indication, now more than ever, businesses and institutions need to take cyber security seriously to avoid potentially devastating consequences.
In addition to subversive hacking in the business world, where private information can be compromised and sensitive company data absconded with, cyber security measures are now employed to negate the effects of hacking by foreign entities, used a political weapon. It is an increasingly serious global problem, and one that has necessitated the implementation of advanced cyber security methodologies to counteract the increasingly sophisticated capabilities of hackers to subvert these very systems.
“In recent years, cyber security has been a growing concern in healthcare, with high profile cyber-attacks and vulnerabilities causing disruptions for insurers, hospitals and medical device makers. The stakes for patients are high too as patient data could be lost or tampered with, hospital services interrupted or patients harmed through attacks targeting specific devices … “ 1
Government Intervention to Fight Cybercrime
The rapid digitization of the healthcare industry makes this sector particularly vulnerable to cyber attack and this fact has not been lost on the US Congress. The House Energy and Commerce Committee recently convened to address cyber security in the health sector. Information Sharing and Analysis Centers (ISACS) may be key in providing enhanced security for healthcare providers and in thwarting efforts of would-be cyber attackers.
Through the interactive efforts of the 24 organizations that comprise the National Council of ISACs (NCI), great efforts are being made to “maximize information flow across the private sector critical infrastructures and with government. Critical infrastructure sectors and subsectors that do not have ISACs are invited to contact the NCI to learn how they can participate in NCI activities.”2
It is, of course, a Herculean undertaking to strengthen the partnership between public and private entities in healthcare with regards to cyber security, considering the myriad industries and agencies of government which are responsible for regulating and delivering said healthcare. Congress has been encouraged to provide tax breaks and other incentives to prompt companies to get involved with the ongoing effort of ISACs.
Poor Participation Impedes Cyber Security Implementation
Unfortunately, poor participation rates among healthcare facilities has been a persistent problem in the ongoing efforts to implement effect cybersecurity measures across the sector. According to Terry Rice, vice president of IT risk management and chief information security officer at Merck, “companies may be hesitant to share information within an ISAC if they fear the information will not remain confidential to its members.”3
“I think the most shocking statistic was really the fact that 40% of the individuals at the top of an organization–executives like CEOs and CIOs, and even board members–didn’t feel personally responsible for cybersecurity or protecting the customer data.” Dave Damato, Chief Security Officer at Tanium, on CNBC’s Squawk Box, speaking about cybersecurity in the healthcare industry 13
The High Cost of Cybercrime in Healthcare
Aside from the obvious threat of compromised patient information and other incidences of data theft, failures of cyber security are incredibly expensive, to the tune of $6.2 billion annually, according to a 2016 research project conducted by the Poneman Institute. Insights revealed in their studies revealed that “nearly 90 percent of the healthcare organizations … had endured a data breach during the previous two years. Forty-five percent had more than five data breaches in that period with the average cost of a cyber attack totaling $2.2 million. The data contained in electronic health records (EHRs) is often cited as the reason healthcare is such an attractive target in the eyes of a hacker.”4
As secure as people like to believe their health information is in the possession of their doctor’s office or hospital, it is often not the case. The ongoing digitization of health records has been an expensive proposition for the healthcare industry. Securing all that information is another monumental expense and sometimes this part of the cyber security equation has been neglected in the interest of cost-savings, or just by the large-scale nature of the overall endeavor.
The Lucrative Nature of Cyber Theft in Healthcare
Of course, health records are a hot commodity on the black market and they can fetch top dollar from parties seeking to obtain personal information, billing addresses and credit card numbers. Hacking can be a very lucrative enterprise, indeed. Consider this example. “Hackers made off with more than 2.2 million patient records from Fort Myers, Florida-based 21st Century Oncology in March of 2016. A month later, someone stole a laptop with 205,748 unsecured patient records on it from Premier Healthcare, LLC.” 5
The Advent of Ransomware
Ransomware is a new term for most people, becoming familiar with the recent WannaCry attacks unleashed globally, crippling critical infrastructure systems and eliciting significant financial ransom from those who fell prey to the anxiety and potential loss of data characteristic of such attacks. The healthcare industry in particular is vulnerable to ransomware incursions.
“Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.” 6
Ransomware malware, in effect, locks-up a computer and makes data inaccessible unless a ransom is paid to the perpetrator. Usually this payment is made in the form of bitcoin. In most instances, a time limit is established for the ransom to be paid, otherwise the computers data will be destroyed. Though most stricken parties don’t pay the ransom, enough do to make it a particularly lucrative criminal enterprise.
The healthcare industry has been vulnerable to ransomware attacks because, surprisingly, many hospitals have taken inadequate steps to prevent cyber security breeches. Instead, most hospitals have focused their primary concern on meeting HIPAA compliance and meeting federal guidelines to insure the security of patient information. Ultimately, most employees in healthcare are simply not trained well enough to recognize and thwart cyber attacks before they occur. Even when adequate training and cyber security measures are in place, it is a continuous challenge to outwit perpetrators who constantly remain one step ahead of the game.
IoT Devices Are At Risk As Well
To add a layer of seriousness to the present situation, cyber attacks can affect not only computers, but devices which are connected to them, as well. Medical tools, heart and glucose monitors are but a few examples of devices vulnerable to cyber attack. Vice-President Dick Cheney famously demanded that his pacemaker be made safe from cyber attack, lest those with ill-intent not manipulate the function of his device remotely. Quite frankly, interference with such devices can be deadly for the patients that depend on them in order to live.
As an example of medical hacking, “In one currently used exploit, known as MedJack, attackers inject malware into medical devices to then fan out across a network. The medical data discovered in these types of attacks can be used for tax fraud or identity theft, and can even be used to track active drug prescriptions, enabling hackers to order medication online to then sell on the dark web.” 7
“No patients have, as far as I know, been killed due to a hacked pacemaker, but patients have been killed due to malfunction[s] of their medical devices, configuration errors and software bugs. This means that security research in the form of pre-emptive hacking, followed by coordinated vulnerability disclosure and vendor fixes, can help save human lives.” Marie Moe, Security Researcher with SINTEF, in “Go Ahead, Hackers. Break My Heart” (Wired)13
The FCC has now suggested that IoT suppliers of medical devices build-in security measure into the products they manufacture; the key word there being suggested. Actually instigating mandatory security practices and requirements for those manufacturers is a time-consuming effort. In addition, networks assigned to relay data between devices and databases also have a critical need for cyber security implementation and monitoring.
A New President, A New Order
There was much speculation as to how the Trump administration would address issues of cyber security. On May 11, 2017, the president signed an executive order which mandated a review of the nation’s overall abilities to combat criminal cyber-activity. The order places the brunt of responsibility concerning cyber security on federal agencies who were to do risk assessments and turn in their respective reports within 90 days. Additional reports examining critical infrastructure risks were due six months after the president’s order was issued.
“The order calls for a review of the threat posed by botnets, which target websites with automatically-generated spam traffic. The Mirai botnet was responsible for significant internet outages last year. But Access Now says the order should also address the government’s process for vulnerability disclosure and its response to data breaches.” 8