We live in an exciting time. Technological advances have showered almost every industry with innovation, leading us to breakthroughs that have made our lives simpler, our worlds bigger, our understanding greater.
These advances have also made information more accessible, which in many ways, is revolutionary. Can you imagine driving to a new location without the help of Google Maps, or no longer having the latest news at your fingertips? But, when information falls into the wrong hands, things stop being revolutionary and start getting dangerous.
We are inundated with technology at every turn, and while encryptions and password protections may give the illusion of safety, much of our information is up for grabs. Especially when it comes to our most personal and private data: health care records.
Health care information is a highly coveted get for cybercriminals. In fact, IBM data shows that health care took the top spot in cyberattacks in 2015. Five of the eight largest breaches in health care since 2010 happened in the first six months of 2015, and more than 111 million health care records were compromised just that year.
According to Forbes with data from the Office for Civil Rights (a branch under the U.S. Department of Health and Human Services), that’s nearly 35 percent of the U.S. population. The lion’s share of those records were at risk due to Anthem’s breach, which accounted for 78 million penetrated records in February 2015.
Reporting: Problems when you do, problems when you don’t
The Office for Civil Rights tracks health information breaches that affect 500 or more people as they are reported to the Secretary of Health and Human Services. A quick glance reveals that, since October 2009, there are nearly 1,600 cases of health-related breaches impacting over 500 people. That’s almost 195 annually for the past eight years.
But then again, that number could be far smaller than the true figure, because it only accounts for the cases that are reported (and not for cases that impact less than 500 people).
“A lot never get reported,” says Mark Weatherford, chief cybersecurity strategist at vArmour. “That’s not endemic of the health care industry, because it happens everywhere. And it happens for a lot of reasons.”
vArmour is a data center and cloud security company, focusing heavily on health care as well as other industries. The company brought on Weatherford in November 2015 to continue its endeavor to thwart would-be cybercriminals. Meg McCarthy, former executive vice president of operations at Aetna, was appointed to the company’s board the same month to provide insight into health care’s specific security needs.
Sometimes the lack of reporting is because organizations aren’t immediately aware of a breach, and once they encounter it, they remediate it themselves and move on rather than reporting, says Weatherford.
“In the case of Anthem, [the breach] impacted stock price, company morale, the ability to bring in new clients and customers,” Weatherford says. “The finance industry found this out in the early 2000s — data breaches mean customers go elsewhere. So, the rationale for health care providers is to not make this data public.”
But not reporting has its own serious consequences. When patients aren’t made aware of a hack or breach, but then suddenly can’t receive care or begin receiving random bills for services, the fallout can be disastrous, says Weatherford.
Unlike other hackable industries such as finance, health care organizations have not ramped up investments to account for strong IT security measures.
Keith Stewart, vice president of strategic markets and business development at vArmour, says, “The health care industry is in an awful space pinched between two forces. They are underfunded and under-focused on this problem, which is a painful combo.”
Weatherford agrees, saying that despite being on the forefront of cutting edge technologies, the health care sector has some serious catching up to do when it comes to investing in security. “You can make an easy case that what [health care] is trying to protect is more important, because it’s their clients’ most sensitive information,” he says.
Yet health care security measures have fallen short, and if something isn’t done soon, more cyberattacks are on the horizon. That means more impacted patients and more financial damages.
The financial burden
With the expansion of electronic health records (EHRs) and the growing use of the Patient Protection and Affordable Care Act (PPACA) online marketplaces, amongst other technological advances in the health care sector (think increasing use of wearables and data sharing), the health care field has never been as exposed as it is today.
Research from a 2012 Ponemon Institute survey says that 94 percent of hospitals surveyed had suffered a data breach, estimating the total cost of handling these incidents at $7 billion a year. That’s not far off from the actual $6 billion figure the Workgroup for Electronic Data Interchange (WEDI) attributed to damages and costs caused by cyberattacks on health care in the 12 months leading up to the June 2015 publication of its paper “Perspectives on Cybersecurity in Healthcare.”
Looking at cybersecurity from a compliance point of view, several health care organizations could find themselves on the wrong end of HIPAA fines after a breach. But those fines won’t be the biggest cause of financial concern.
According to the 2013 Ponemon “Cost of a Data Breach” report, remediating a breach costs in the range of $233 per compromised health record. When you add in other expenses — legal actions, new security investments, protection services, etc. — that’s when the final numbers can really add up. Just ask WellPoint, the company Anthem bought back in 2004.
When the WellPoint breach exposed 612,402 people’s health information, HIPAA issued a fine of $2 million. Manageable for a major corporation, right? Well, according to a SANS report, that $2 million fine quickly turned into a $142,689,666 expenditure after all was said and done.
In other instances, breaches go unnoticed entirely.
But why are cybercriminals suddenly interested in medical data? According to WEDI, formed in 1991 and appointed in 1996 as the IT advisor to HHS, personal health information is more valuable than credit card numbers on the black market. The heightened value of health data — credit card information fetches $2 a record versus health data’s $20 — on the black market is perpetuated by the increased amount of personal information that can assist in identity theft, but also because security breaches are often harder to catch and mitigate in health care. In other words, some stolen health data will be sold before anyone even notices it’s missing.
And hackers aren’t just stealing data anymore; they’re holding it hostage.
“Ransomware is becoming an epidemic,” Weatherford says. “Health care has been hit harder than anyone by ransomware and there have been very public events.”
Ransomware is a type of malware that can be installed on computer systems, restricting access until a ransom is paid.
Weatherford says that, until now, because of ransomware’s lack of sophistication, many organizations have opted to pay the relatively low ransom rather than struggle to contain the problem internally. Ransomware attacks are usually intended for quick payoffs, not long-term damage to an organization.
But now, the price is going up, according to Weatherford. While ransomware hackers used to ask for sums somewhere in the range of $300 to $400, a recent ransomware attack saw Hollywood Presbyterian Hospital pay $17,000 in bitcoin ransom to regain control of its system. And that figure doesn’t account for the lost revenue the hospital suffered when its system was offline during the debacle.
In May, Kansas Heart Hospital in Wichita, Kansas was also the target of a ransomware attack. Unlike Hollywood Presbyterian though, giving into hacker demands proved fruitless when the cybercriminals didn’t restore access to the hospital’s systems. Instead, they just asked for more money.
Although hospital President Dr. Greg Durick said patient information was never at risk and hospital operations weren’t affected, this sets a dangerous precedent. While health care providers may want to quell any threat by playing ball, there is no guarantee today’s cybercriminals will stick to the rule book.
And why would they? With health care providers lacking the necessary resources to thwart or even contain hacks (a Symantec study says 52 percent of surveyed hospital IT specialists allocate 0 percent to 3 percent of their budgets to security endeavors), cybercriminals are the ones dictating the terms, not the institutions tasked to save lives and protect patient information.
Add in the introduction of the Internet of Things (IoT) — a network of physical devices that are connected and able to communicate through software — and modern health care is teeming with opportunity, both for providers and cyberattackers.
Results from the 2014 SANS “Securing the Internet of Things Survey” say that the health care and pharmaceutical sectors will be among those that experience the highest level of near-term deployment and use of IoT devices. Because of this, cybercriminals are gearing up to find new ways of using IoT to expand their potential target points.
Christian Renaud, IoT research director at 451 Research, says that although hospitals have been slow to evolve in the past, IoT can help with the industry’s tedious tasks, like paperwork and filling in EHR gaps.
Because IoT is still in its early stages, says Renaud, knowing where the vulnerabilities lie may be problematic. That said, in order to embrace the benefits of IoT and avoid some of its shortcomings, businesses need to transform.
“Last quarter, the number one barrier for adoption of IoT was organizational change, not the technology,” he says.
Organizational change means retraining staff to adequately adapt to the technology in order to avoid user error, a top reason for security problems, says Renaud. Today, plenty of organizations are deploying IoT trials, but the main concern has shifted to security — a worry that is specific to health care.
That worry is warranted, in health care and beyond. An EY report notes 70 percent of the most commonly used IoT devices contain vulnerabilities, and 56 percent of survey respondents say it is “unlikely or highly unlikely” that their organization would be able to detect a sophisticated attack.
Although this data shouldn’t detract from the potential breakthrough medical advances IoT can achieve, it does evoke uneasiness when considering the possible security ramifications. The two aren’t mutually exclusive, which can blunt some of the excitement surrounding IoT’s health care applications.
The EY report also states, “While the IoT is entering daily life more and more, security risks pertaining to IoT are growing and are changing rapidly. In today’s world of ‘always on’ technology and not enough security awareness on the part of users, cyberattacks are no longer a matter of ‘if’ but ‘when.’”
Raising the bar
In order for health care to lessen the blow of cyberattacks, changes must happen — and soon. Weatherford says “mom and apple pie stuff” like patching systems, educating users, and using offline backups of data are easy ways for the health care industry to take strides in the right direction.
“The criminal element goes where the pickings are easy and where they can monetize best,” Weatherford says. “As we raise the bar in health care, the criminal element will look somewhere else. They’ll never go away, but by raising the bar just a little bit, it’s like the bad guy rattling your door knob, noticing it’s locked, and moving on.”
Both Weatherford and Stewart agree that at this juncture, health care either doesn’t have or isn’t allocating the necessary resources to combat growing cybersecurity threats. Still, Weatherford says HIPAA and the HITECH Act also need to do more regulatory work to “raise the bar” for health care security.
“Regardless of what happens in the regulatory arena, breaches in the health care industry in the last 12 months are making security a board room conversation,” says Stewart. “This is ultimately about protecting critical patient data and maintaining quality of service and trust in health care. No board will disagree with that statement. They just need to get the resources in line.”
But getting to that point, Stewart says, “it’s going to take longer than we’d like.”