In 2017, a spate of high-profile attacks brought the healthcare industry’s need to strengthen its cybersecurity into sharp focus.
In 2017, a spate of high-profile attacks brought the healthcare industry’s need to strengthen its cybersecurity into sharp focus. Ransomware, like WannaCry and NotPetya, has wreaked havoc in small hospitals and biopharma giants alike, and the vulnerabilities appear widespread and acute, experts said.
The ECRI Institute, a nonprofit research organization, identified ransomware and other cybersecurity threats to healthcare—and the danger they pose to patients—as the top health technology hazard for 2018. A Department of Health and Human Services (HHS) Healthcare Industry Cybersecurity Task Force report to Congress in June found that digital security is in “critical condition.” According to the Protenus Breach
Barometer, at least 1 breach occurs in the healthcare sector every day.
Until now, healthcare has “benefited from relative obscurity while no one was paying attention,” said Joshua Corman, a member of the task force and chief security officer at the software company PTC. “WannaCry shattered that obscurity.”
The biggest problems facing healthcare are unique to the field, which also has the highest stakes. “In terms of flesh-and-blood consequences to ransomware and hacking, we are most exposed in hospitals,” Corman said. “It’s almost a miracle that we haven’t had more hospital outages.”
A 2016 Ponemon Institute report noted that data breaches cost the healthcare sector $6.2 billion annually, and attacks remain consistently high in terms of volume, frequency, impact, and price. “New cyber threats, such as ransomware, are exacerbating the problem,” said Larry Ponemon, PhD, the institute’s founder.
Data compiled by the HHS Office for Civil Rights show hundreds of incidents in the past 2 years, affecting tens of millions of individuals. And the problem might be even greater. Lee Kim, JD, director of privacy and security at the Healthcare Information and Management Systems Society, said many security breaches fly under the radar. “There have been a lot of incidents that have created a lot of buzz in the industry, but there’s also a hidden undercurrent of smaller organizations,” Kim said. Low-level security breaches often don’t meet the reporting threshold, and so health systems stay quiet for fear of scaring shareholders, Kim noted.
So what’s keeping healthcare from fortifying its defenses? Security understaffing, a lack of appropriate resources, unnecessary overconnectivity between devices, few means to securely install updates, long-lasting equipment operating on outdated software, and little staff awareness, experts said. A review of the most prolific and largest security incidents of 2017—from WannaCry and NotPetya to targeted attacks and old-fashioned human error—reveals industry-wide trends.
In a massive, high-profile assault this spring, the WannaCry ransomware virus hit 81 British hospitals, leading to thousands of canceled appointments. The virus crippled the United Kingdom’s National Health Service (NHS), causing 19,500 canceled medical appointments; locking the computers of 600 general practitioners; and forcing 5 hospitals to divert ambulances elsewhere, according to a National Audit Office report. The attack “could have been prevented by the NHS following basic IT [information technology] security best practice,” the report said.
As part of a WannaCry wave that also disrupted organizations outside healthcare, 2 multistate hospitals systems in the United States faced significant challenges to operations, according to an HHS cyber notice. “The behaviors that have been reported are typical for environments where the WannaCry scanning virus persists, even though the encryption stage has been blocked by antivirus, or is not executing,” HHS wrote.
“If you were hit by WannaCry, you were really doing something very wrong,” said Justin Cappos, PhD, associate professor of systems and security at New York University’s Computer Science and Engineering Department.
In October, a new WannaCry strain caused additional network downtime at FirstHealth of the Carolinas, a hospital system that takes patients from 15 counties. FirstHealth’s information system team shut down the network when it identified the threat. As of last month, it remained down because of “an abundance of caution,” according to the group’s website.
A spokesperson for FirstHealth declined to comment on the network disruption. But the health system noted that the virus did not affect databases or patient or operational information.
“If we found out tonight that there was a new WannaCry strain, in most of those organizations, there would be no qualified person who would know what to do about that,” Corman said. The cybersecurity task force discovered a “severe” lack of security specialists, with 85% of medical organizations—particularly small, medium, and rural hospitals—lacking a single security staffer. “They have more janitors at these hospitals than they do security people,” he said.
The goal of Theresa Meadows, MS, cochair of the cybersecurity task force and senior vice president and chief information>> officer at Cook Children’s Health Care System, is to add 6000 to 7000 new cybersecurity professionals to the ranks. “All the software won’t help. You need to have people who can spot it,” Meadows said, noting that they could reeducate victims.
But that would take resources. Meadows said the task force wants a federal “stark exemption” so large providers can provide security services and software at reduced costs to smaller provider partners.
Although hospitals manage many competing priorities, experts said cybersecurity must top the list.
NotPetya spread in June, imitating a ransomware virus called Petya, which cropped up in 2016. But rather than extorting users by demanding Bitcoin to unlock data, NotPetya was designed to destroy.
Defense against NotPetya should have been easy, Cappos said. The virus was built “so, so, so poorly,” and “it was essentially just deleting the files on the system rather than really locking them up.” Cybersecurity leaders thought it was made to merely look like an attack.
NotPetya affected mainly Ukrainian businesses and appeared to have been launched by the Russian government, Cappos noted. It subsequently swept across the Atlantic and infected 4 companies: the pharmaceutical colossus Merck, Pennsylvania’s Heritage Valley Health System, Princeton Community Hospital in West Virginia, and Nuance, which sells dictation and transcription software.
A month later, Merck was still reeling from the virus, and Princeton Community Hospital was forced to replace all its hard drives and had yet to relaunch all its systems by late summer. The malware affected Merck’s production, delivery, manufacturing, research, and sales operations, according to a government filing.
NotPetya tapped the same vulnerability as WannaCry did but then spread through a software updater. WannaCry used a National Security Agency hacking tool called Eternal Blue, which NotPetya also exploited, Cappos said.
BON SECOURS HEALTH SYSTEM
Not all security breaches require malicious hackers or software.
Human error caused the biggest security incident of 2017, according to HHS. About 655,000 patients of the Bon Secours Health System in Virginia were notified that their records might have been breached when a third-party contractor accidentally made files accessible online during a network settings adjustment.
Raising awareness is a low-tech solution. “It seems so simple and silly to mention, but educate your end users about what your security practices are, [and] raise their cybersecurity IQ by giving them simple, basic, easy-to-understand awareness tips,” Kim said. “Otherwise, you’ll be just chasing their tail.” Regularly changing passwords is an easy fix, Kim added.
Cybersecurity isn’t just an IT issue, said Juuso Leinonen, senior project engineer for health devices at the ECRI Institute. Protecting systems requires participation from the entire staff. Combating attacks “is something that each department within a healthcare facility can and should play a role in, from clinical engineering to information security, risk management, purchasing, and even the front-end clinicians,” Leinonen said.
Educating employees to identify risks is of utmost importance, Meadows agreed. Most attacks in 2017 occurred through phishing, she said. “The biggest recommendation that I have for hospitals specifically is to do ongoing education around phishing, ransomware, and malware, because you’re only as strong as your weakest link.”
Airway Oxygen, a home medical equipment provider in Michigan, suffered a ransomware attack in April that might have compromised the data of 500,000 individuals, making it the second-biggest security breach of the year. According to an official notification sent to HHS, a hacker infected the organization’s network with ransomware, which then shut employees out.
Afterward, Airway Oxygen hired a
cybersecurity firm to investigate. “Clearly, there is a trend, not surprisingly, where many companies are devoting more money to the organization after an incident,” Andrew Liuzzi, a public relations crisis and risk management expert, later told one news outlet.
Shutting the stable door after the horse has bolted is not enough, and plans should be made before a strike. “You have to have your mitigation plan on the ready,” Meadows said. “Many people didn’t do the work before, so they’re caught off guard.”
WOMEN’S HEALTH CARE GROUP
Although viruses operate autonomously once unleashed, the healthcare industry is also susceptible to targeted hacking.
That occurred at Women’s Health Care Group of PA, when 300,000 patient records were exposed, making it the year’s third-largest breach. The organization informed patients of the breach in July, more than 2 months after it discovered the ransomware, noting that the company’s systems might have been compromised as early as January. “We have been unable to determine if any specific information was actually acquired or viewed in connection with this incident,” it said.
The incident highlighted the need to defend against individual hackers, who may enter through outdated software for expensive, legacy medical equipment whose life spans exceed those of the accompanying operating systems.
There’s a window of time for the medical device community to “really get their act together and fix things,” Cappos said. But when attackers start identifying vulnerabilities in specific devices, the healthcare industry will be in an “absolute world of hurt,” Cappos said. The diversity and complexity of the medical device market make it difficult to identify which supplier or manufacturer to contact and who is responsible to ensure security, Cappos added.
“Frankly, I’ve worked in hospitals where our ventilators were 18 years old and were working perfectly from the clinical perspective,” said Leinonen. “But it becomes very tricky when it comes to medical devices that are built to operate on software that might be obsolete.”
Finding a workable solution for legacy medical devices has prompted a lot of discussion in the industry, according to Meadows. The task force has been working closely with the FDA to solve this problem. “Sometimes you build a building around that machine because of its size,” Meadows said. Hospitals can’t rip out and replace high-cost legacy equipment. “You have to come up with a plan so we can segment that device and not let any potential risk get past it.”
Without segmenting a network, an attack on a single part of the system can disrupt an entire hospital, Corman said. The cybersecurity task force report noted that a single flaw in a single device could cause entire network outages.
The gold rush from paper to electronic health records led to premature overconnectivity, Corman said.
Hospitals must seal the subsequent holes, though implementing security patches is often complex. An industry-wide consensus on how best to address the implementation of patches and updates must be reached. “Probably the most fundamental thing that manufacturers need to do is have a secure way to update,” Cappos said, explaining that systems with updated security patches were rarely vulnerable, as were companies with solid firewalls. “If you can securely update systems, you can fix problems, but if you can’t, you’re basically putting a device in a time capsule in the ground that hackers can get into and do whatever they want with.”
He added, “The actual security of many types of devices, if you wanted to hack into them, is embarrassingly bad. It’s frankly appalling.”