Dangerous cybersecurity attacks have become a sweeping problem across our healthcare industry, with most hospitals having experienced not one or two, but many threats in the last three years. It wasn’t that long ago when the most common perpetrator of security breaches was a negligent employee. But the majority of threats now are from cybercriminals and other malicious actors, according to the 2019 HIMSS Cybersecurity Survey published last month. The good news is that many hospitals have conceded that these risks are not going away and are investing in tenacious battles against cybercrime. We’ve gathered data from a variety of hospitals detailing innovative and aggressive strategies they are using to minimize if not eliminate significant security incidents.
A storm of healthcare security breach reports has already begun in 2019. Fifty-nine breaches affecting more than a million individuals were reported in the first two months on the OCR Wall of Shame. The great majority of incidents was perpetrated by hackers, with unauthorized access or disclosure a distant second cause. The compromised targets were mostly healthcare provider organizations, as opposed to health plans (which accounted for less than a fifth of breaches and just one percent of the affected healthcare records). Impacted hospitals ranged from large hospital systems, e.g. UConn Health and Rush University Medical Center, to small rural hospitals such as Pawnee Country Memorial Hospital in Nebraska.
Perhaps the biggest underlying reason for the healthcare industry’s cybersecurity woes is the intense expansion of providers’ data infrastructures. A “tsunami of connectedness” — an apt term coined by Marlon Harvey of Cisco has overtaken our landscape in the last five years. IT infrastructures have become exponentially more complicated with the proliferation of EHRs, connected medical devices, mobile devices, cloud storage, patient portals, analytics software, wearable devices and more. Many hospitals have not increased security protections, either technical or cultural, at the same rate. Our mostly non-profit hospitals, already struggling with high costs and even financial viability have not applied sufficient funding to the problem. A shortage of qualified security experts also has stymied progress.
HIPAA, ironically, has even played a negative role in this drama. Designed specifically to protect us for this expected high tech era, it instead is seen as a “compliance” obligation. If executives believe their organizations to be HIPAA compliant, many have had few worries about deploying ever more connected data storage and transmission solutions. Some IT professionals and security officers may have had reservations, but their traditional lack of visibility at the corporate level has prevented a more cautious approach to technological modernization. Indeed, despite the fact that healthcare has historically spent less on security than other major business sectors, a Black Book study in 2018 found that that healthcare cybersecurity spending had actually shrunk. Meanwhile, data security breaches can cost a single hospital as much as US $7 million, including fines, litigation, and damaged reputation, according to a Ponemon report.
Simultaneously, bad actors (most often external) — whether practiced criminals or hobbyist hackers — have been quick to see and seize the ever-growing opportunities to access the valuable personal information of our millions of patients. More than 180 million records were stolen between 2015 and 2018 (Black Book), affecting about one in every 12 healthcare consumers.
The variety of cyber threats continues to expand in number and sophistication, from ransomware to new worms and other malware to more effective phishing exploits. In the last year phishing-generated trickery that facilitates network compromise has become the most frequent tactic to get in the door, bringing in malware and ransomware. The HIMSS Survey reported that the most common initial point of compromise was e-mail (e.g., phishing e-mail) (59%), followed by human error (25%). Criminals are also taking advantage of inadequate authentication, lack of email encryption on devices, use of unsecured WiFi networks, vulnerability of outdated legacy systems, sharing of devices with others and much more. Irresponsible practices of business associates such as vendors and consultants are also commonly identified as an initial point of compromise.
Here we offer our seven top recommendations to hospital leadership to help realize immediate improvements in their hospital’s defenses against cybersecurity threats.
- Organizational cultures need to incorporate a clear no-exception policy that responsibility for cybersecurity starts at the Board level, followed by chief executives.
— It should be a given that Boards, executive teams and clinical proponents for new medical and information technologies will require input by security experts on potential security risks of technology purchasing decisions before making them. By tieing such risks to organizational business goals, board members and CEOs can make better-educated and mitigative decisions.
— The Gartner Group’s Peter Firstbrook calls for creating “simple, practical and pragmatic risk appetite statements… that leave no room for business leaders to be confused as to why security leaders are present at strategic meetings.” Our industry’s plethora of recent expensive security breaches has shown that poor security can threaten C-level jobs and the organization’s reputation, which should be a strong inducement to leaders and senior stakeholders to understand how security must be factored into technology-oriented planning.
- It should be a given that every hospital has a comprehensive cybersecurity risk management program. But Black Book reported that 60 percent of hospitals have not formally identified specific security objectives and requirements in a strategic and tactical plan.
— Nearly 85 percent of hospitals do not have a dedicated security executive. Decisions about cybersecurity spending are being made at the C-level without including users or affected department managers. Only four percent of organizations have a steering committee to evaluate the impact of cybersecurity investments. Cybersecurity should have a dedicated budget outside of the overall IT budget, but typically does not. The shocking no-no’s go on and on.
— Risk management programs historically have been seen as potential barriers to technology advancement and revenue goals. Instead, they should be devised starting with the premise that risk management is a positive business outcomes enabler that will prevent unnecessary costs and risks and support business goals. It is logical that if data is considered a value-generating asset, it should be protected. If stakeholders are not aligned with the importance of institution-wide cybersecurity, they are likely to ignore or undermine efforts to avoid cybersecurity gaps.
— The risk management program should start with a continuously updated inventory of the organization’s data assets and security protections, including data security policies and enforcement effectiveness; a defined, well-qualified cybersecurity leader; specific security goals; regular, thorough risk assessments; real-time systems monitoring; a cybersecurity disaster plan; a formal multi-faceted staff training and awareness program (not just an annual video course); and formal data security governance frameworks that enable logical assessment of new security products by working from the hospital’s specific risks/needs to define the solutions to be purchased.
— System patches must be ratcheted up. Use of BYOD should be evaluated on the basis of its value, and if it makes sense, must be supported by constructive but protective rules. Sideline purchases of connected medical devices or applications by discrete departments should be banned. The list of best practices continues downstream; while it is beyond the scope of this paper, it will not be beyond the crack security leader your organization should have.
- Organizations should not rely on HIPAA compliance to define their security postures.
— Just this month the College of Healthcare Information Management Executives (CHIME) told Congress in a letter that compliance with HIPAA is not only insufficient to prevent data breaches, but has also resulted in lower cybersecurity defenses than are needed. HIPAA-compliant hospitals may be meeting the minimum standards for data privacy and security, but “That does not mean that they are well protected against cyberattacks. HIPAA is complex and compliance requires a significant amount of resources. That can mean fewer resources are then available to tackle cybersecurity issues and protect against actual cyber threats.”
— As one interviewee reported in a 2018 study on hospital cybersecurity published by Mohammad Jalali in the Journal of Medical Internet Research, HIPAA is a one-size-fits-all that has distorted cybersecurity programs. “I treat compliance as a separate issue from security. Let’s make sure that we’re plausibly compliant and let’s build a program over actual security. Another said HIPAA is “a floor, not a ceiling.” A third offered a specific example of the disconnect: “It’s impossible to have good security without testing, without a very active threat hunting program… But (the latter) is not generally contemplated in the general HIPAA regulatory regime.”
- Cybersecurity should be defined as a patient safety issue, and therefore everyone’s problem and everyone’s responsibility.
— Leadership has traditionally considered security to be strictly an IT concern. This position has included bundling hospital staff training under IT staff who often can offer little more than annual video training sessions. The Healthcare Industry Cybersecurity Task Force’s 2017 Report to Congress turned the IT ownership idea on its end, stating that cybercriminal activity like ransomware attacks, medical device hacking, interference with the connectedness of medical devices and automated medication delivery systems, and large-scale privacy breaches are patient safety issues. Even interoperability efforts have “increased patient safety risks due to the introduction of insecure solutions, such as a patient portal accessible over the public Internet with limited security controls in place, or the rapid development of EHRs with minimal standardization or guiding security best practices.”
— These challenges are likely to increase as IoT, including non-regulated devices like wearables, affect privacy, safety, and patient care. According to the 2019 HIMSS report, lack of employee awareness of cybersecurity dangers remains a grave problem in the industry, “with multiple surveys indicating lack of preparedness and understanding of security policies leading to the improper exposure of sensitive patient data.”
— Cybersecurity must be governed across hospitals with a collaborative approach: all staff working together toward the common goal of protecting patients, one another and the hospital. Patients must be educated on using insecure devices or apps to access or transmit their information. Executives, other decision makers, and Boards must commit to their own cyber literacy in order to make the lowest risk highest value decisions possible, and they need to be provided education to do so. Clinical staff and other departments with frequent access to protected health information must establish complimentary security practices that include information sharing about changing industry threats, risks and protective tactics. Wherever it is possible to demonstrate to clinicians that security measures will benefit their patients, acceptance is more likely.
— It is frequently argued that smaller hospitals can’t afford to have a dedicated security executive to manage these challenges. How about half time…or how about a carefully vetted outsourced solution? Is it possible that today no hospital can afford not to have a dedicated security leader?
- Ensure adequate security staffing.
— The cybersecurity skills shortage is growing, with the number of unfilled cybersecurity roles expected to increase from 1 million in 2018 to 1.5 million by the end of 2020. The widespread transformational move of data to the cloud has contributed to the problem. Organizations eager for cost savings are often not prepared to manage cloud security, which is a responsibility shared by both the vendor and the customer. Gartner estimates that the majority of cloud security failures will be the fault of the customers through 2023.
— Similarly, organizations looking at AI-based technology, potential interoperability solutions like blockchain and other new technologies must have security governance skills and tools to keep up. These initiatives may necessitate investing in development of existing staff or outsourcing. True, security staff does not create revenue, but it will protect it.
- Legacy systems must go sooner not later.
— Most hospital environments are a mix of newer technology and older legacy applications and devices that are insufficiently supported to prevent data compromise. Often, an older application may be a stakeholders’ “favorite,” or not easily replaced. Until a data breach or loss is experienced — in other words, until it’s too late — it can be difficult for IT or the security leader to initiate a change, simply because they can’t demonstrate the risks well enough to convince key stakeholders.
— Hospitals are notorious for having no single decision-maker. Stakeholder buy-in is considered essential, but hospitals’ complex environments where numerous departments with very different objectives exist make this difficult. This challenge points again to the need for strong organizational policies around prioritizing cybersecurity. Major culture shifts, heightened direction from leadership, and enforced process changes in clinical and revenue cycle environments, in particular, will be necessary.
- Manage business associate/vendor security practices.
— Relationships with diligent, qualified business associates have proven to be a boon to hospitals’ service quality and cost efficiencies. But data security and privacy breaches either caused by business associates or enabled by their deficiencies have exploded in recent years. At least 40 major breaches by BAs in the first eight months of 2018 exposed the information of more than 2 million individuals. The sad news is that many employees of vendors with access to protected health information (PHI) don’t even know that they have BA responsibilities under HIPAA, even if their firms have business associate agreements with the hospitals with whom they have contracted. BA agreements too often are just seen as part of the paperwork needed to win the contract.
— Every hospital’s risk management program must pay attention to the security postures of its vendors on an ongoing basis. This starts with a stringent BA agreement and an assessment of the level of the BA’s access to patient information, its security/privacy policies and procedures, and reference-checking its history with other hospital clients. BAs must maintain an active security/privacy program that aligns with HIPAA requirements at the very least but more importantly aligns with your organization’s security program. The vendor must engage in ongoing security administration activities to assess, monitor, prevent, and mitigate security threats and your hospital should require an annual report that documents these activities. Take note that if the BA is contracting with downstream business associates on your hospital’s behalf, it must have BA agreements with them and impose the above data security and applicable privacy requirements on them.
— As with our other recommendations, your hospital’s business associate risk management program can only be effective if your security executive and/or others are held accountable for all of the above and actively collaborate and share information with every BA.
This is serious stuff. In just the last week while preparing this paper, the following grim security reports came in. Take heed.
- A new Moody’s Investors Service Report put hospitals in its highest security risk category, primarily due to the “sensitive and essential nature of data used by hospitals, the value of healthcare data to hackers, the increasing number of vulnerabilities introduced from connected medical devices, and the time it would likely take to recover from an attack and the disruption to the business while an attack was mitigated.” The report noted that breaches result in hospitals “having to increase their investments in technology and infrastructure, cover the cost of regulatory fines and litigation, pay higher insurance premiums, increase R&D spending, and deal with serious reputational effects, including higher customer churn rates and a reduction in creditworthiness.”
- A ransomware attack on Columbia Surgical Specialists of Spokane in Washington that threatened the information of up to 400,000 patients was reported. Files captured by the ransomware contained patient names, driver’s license numbers, Social Security numbers and other types of PHI. The provider paid $14,649.09 in cryptocurrency to decrypt the files that the cybercriminal had grabbed and encrypted.
- A case of snooping on celebrity medical records was reported that has resulted in ‘dozens’ of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for accessing the medical records of Jussie Smollett, the “Empire” actor, without authorization.
- Covenant Care, a California provider of residential care and skilled nursing, reported a security breach after learning of unauthorized access to an employee’s email account that exposed the protected health information of 7,858 patients.
- A former employee of an affiliate of the University of Pittsburgh Medical Center (UPMC) pleaded guilty to accessing the medical records of patients without authorization with intent to cause harm. She faces and now faces up to a $250,000 fine and a jail term of up to 10 years.
- The March 7 Beazley Breach Insights Report came out, confirming healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services.