HIMSS’ Director of Privacy and Security Lee Kim explains why now is the time for healthcare to get serious about preparing for ransomware attacks.
Healthcare data hacked and held hostage? It may sound like science fiction, but it is a true story, told repeatedly and with increasing frequency both in the U.S. and abroad. Today, ransomware and cyber-attacks in healthcare are very real, and so are their costly consequences. According to HIMSS’ Lee Kim, now is the time to tighten up your security—or say goodbye to your bitcoins.
“It’s a threat that cannot be ignored,” said Kim, director of privacy and security at HIMSS. “Healthcare organizations need to address ransomware and other malware in their risk assessments. Additionally, adopting new and more technology can mean a larger attack surface and thus more opportunity for cyber-attacks to occur.”
Last year, cybercriminals attacked the healthcare industry at a higher rate than any other sector; more than 100 million records were compromised. Additionally, the sector’s data breaches are getting bigger: five of the eight largest health data breaches reported since 2010 occurred in the first six months of 2015, according to IBM’s 2015 Cost of a Data Breach study.
Healthcare data has become a fast favorite of cyber thieves because the industry has traditionally lagged other sectors in technology adoption. As a result, its infrastructure is more vulnerable than that of industries with more mature technical foundations. Even more enticing is the fact that health data is rife with information that can be used for medical identity theft and fraud. The swift proliferation of mobile devices, applications and wearables is creating still more opportunities for data breaches to occur.
Ransomware is quickly becoming a popular method of attack, with quite a few hospitals paying up to restore their files. According to the McAfee Labs Threats Report: September 2016, hospitals have paid nearly $100,000 to a specific bitcoin account. The actor behind it (possibly a single actor, but most likely a group) has apparently received $121 million in ransom payments (189,813 bitcoin) from targets across various industries.
It’s not as if health organizations are unaware of such threats. According to the HIMSS 2016 Cybersecurity Survey (which focused on the responses of 150 information security leaders in acute and non-acute healthcare settings), more than 85 percent of respondents reported that cybersecurity efforts are a business priority; however, the findings also revealed that more progress needs to be made. Several barriers were cited in the survey as stalling such progress, including a lack of appropriate cybersecurity personnel (58 percent acute, 62 percent non-acute) and a lack of financial resources (50 percent acute, 71 percent non-acute).
Cultivating a Secure Culture
Despite those barriers, how can health organizations approach the issue of cybersecurity effectively? According to Kim, focus your resources and time on risk assessment and build from there. “Use a whole organization approach for cybersecurity to remove the barriers,” she said. “Change the culture in your organization, so that cybersecurity is not perceived as a barrier. Keep your people, processes, and technology up to date to deal with today’s and tomorrow’s threats.”
The important thing to remember is that your approach to cybersecurity must continue to evolve along with your organization. Before any new software component goes live, for example, it’s essential to conduct proper testing to ensure it does not break the production environment; in a hospital setting, a break in the production environment can mean a risk to patient safety or the crippling of a critical business function.
As for organizations that may be enacting or maintaining bring your own device (BYOD) policies, Kim says to do your homework on what you can do to tighten up those policies. Dealing with third-party devices, especially mobile devices, increases the potential attack surface: mobile applications can leak data, operating systems can be exploited, and even eavesdropping is a valid concern.
“Seek out legal counsel to determine what you can and what you cannot do with BYOD before you have such a program in place,” said Kim. “Ask your legal counsel about mobile device management solutions and what security policies may be enforced.”
As digital innovations become more deeply woven into healthcare delivery worldwide, cyber threats will only continue to grow. According to Kim, there is no silver bullet when it comes to effective cybersecurity. However, to stay effective at thwarting potential threats, it’s essential for organizations to keep evolving their approach to them.
“More technology means more vulnerabilities that can be exploited,” she said. “When new technology is adopted, you may want to revisit your organization’s risk assessment and determine whether and how to address any new risks introduced by the new technology. In other words, you need to regularly assess risks—whether in the face of new technology or new threats.”