Friendly security can save lives – and that’s not just a provocative phrase to get your attention. It’s actually true.
Hospitals are quickly becoming one of the hackers’ favorite ransomware targets. The steady stream of media reports announcing the latest healthcare facilities that were attacked indicates an end to this targeting is not likely around the corner – and that’s only based on the publicized cases.
Now we have new research showing us that at hospitals impacted by a data breach, the death rate among heart attack patients increased in the months and years afterward. That’s scary stuff, despite the fact that it sounds logical. The cyberattack might have affected critical hospital equipment or the allocation of medications. If this were the case, though, it would fail to explain why the aftereffects lasted throughout the months and years following a breach. Even if hackers managed to sabotage critical systems, it is expected that these systems would be fixed or replaced shortly thereafter.
For example, on Friday, September 20th, 2019, Campbell County Health (CCH) experienced a computer service disruption that was later identified as ransomware. The ransomware affected the CCH computer system and its ability to provide a number of clinical services. On October 7th, CCH reported that its lab, radiology capabilities, and all of its medical group providers and clinics were fully functioning. I would be curious to watch in the months and years to come to see if death rates among heart attack victims in this particular health system rise or fall.
In another instance, Michigan-based healthcare statement processing solutions provider Wolverine Solutions Group was impacted by a ransomware attack in the fall of 2018. However, officials were still trying to pin down the number of residents affected as many as six months later. The ransomware attack was initially thought to have impacted over 48,000 patients before the Michigan attorney general later raised that estimate to over 600,000 residents.
In these types of scenarios, the ramifications are likely to trickle down into latent consequences. However, in the critical healthcare environment where seconds count, the unexpected effects can be overlooked and ultimately become a matter of life or death.
In reaction to cyberattacks, healthcare providers implemented better cybersecurity measures. These include enforcement of a stronger password policy, second-factor authentication, and firewalls to separate different databases. While these measures improved the hospital’s security infrastructure, they made it more difficult for healthcare workers to quickly access data, especially when it was most needed. In the emergency room, every second can dictate the difference between life and death.
Cybersecurity measures slowed down ER doctors and nurses, which, according to the research, impacted the cardiac care given to patients in need. If you are at high risk of cardiac arrest, the last thing you want is for the ER admissions nurse to forget the long and complicated password imposed by the hospital IT administrator.
The research found that the time it took for a patient to receive an electrocardiogram increased by as much as 2.7 minutes after a data breach, and this lag remained as high as two minutes even after three to four years. The researchers believed that these findings explained why the 30‐day acute myocardial infarction mortality rate increased by as much as 0.36 percentage points during the three‐year window following a breach.
The mandate of cybersecurity products is to protect the customer or user from attacks. Often, this priority is placed at the top, overshadowing every other need the customer has. Phrases like, “The operation was a success, but the patient died,” express this dangerous disconnect.
Friendly security products protect the customer from cyberattacks, but also prioritize the operational and business needs of the customer. In the extreme case of the above research, prioritizing security over usability can cost lives. Placing security above everything else can also cost service providers millions. Sometimes the loss of revenue due to an unfriendly security solution can be higher than the potential losses resulting from a cyberattack.
For example, a password reset process that’s too complicated and lengthy can increase customer churn in nearly any industry. Finding the right balance between security and usability by utilizing biometric authentication and one-click two-factor authentication can provide the required security while keeping users engaged.
Security solution providers need to focus on building security products that put a heavy emphasis on their customers’ operational and business needs. Yes, security products must provide adequate protection from cybercriminals, but they should not hurt the business generated from the product they protect.
I’m fortunate to work with a talent pool full of security experts who work to keep security as user-friendly as possible. In today’s security industry that’s full of countless solutions to protect every aspect of an enterprise, I think we can all agree that friendly security stands out as a definite differentiation that customers not only appreciate but benefit from in an often eye-opening fashion.
About Asaf Ashkenazi
Asaf Ashkenazi is Verimatrix’s Chief Operating Officer, responsible for developing and communicating the organization’s strategic plans, initiatives and future goals. Asaf is also responsible for analyzing market dynamics, building strategic partnerships and identifying potential M&A targets. He has more than 15 years of security experience, spanning product management, business development and a variety of engineering roles throughout his career.
1. Choi SJ, Johnson ME, Lehmann CU. Data breach remediation efforts and their implications for hospital quality. Health Serv Res. 2019;54:971–980. https://doi.org/10.1111/1475-6773.13203
2. Campbell County Health, health news, September 20, 2019, https://www.cchwyo.org/News/Press_Center/Health_News/2019/Service_Disruptions_at_CCH_no_ETA.aspx