The cybersecurity issues faced by the healthcare sector in 2018 aren’t much different from those in recent years. However, hackers are increasing in sophistication and steadily improving their success rates. The year started off with a bang with several high-profile security events, and they continued through this month.
Meanwhile, most providers continued to struggle to keep up, due to tight budgets and a lack of resources and staff. While these struggles aren’t new to the sector, they serve as reminders that the industry will continue to face near-daily breaches until it can catch up to hackers.
HealthITSecurity.com spoke with security leaders across the industry to get a sense of what some of the year’s biggest stories have taught leadership to avoid a repeat in 2019.
Email: Friend or Foe?
For David Finn, Executive Vice President of Strategic Innovation of CynergisTek, the biggest lesson learned from 2018 was “email can be your friend, and it can also be your worst nightmare.”
“Email is far and away the number one threat across all industries, but especially in healthcare,” Finn said.
Consider some of the biggest hacks of 2018, some of which occurred in the last few months.
Not one but 15 New York Oncology Hematology employees fell victim to a targeted phishing campaign in April. Those employees were tricked into providing hackers their credentials, breaching the data of more than 128,000 patients for a week.
Another email event caused the data breach of 190,000 patients in June, when two employee email accounts were hacked at health savings trustee HealthEquity.
And several phishing attacks that went unnoticed for weeks, and sometimes several months, spurred breach notifications throughout the year. In one case, a hacker breached several email accounts at Aultman Health Foundation in February, but officials failed to discover the attack until March 28.
But a similar phishing attack on Minnesota’s Department of Health and Human Services, where a breach of 21,000 patient records went undetected for more than a month, revealed one of the biggest reasons why email hacks continue and will go on indefinitely: the state can’t keep up with the threats.
“Can you please try and help us connect why there was such a failure here of four months before folks were notified of the compromising situation of their private data?” State Senator Mary Kiffmeyer asked officials during an October 21 hearing.
Minnesota IT Services Commissioner Joanna Clyborne explained that it boiled down to a lack of resources and timeliness. But the human aspect also played a part, in that preventing someone from clicking on a link is an ongoing challenge.
“The breach is indicative of a growing and invasive cyber threat,” said Clyborne. “It requires our constant vigilance, attention and innovation. The fact of the matter is, however, that the [security team] is not resourced fully to address these persistent threats.”
Finn echoed those sentiments. “There’s no silver bullet to security. And for email, it comes down to the user,” he said.
“We’re still not spending the resources and time on the people who get the email,” said Finn. “It’s a great way to deliver malware and we’re not learning the lessons needed to stop it. And that’s not going to change in 2019 — but hopefully it will.”
The good news is that there have been fewer records breached in these attacks, he explained. However, there have been many more of them.
In fact, a recent Symantec report found that the number of breached records declined from 100 million in 2015 to just 5 million in 2017. However, 10 percent more organizations reported a breach in 2017 than in 2016.
“That speaks to the email issue. Phishing is getting more expertly targeted,” Finn said. “Now, hackers will target an organization, spend time researching and steal credentials. There are a smaller number of records, but there are more breaches, and it’s much more effective.”
Ransomware Declines, Other Threats Increase
Security leaders have said throughout the year that reported ransomware attacks have gone down, which was confirmed by a recent Proofpoint report. However, it doesn’t mean the issue has gone away entirely.
In fact, the notorious, hyper-targeted SamSam ransomware has pummeled the healthcare sector throughout the year, and the hackers behind it have banked $6 million from its victims this year. The Department of Justice recently indicted two Iranian hackers for these attacks.
The indictment shed light on some of the biggest ransomware attacks seen in recent years. SamSam was behind the massive, near week-long outage at Allscripts in January, as well as other attacks, such as the one on Hancock Health.
And that doesn’t include the long line of other organizations that have reported ransomware attacks, especially in recent months. While these attacks are notable, the decline in ransomware since 2016 is significant.
It’s good news that ransomware has declined, but it has resulted in some other threat actors taking hold, Finn explained.
“The bad guys have learned you can catch more flies with honey,” said Finn. “They’ve been stepping down ransomware attacks. But there’s been a huge uptick in cryptomining — using a victim’s own network to gather cryptocurrency and mining with hundreds of thousands of bots on a network.”
“It’s a two-edged sword: Less ransomware, but using our machines for attacks,” he added.
To Finn, there’s been one positive thing about the high-profile ransomware attacks: “People have started to understand the real cost of downtime. The fines are helping, as well.”
A recent Ponemon report found the cost of these attacks can run about $5 million, due to system downtime and end-user productivity loss. Finn explained that employees struggle to work during a shutdown, and projects come to a halt.
“Billers can’t bill, which is almost as bad as having money taken from an organization,” said Finn. “We’re finally getting a real overview of cost.”
For example, Finn recalled an event this year in which a hospital was shut down. The system was taken over in just 14 minutes. Recovery cost about 60 percent of the IT budget, and that was with a quick recovery time.
Medical Device Security
At the HIMSS Security Forum in June, Christian Dameff, an emergency room physician and security researcher from the University of California, made waves with his presentation: a simulated attack on a patient with a medical device.
The patient, played by an actor, presented with chest pain to a team of clinicians. While the team performed routine care based on those symptoms, the patient’s pacemaker continued to malfunction and routine treatment didn’t work.
The concerning factor is that none of the physicians considered that the device had been hacked, and the patient repeatedly died and came back to life as the medical device surged.
While Dameff said the likelihood of these scenarios is low, that’s not a reason not to address them. In fact, Finn explained that in July, a medical device was hacked in Russia during a pediatric surgery. The hack took out a medical device in the operating room while the surgeon was operating on the brain of his patient.
“It was like driving with a blindfold,” said Finn. “He had no respiration monitor, no heart rate, no visual information on the status of the patient. It had a good outcome, but the surgeon realized he couldn’t do surgery without the tech.”
“The attack was so targeted that we have to believe someone was trying to learn a lesson with it,” said Finn. “There were a couple of others during the year, though they seemed to be less targeted, more like collateral damage.”
Indeed, the Food and Drug Administration has increased its guidance around these devices this year, reflecting the growing concern about these vulnerable platforms, explained Finn. And device manufacturers have stepped up as well.
“There’s still a lot of hysteria, but there’s real focus and at least people are paying attention to biomedical devices,” said Finn. “It’s a huge win because it’s been needed for some time.”
Financial Lessons Learned
“2018 was a tough year because for the first time we saw the largest increase in breaches — and fines, as well,” said Shefali Mookencherry, Principal Advisor for Information Security, Privacy and Disaster Recovery at Impact Advisors.
Office for Civil Rights Director Roger Severino has remained true to his word by continuing enforcement actions over patient data breaches at a routine pace. Just this month, the sector has seen two major settlements.
The latest, with Advanced Care Hospitalists, stemmed from a 2015 event in which a breach occurred and the organization had failed to enter into a business associate agreement.
“We’re starting to see more and more enforcement based on confidentiality and security,” Mookencherry said.
“It’s also the first year where we saw an increase in organizations paying ransoms following a ransomware attack in order to unlock files,” she said. “There are some who pay, but others who use backups.”
It’s notable that security leaders, HHS and the FBI all warn that organizations should not pay ransoms.
To Mookencherry, it’s also important to note that hackers are now using threats like cryptomining and cryptojacking, which have a huge financial impact on organizations.
In May, the EU General Data Protection Regulation went into effect, which is relevant to those US health organizations that care for EU patients on a routine basis.
However, to Corinne Smith, a healthcare attorney with Clark Hill Strasburger, GDPR has other implications for privacy in the US. While many have not paid much attention to GDPR and its potential ramifications for the U.S. healthcare sector, it’s incredibly important.
“GDPR is very different than HIPAA because it focuses on an individual’s rights and not their data,” said Smith. “In addition, it has hefty fines which exceed HIPAA and a shorter reporting requirement (72 hours). The GDPR has a unique ‘right to be forgotten’ that can conflict with legal mandates to retain records.”
“In addition, GDPR addresses the use of genetic and biometric data, which are not differentiated in HIPAA,” Smith added. “We will be learning more about GDPR in 2019, as healthcare becomes increasingly global.”
Indeed, the push for privacy rights and an update to HIPAA has increased throughout the year. Just this month, AMIA called for a federal alignment of health data privacy policies to shore up HIPAA’s regulatory gaps. The hope is to make “consumer-centricity a prerequisite condition” and better protect patient privacy.