Published: 24 Jan 2017
Amid the fear, chaos and spread of data breaches in healthcare triggered by cybercriminals, there are strong signs of progress in health IT cybersecurity, according to cybersecurity experts.
While healthcare has long underfunded IT security compared to industries like finance and manufacturing, that trend is changing dramatically, said information security and privacy expert Larry Ponemon, chairman and founder of the Ponemon Institute in Traverse City, Mich. "We're starting to see [security] budget levels in healthcare as a percentage of the total IT budget, numbers that are projected to almost double next year," Ponemon said. "A lot of the organizations that were woefully unprepared for this are going to be spending some serious resources."
For 2017, financial services companies are increasing their cybersecurity outlays by 4% or 5%, but healthcare organizations are on a pace to double that, with IT security budget increases expected to top 10%, Ponemon said. "For healthcare, 2017 is the year of catchup," he added.
2016's harsh cyber-reality
The past year served as a wake-up call for hospitals. More than 15 million people's protected health information (PHI) records were compromised in data breaches in healthcare last year, according to a database of reported health data breaches maintained by the Office for Civil Rights (OCR).
While the total number of reported breaches through mid-December 2016 -- not including major ransomware incidents -- rose modestly from 2015, hacking incidents spiked 63% from 57 to 93. Unauthorized access and disclosure incidents, apparently by organization insiders, also saw a significant jump, from 101 to 119. However, thefts and losses of stored data went down, perhaps indicating some progress by providers in combatting data breaches in healthcare. Still, untold numbers of cyberincidents go unreported or are reported several years after they occur, so the OCR database provides only a partial view of the data breaches in healthcare.
Meanwhile, the data networks of at least a dozen hospitals and health clinics from Marin County, Calif., to Oxford, Miss. -- including high-profile healthcare systems in Hollywood and the Washington, D.C. area -- were partially or completely locked up by ransomware last year.
"To pick one thing that has really been causing the most grief for healthcare this last year, it is these ransomware attacks," said Rick Kam, president and co-founder of ID Experts, a cybersecurity consulting and technology firm in Portland, Ore.
Down and out for two days
The most notorious ransomware attack on a healthcare organization in 2016 occurred at Hollywood Presbyterian Medical Center in Los Angeles. The assault forced the 434-bed acute care hospital, which serves an affluent, celebrity-studded population, to turn to paper records or lose patients to other hospitals for two or three days after its computers were compromised. The hospital paid $17,000 in bitcoin to the cybercriminals to unlock its network.
For Kam, whether cybercriminals target a hospital used by celebrities or a big healthcare system such as MedStar Health in Maryland -- whose 10 hospitals treat many politicians and government employees -- the effect of a successful ransomware strike is the same. MedStar was crippled in last year's March 27 ransomware strike. "These organizations literally can't operate because they can't access not only healthcare records, but also the systems that support their basic operations," Kam explained.
Even smaller breaches, like many of those in the OCR database, perhaps involving PHI records of 500 to 300,000 patients, can be significant depending on whose records they are, Kam said. "In the context of healthcare data, sometimes it's more important who owns those records as opposed to how many records there are," he noted.
Indeed, if 2015 was the year of massive data breaches in healthcare -- with large-scale PHI hacks hitting big organizations such as Anthem Inc., the nation's second-largest insurer -- then 2016 will be remembered for its proliferation of ransomware strikes on midsize and smaller hospitals.
A state-of-the-art enemy lurks
Cybercriminals' ransomware code and tactics became more sophisticated and capable of infiltrating targets days or months in advance with reconnaissance sorties before striking, or of spreading laterally through mobile devices and the internet of things, Ponemon said.
Insidiously, new strains of ransomware and malware can now also routinely infect backup data that resides in the cloud, according to cybersecurity experts. "It's harder to detect and has these properties that make it even more deadly," Ponemon noted. "That's really scary if you're a hospital and you have backup records."
Ponemon, like many cybersecurity experts, said the best response to evolving cybercrime threats is as much creating a culture of data security as installing security technologies such as perimeter and medical identity monitoring, threat detection, encryption and multifactor authentication.
Ponemon said a promising trend is smaller regional hospitals and healthcare systems banding together into something akin to cybersecurity cooperatives to share the cost. Kam said healthcare organizations also are becoming more proactive and seeking out malware to parry and block.
At the same time, Kam, whose company sponsors the Ponemon Institute's annual report on the privacy and security of healthcare data, maintained that data breaches in healthcare should not be viewed in isolation. Breaches, he argued, are part of a wider wave of cyberattacks causing massive losses of data at influential, hyper-connected institutions such as the U.S. Office of Personnel Management (OPM).
OPM is thought to have lost control over the records of 21.5 million people in the June 2015 breach. Those records include government employees, elected officials, contractors and anyone who has undergone a federal background check. Federal officials suspected Chinese hackers, possibly sponsored by the Chinese government.
Kam suggested that such hackers might be combining personal data from health records from the Anthem hack with personal information from the OPM hack to create deep background profiles on individual Americans for the purpose of blackmail or espionage. "You can then, as a nation-state, start to deploy your strategy to compromise these people more efficiently," Kam said. "You just need to find a few people in the right places."