Healthcare Ransomware Archives - https://hitconsultant.net/tag/healthcare-ransomware/ (Thu, 02 Nov 2023)

75% of Healthcare Organizations Hit by Ransomware Attacks, Sophos Survey Finds
https://hitconsultant.net/2023/11/02/75-of-healthcare-organizations-hit-by-ransomware-attacks/
Thu, 02 Nov 2023 04:38:10 +0000

What You Should Know: 

– Cybercriminals have been highly successful in their ransomware attacks on healthcare organizations, according to a new survey conducted by Sophos. “The State of Ransomware in Healthcare 2023” report reveals that nearly 75% of the surveyed healthcare organizations reported that their data was successfully encrypted by the attackers.

– In addition, only 24% of healthcare organizations were able to disrupt a ransomware attack before the attackers encrypted their data—down from 34% in 2022; this is the lowest rate of disruption reported by the sector over the past three years. 

– Ransomware remains a pressing concern for the healthcare industry. It’s essential for healthcare organizations to stay vigilant and continuously adapt their cybersecurity measures to counter evolving threats and protect patient information. 

Report Key Findings

The findings underscore the critical importance of robust cybersecurity measures in healthcare organizations. With the increasing frequency and sophistication of ransomware attacks, healthcare institutions must invest in advanced security solutions and incident response strategies to protect sensitive data and maintain uninterrupted healthcare services. Additional key findings from the report include:

  • In 37% of ransomware attacks where data was successfully encrypted, data was also stolen, suggesting a rise in the “double dip” method 
  • Healthcare organizations are now taking longer to recover, with 47% recovering in a week, compared to 54% last year
  • The overall number of ransomware attacks against healthcare organizations surveyed declined from 66% in 2022 to 60% this year 
  • Compromised credentials were the number one root cause of ransomware attacks against healthcare organizations, followed by exploits
  • The number of healthcare organizations surveyed that paid ransom payments declined from 61% last year to 42% this year. This is lower than the cross-sector average of 46% 

3 Best Practices to Protect Healthcare Orgs Against Ransomware, Cyberattacks

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

  1. Strengthen defensive shields with: 
    • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-ransomware and anti-exploit capabilities 
    • Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials 
    • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond 
    • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialized Managed Detection and Response (MDR) provider 
  2. Optimize attack preparation, including regularly backing up, practicing recovering data from backups and maintaining an up-to-date incident response plan 
  3. Maintain security hygiene, including timely patching and regularly reviewing security tool configurations

How Healthcare Organizations Can Defend Against Ransomware
https://hitconsultant.net/2023/10/04/how-healthcare-organizations-can-defend-against-ransomware/
Wed, 04 Oct 2023 10:38:39 +0000
Rebecca Gazda, Sr Director of Labs at DNSFilter

There’s no denying it – the need for stronger cyber defense is urgent. More ransomware attacks targeted healthcare in 2022 than any other critical infrastructure sector, according to the FBI’s Internet Crime Complaint Center (IC3). With attacks on healthcare negatively impacting patient care – including increased mortality rates – healthcare organizations must adopt proactive approaches to better protect their patients and sensitive information. 

In the spring, the Multi-State Information Sharing and Analysis Center (MS-ISAC) released new guidelines aimed at supporting healthcare organizations against cyber-attacks. Developed through collaboration between the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA), the guidance includes best practices for prevention and response to the six most common vectors for ransomware – internet-facing vulnerabilities and misconfigurations, compromised credentials, phishing, precursor malware infection, advanced forms of social engineering, and third parties and managed service providers. 

The guidance provides healthcare organizations and hospitals with a helpful starting point, offering a plan for implementing essential security steps. However, there are gaps where more can be done to better protect against ransomware.  

For starters, phishing accounted for up to 60% of the attacks on the healthcare sector in the first quarter of 2023, according to DNSFilter’s State of Internet Security report. Even more unnerving? Research shows that healthcare employees are twice as likely to click on phishing links as employees in other sectors.  

It’s time for the healthcare industry to take action – with a proactive approach to ransomware protection. 

Start With an Incident Response Plan 

The umbrella for ransomware defense is a thorough incident response plan, which is critical to protecting data and enabling a fast, effective response in the event of an attack. A plan should cover every aspect of an organization’s defense, including prevention, detection, response and recovery. In addition, it should incorporate a strategy for maintaining encrypted backups offline, should an attack occur.  

The key to an effective incident response plan is in how it is maintained and communicated to employees. Response plans should be tested regularly and updated when necessary. And everyone in an organization should be aware of the plan and their part in it.  

A decent portion of the advice in the MS-ISAC guidance concerns basic – but absolutely essential – measures. For example, steps to guard against compromised credentials are well-known, even if not always implemented. The basics of ransomware protection for healthcare organizations include:  

  • Always using multi-factor authentication (MFA), which has been proven to be highly effective against credential-based attacks such as those used in phishing campaigns.  
  • Updating the default usernames and passwords used for administrative accounts – an obvious precaution. 
  • Avoiding root accounts for day-to-day access; attackers who gain access to these accounts can get persistent access to the entire environment.  
  • Educating all employees on proper password security in annual training.  

The Importance of User Education 

The importance of user education cannot be overstated, given the sheer number of individuals who have access to Protected Health Information (PHI) and Personally Identifiable Information (PII). However, nurses, doctors and healthcare assistants are often not savvy in cybersecurity best practices. Thus, training must become standard in order to better protect the industry at large. 

We must evolve to institute proper cybersecurity training as an ongoing activity, rather than once a year. Frequent, short bursts of information are more likely to be digested and retained than information from longer annual sessions. In addition to IT and cybersecurity professionals, which the MS-ISAC guidance focuses on, it’s imperative to educate ALL employees – as many outside the cybersecurity and IT scope still have access to sensitive information. The access those employees have – and the sensitivity of the information at stake – increases the attack surface for healthcare organizations, potentially putting not only data, but the wellbeing and even lives of patients at risk. A thorough incident response plan must ensure that all employees regularly receive ongoing training to protect medical databases. A good cyber posture requires a baseline of knowledge for every person within an organization. 

Stay a Step Ahead of Phishing Attempts 

In addition to broad phishing campaigns that attempt to get any one of many employees to click a link, attackers today also conduct targeted campaigns with more sophisticated tactics such as pretexting (posing as a trusted source to gather information), baiting (offering free music or movie downloads to get login information) or even posing as a C-level executive to trick employees into providing information or performing a function. Without proper education and training, how can we expect employees in the healthcare sector to understand how to properly identify these attacks? We can’t. 

Many organizations omit continuous training simply because they aren’t sure where to begin. However, third-party resources are available, including Ninjio, which works with short, regular bursts of information and has kitschy but interesting videos. Or, there is HackNotice, which along with its other services encourages accountability by enrolling employees and family members in breach reports. 

Healthcare workers will make better choices when they feel they have autonomy, support and proper education. While mistakes will inevitably be made through human error, hospitals and medical offices can consider adding another layer of protection by implementing protective Domain Name System (DNS) services, which analyze queries and can block some malicious activity, including ransomware, at the source.   

Other Best Practices 

Asset management is a challenge for healthcare organizations due to the variety of connected devices in use, such as scanners, infusion pumps and monitoring devices. This includes monitoring devices that record private patient information like heart rate, blood pressure, and glucose levels, not to mention the devices implanted inside patients, as well as devices many patients carry with them on a daily basis. While it can be a challenge to track and maintain an inventory across every moving part in a healthcare system, asset management tools exist that fully eliminate that burden.  

Third-party managed service providers (MSPs) can help small and mid-size companies implement security measures that are beyond what they can provide on their own. However, it is important to remember that complete information on the systems, data and processes that need to be protected must be provided, as MSPs can’t help protect against what they don’t know about.  

As outlined in the MS-ISAC guidance, it’s imperative for healthcare organizations to ensure that least-privilege principles are applied across service providers. Service control policies to restrict access to specific services or prevent users from performing certain functions, such as changing cloud configurations or deleting logs, should be implemented. 

The threat of ransomware isn’t going anywhere. As a profitable attack vector for cyber threat actors, hospitals and medical offices remain at risk. While the MS-ISAC guidance provides a strong foundation for implementing measures to enhance prevention, response and recovery, there are areas we must improve upon to better protect sensitive information from exfiltration. Through proper organization-wide education, continuous training, proper phishing awareness, asset management and third-party MSPs, healthcare organizations can establish a more robust cybersecurity posture and better protect against today’s ever-growing ransomware threat. Not only will this protect patient data, but patient lives as well.   


About Rebecca Gazda

Rebecca Gazda is the Sr Director of Labs at DNSFilter where she is responsible for categorization innovation, classification accuracy, and threat protection. Rebecca has over 15 years of experience in data and analytics, statistics, data science, and technology team management. Her career has spanned several industries including psychology, neuroscience, cybersecurity, healthcare, academia, and clinical research. Her diverse background provides a perspective into cybersecurity that focuses on the human aspects of threats and threat protection.

EMPI/MPI: An End-to-End Approach to Patient Data Integrity
https://hitconsultant.net/2022/08/19/patient-data-integrity-approach/
Fri, 19 Aug 2022 16:47:36 +0000
Lora Hefton, Executive Vice President, Harris Data Integrity Solutions

Maintaining patient data integrity is more complicated than ever; cybersecurity threats loom, patients are taking more ownership of their care (self-registration, for example) and health system merger activity is on the rise. It can make the quest for the ever-elusive 1% maximum duplicate rate seem, at times, unattainable.

But a secure, accurate, and duplicate-free MPI/EMPI can be achieved. It just requires a multi-pronged approach to protect data throughout its journey into a health system and at every touch along the way.

Duplicate problems

AHIMA points out that hospitals face an average duplicate record rate between 5% and 10%. However, this figure likely underestimates the true scope of the problem, given one recent study that put the duplicate rate at 18%. Coupled with findings that as many as 20% of all records are incomplete (up to 40% of demographic data was missing from commercial laboratory test feeds for COVID-19), the problem balloons from what on the surface appears to be relatively innocuous into something much more severe.

In its white paper “A Realistic Approach to Achieving a 1% Duplicate Record Error Rate,” AHIMA notes that duplicate patient records lead to misidentification errors and administrative inefficiencies. In addition, missing data within the record can hinder contact tracing, vaccination, and public health reporting.

The financial toll is equally severe; misidentification costs the average healthcare facility $17.4 million per year in denied claims and lost revenue. Further, while progress is being made on both fronts, the lack of patient identification standards and a unique patient identifier exacerbates the overall problem.

Cybersecurity risks

Along with increased opportunities for duplicate and overlaid records, healthcare organizations face growing cybersecurity threats from all sides. The FBI’s 2021 Internet Crime Report revealed that the healthcare sector dealt with the most ransomware attacks in 2021 of any critical infrastructure sector, with the Internet Crime Complaint Center (IC3) receiving 148 complaints of healthcare ransomware attacks.

HIMSS, in its 2021 Healthcare Cybersecurity Survey, found that phishing (45%) and ransomware (17%) are the most significant security threats and financial information is the primary target. Among survey respondents, 67% indicated that their healthcare organizations experienced significant security incidents in the past 12 months, with 32% stating the security level was high and 12% considering it critical.

The threat is severe enough to have prompted the introduction in the Senate of the bipartisan Healthcare Cybersecurity Act, which would establish a partnership between HHS and the Cybersecurity and Infrastructure Security Agency (CISA) with the goal of improving cybersecurity in the healthcare and public health sector. The Act mandates a study by CISA on the risk facing the healthcare industry that also explores strategies for securing medical devices and EHRs, and how data breaches impact patient care. It also calls for the agency to work with information-sharing organizations and analysis centers to create healthcare-specific resources, promote threat-information sharing, and educate healthcare asset owners and operators on managing cybersecurity risks.

End-to-end protection

The first step of every patient encounter is choosing the right patient record. While that’s obvious, it doesn’t always happen in the given moment. However, getting it right at the outset is a critical moment for eliminating medical errors, unnecessary costs, and safety issues associated with an MPI tainted by duplicate records.

Clean patient records at registration prevent downstream contamination into other departments – from clinical to imaging to billing, and enhance revenue cycle efficiencies to reduce AR and decrease denials. Positive patient identification also enables digital transformation across the healthcare system, leading to improved interoperability, patient engagement and even improved patient access.

Because of these drivers, health systems are increasingly aware of and using technology to address patient data integrity issues where they can control them. For example, according to Johns Hopkins Hospital, more than 90% of patient record errors begin at registration. These errors lead to duplicate record creation. By getting registration right, health systems protect against front-end contamination of the MPI/EMPI.

In an end-to-end protection model, mismatched records are prevented and mismatches are caught upfront. However, most EHR patient lookup requires specific processes and data to be entered field by field, in just the right way. If even one detail is off, a search will yield invalid results and can lead to the creation of a new, duplicate patient record. Current dynamic patient lookup solutions return instant patient results as they are typed into the system search bar, just like a web browser. Everyone involved in the patient matching process can narrow and refine results as they type to achieve positive patient identification.

Such a solution is critical when uncontrolled factors, like a health system merger, come into play, AHIMA notes. In these instances, duplicate rates can rise to 20% or more. Conducting data and record clean-ups before merging records or health systems can eliminate patient misidentification. Patient lookup technology can help rectify duplicates, getting to the work of patient engagement much more quickly.

AHIMA notes that technology that conducts ongoing monitoring can identify and eliminate duplicate records and ensure errant records are eradicated before they can contaminate downstream systems, particularly important during mergers, especially if patient registration and identification issues are addressed early on or from the onset.

Combined management and clean-up ensure accurate patient identification anywhere along the patient journey and at any point in the care continuum. These dual approaches also can protect patient medical records from unauthorized user access, breach, or attack, thus securing all patient information and minimizing the ongoing costs of maintaining quality patient data.

How It Works

Resolve patient misidentification issues by leveraging biometrics to collect images and patient information, creating the patient record within the MPI. Then, that data can be analyzed, cleaned, and returned with a copy of the patients’ photos and corresponding medical record numbers.

Such an approach to MPI/EMPI protection operates in multiple environments. For example, the patient’s photo is taken and attached to their unique medical record during on-site registration. During remote registrations or remote visits, the patient is sent a text message with links to take and submit a selfie and a photo of their driver’s license. The system uses this information to search for any record matches before assigning biometric credentials to new patients.

When integrated into the EHR, healthcare organizations can prevent duplicate record creation during patient registration, ensure remote patient data capture and authentication, and clean patient data across the care continuum. The result is improved patient safety, reduced misidentification-related medical errors, fewer write-offs and denied claims, and reduced cybersecurity threat risks.

In the end, end-to-end EMPI/MPI management and patient identification require a multifaceted approach to tackle one of healthcare’s most prevailing problems and reduce the volume of duplicate medical records while securing patient information and minimizing the efforts required to maintain quality patient data.


About Lora Hefton

As Executive Vice President, Lora oversees all aspects of Harris Data Integrity Solutions, including its vision, strategy, controls, procedures, development, distribution, support, as well as ensuring it has the people to deliver quality services and solutions to healthcare entities while maintaining growth. She joined Just Associates in 2010 and, prior to its acquisition by Harris Computer, served as Chief Operating Officer working closely with its founders to expand the solutions and services offered by the business.

What Healthcare Leaders Need to Do Now About Ransomware
https://hitconsultant.net/2022/03/21/healthcare-leaders-ransomware/
Mon, 21 Mar 2022 04:00:00 +0000
Aaron Biehl, SVP at Meriplex

If ransomware is not a topic of conversation around any healthcare organization’s boardroom table, directors and senior executives may be exposing the organization (and themselves) to considerable risk. Here’s a guide to ransomware trends for 2022 and steps healthcare leaders can take to help protect their organizations.

Ransomware trends in 2022

The risk of a ransomware attack in 2022 is substantial, with gangs specializing in targeting the healthcare sector. Last year saw dozens of ransomware attacks on hospitals and healthcare institutions for a total of 1,203 individual sites affected. This year, ransomware groups are targeting mid-sized victims to reduce government scrutiny, so no healthcare system should consider itself too small to worry.

While the incident rate is down from 2020, disturbing new trends are expected to increase in 2022. Ransomware attacks are on the rise against business associates that, in turn, affect healthcare organizations. And ransomware attackers are diversifying their approaches to extorting money after they’ve encrypted victim networks. They threaten to (1) release sensitive information that was stolen prior to encryption, (2) disrupt internet access or (3) inform partners, stakeholders and suppliers about the incident — demanding ransom at each step. 

Ransomware attacks can cost tens if not hundreds of millions of dollars, even if no ransom is paid. Network resources including EHRs, scheduling systems, and email can be offline for days or weeks. Care can be compromised, exposing the organization to legal action. Revenue is lost when surgery procedures or other healthcare visits can’t occur, and reputational consequences may be significant. 

Mitigating ransomware risk

Directors and senior executives are used to reviewing financial, legal, and operational risks and assessing mitigations. IT security may be viewed as a cost center that’s always after a bigger budget. In reality, adequately funded and effectively run IT security operations mitigate the risk of ransomware attacks and data breaches. 

Part of the protective effort is having enough budget to keep up with the basics of patching and user education. However, there is another reason Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) ask for additional security funding. Ransomware gangs and cybercriminals change tactics frequently, requiring ever stronger defenses and new security measures like Zero Trust Networks and Multi-Factor Authentication. 

Mitigating risk starts with understanding the current environment. Healthcare leaders don’t have to become cybersecurity experts to gain a core understanding of an organization’s security posture and level of ransomware risk. Cybersecurity is everyone’s responsibility, from the front lines of healthcare delivery to the boardroom. Here are five questions to ask a CISO or CIO to get started with assessing protections and mitigations that are in place.

1. Who is responsible for your organization’s cybersecurity? Is it all handled in-house? 

There is no right or wrong answer to this question. Some organizations handle cybersecurity completely in-house. Others, particularly smaller IT operations, supplement their in-house resources with managed security services. Find out if the responsible parties are taking both strategic and tactical approaches to layered security and if standards from bodies such as the International Standards Organization (ISO) and the National Institute of Standards and Technology (NIST) are being met as well as rules and regulations affecting your operations, such as HIPAA for data privacy and PCI DSS for credit card payments. 

2. How are endpoints protected, including devices used by employees working remotely and contractors?

When it comes to preventing ransomware attacks, there are no silver bullets. But there is power in understanding how endpoints — PCs, laptops, tablets, and mobile devices — are protected. Ransomware is most frequently introduced via endpoints, and through them gains access to your network and systems. 

Today’s cyberattacks can be multi-pronged, and the firewalls and anti-virus software that offered protection yesterday are no longer adequate. Make sure any and all endpoints, both on- and off-premises (for example contractors or employees working from home), are properly protected.

Good answers to this question should touch on solutions that use advanced technologies like AI or machine learning to constantly scan for and detect anomalies in user behavior. These technologies automatically stop apparent attacks and pass filtered, critical indicators of threats up the “security stack.”

3. Does your organization have detection and response capabilities to rapidly shut down ransomware, data breaches, and other cyber threats? How are alerts managed and by whom? Do you have a 24/7 Security Operations Center (SOC) staffed by cybersecurity experts to handle your alerts?

Once inside, hackers use lateral movement to spread across an organization’s network. Find out what tools the security operations team uses to monitor infrastructure and stop threats before the damage is done. Best practices will include some form of detection and response that looks at all the security alerts coming in (and there are thousands of them), then filters and analyzes that data using AI and machine learning technologies. The challenge is to identify the real threats and issue alerts. 

4. What is the recovery plan for your facility in the event of a ransomware attack?

Assume a successful ransomware attack. Now, what do you do? Do you pay up? How is your data protected? What will your staff and patients experience? How long will operations be disrupted? One of the most noteworthy attacks in 2021 was a ransomware attack on San Diego-based Scripps Health, which resulted in system outages for nearly a month and $112.7 million in costs. Can your healthcare operations survive that? 

The IT security team should have a ransomware response plan in place that documents specific actions to be taken and assigns responsibilities to specific team members. The first steps should include identifying the malware, stopping its spread across the network and systems, and removing it from infected devices. Only then should the plan move to the recovery phase.

Having a rock-solid data backup and recovery plan that includes immutable backups is at the heart of any ransomware recovery plan. Any health care organization should be able to restore a very recent, clean version of its data in minutes, protecting against having to pay a ransom to get the data back. 

5. Does IT security have an anti-phishing training program for all the people in the organization? Does the program include drills and test emails to help them recognize phishing?

Employee anti-phishing training and simulated phishing tests are an increasingly important security layer that any healthcare organization should have in place. Phishing is how hackers target human vulnerabilities. Some phishing attacks are laughably crude, but others are very sophisticated. The goal of training is to help employees recognize phishing emails and prevent malware attacks by not clicking on those malicious links or opening suspicious attachments.  

Act now to understand your organization’s ransomware risk

Addressing these critical questions with IT leadership could very well protect an organization from paying up in the long run and exposing patients’ personal and health information to theft. Cybercriminals pay well for that information when ransomware attackers put it up for sale on the dark web. The resulting loss of reputation and trust in the organization may be the highest price paid.

Security maturity is a journey, and your organization may have some or all of these capabilities in place. To properly secure the sensitive and valuable information entrusted to any organization, healthcare leaders must identify any weak points. For a deeper dive into what ransomware protection requires, consult these mitigation guidelines from the multi-national Cybersecurity & Infrastructure Security Agency.

Get started by working with IT leadership to conduct a vulnerability or risk assessment of your organization’s IT infrastructure, ideally conducted by a neutral third party. When it’s completed, the findings should clearly illustrate the risk level so the Board of Directors or senior executives can understand the level of investment required for cybersecurity risk mitigation. 


About Aaron Biehl

Aaron Biehl, the SVP for Meriplex, has been in the technology industry for over 25 years helping healthcare organizations and banks develop a solid foundation for their IT and security. Aaron is passionate about exploring innovative options and solutions for companies and enjoys helping businesses utilize new methods to grow and prosper.

Why Ransomware Poses a Threat to Both Healthcare Organizations and Patient Health
https://hitconsultant.net/2021/05/20/ransomware-healthcare-organizations-patient-health%e2%80%8b/
Thu, 20 May 2021 04:09:00 +0000
Gary Ogasawara, CTO, Cloudian

Ransomware attacks continue to wreak havoc on all types of organizations across almost every industry. The healthcare sector in particular has emerged as one of the top targets for ransomware gangs, and the impact can be more dire than for most others. According to new research by Tenable, ransomware is responsible for 46% of all data breaches in the healthcare sector, compared to 35% of data breaches across all verticals. 

Just last month, a major hospital in Maryland lost access to a variety of its IT systems after a ransomware attack. It took officials a full month to restore the hospital’s Electronic Health Record system. Even worse, in October, six separate hospitals across the US – from Oregon to New York – were infected with ransomware within a 24-hour period. The event was severe enough to prompt the US Cybersecurity and Infrastructure Security Agency to issue an advisory to healthcare organizations warning about the rising risk of ransomware.

When hospitals and healthcare providers fall victim to ransomware, they often lose access to critical IT systems, slowing down or even temporarily stopping operation. The malware can take months to fully remove, too often subjecting the organization to significant economic loss. Emsisoft published a report finding that, in 2019, ransomware attacks on healthcare organizations each lasted an average of 287 days and cost an average of $8.1 million. 

During a deadly global pandemic, it’s not just the healthcare organization’s bottom line that is in jeopardy, but also patient health. Ransomware attacks can severely disrupt operations for hours or even days, putting patients’ lives at risk. With ICUs across the country now reaching capacity with COVID patients, the stakes are higher than ever.

Malware defenses such as firewalls and employee phishing training are critical, but by themselves they often fail to stop attacks. Ransomware only needs to get through once to infiltrate and cripple an organization. Over the past couple of years, hackers have found ways to circumvent endpoint security software and elude seasoned IT staff and well-trained users. Email is the most common attack vector, with victims deceived into either providing corporate login credentials (a phishing attack) or downloading an infected file. In the past, these types of emails were easy to spot, but that is no longer true. In advanced whaling attacks, cybercriminals credibly imitate C-level and other high-ranking executives, bypassing spam filters and increasing the likelihood of fooling employees. These sophisticated email-based ransomware attacks can even include personal details taken from social media profiles. In the healthcare sector, such emails may promise information about COVID vaccines or PPE availability. This increases their urgency and apparent authenticity, boosting the chances that an employee will take the bait.

Ultimately, the only way for healthcare organizations to really guard against ransomware is to protect data where it lives – at the storage layer.

Healthcare organizations must leverage immutable storage to protect their backup data. This is the only approach that can ensure rapid recovery from ransomware attacks, without the need to pay ransom. Fortunately, immutable storage is both cost effective and easy to use: Once a backup data copy is written, that backup cannot be altered or erased, which makes it impossible for ransomware to encrypt that data. If a ransomware attack does occur, organizations can quickly restore from the most recent backup via a simple recovery process. There’s no need to pay a ransom, no downtime and, most importantly, far less disruption in patient care. 

Ransomware-proof storage can be achieved through the use of Object Lock, a new feature that is supported by select enterprise storage systems. Because Object Lock leverages the industry-standard S3 API, there are a variety of storage vendors, data protection software vendors and cloud providers that support it.  With Object Lock-enabled systems, your backup data can be protected from ransomware as part of an automated workflow, with no manual intervention required. 
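The two paragraphs above describe the property that makes Object Lock-style storage useful against ransomware: a write never replaces an existing backup copy, and no copy can be deleted or have its retention shortened before the retention date passes. The following simulation, added here as an illustration and not code from Cloudian, AWS or any storage vendor, models those semantics in memory (the class and method names are assumptions) and contrasts them with an ordinary mutable store where a single overwrite destroys the backup:

```python
"""In-memory model of WORM (write-once-read-many) storage with S3 Object
Lock-style retention. Added example, not vendor code; names are assumptions.
Retention here behaves like compliance mode: it can be extended, never
shortened, and no version can be deleted before its retain-until date."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List


class ObjectLockedError(Exception):
    """Raised when an operation would alter or remove a retained version."""


@dataclass
class Version:
    version_id: int
    data: bytes
    retain_until: datetime


@dataclass
class LockedBucket:
    """Every PUT appends a new version; nothing is ever overwritten in place."""
    default_retention: timedelta
    _versions: Dict[str, List[Version]] = field(default_factory=dict)
    _next_id: int = 1

    def put(self, key: str, data: bytes, now: datetime) -> int:
        v = Version(self._next_id, data, now + self.default_retention)
        self._next_id += 1
        self._versions.setdefault(key, []).append(v)
        return v.version_id

    def _find(self, key: str, version_id: int) -> Version:
        for v in self._versions.get(key, []):
            if v.version_id == version_id:
                return v
        raise KeyError(f"{key} v{version_id} not found")

    def get(self, key: str, version_id: int) -> bytes:
        return self._find(key, version_id).data

    def delete_version(self, key: str, version_id: int, now: datetime) -> None:
        v = self._find(key, version_id)
        if now < v.retain_until:
            raise ObjectLockedError(f"{key} v{version_id} retained until {v.retain_until:%Y-%m-%d}")
        self._versions[key].remove(v)

    def set_retention(self, key: str, version_id: int, retain_until: datetime) -> None:
        v = self._find(key, version_id)
        if retain_until < v.retain_until:
            raise ObjectLockedError("compliance mode: retention cannot be shortened")
        v.retain_until = retain_until


class PlainBucket:
    """Ordinary mutable store: a PUT replaces whatever was there (the weak setting)."""
    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}

    def put(self, key: str, data: bytes) -> None:
        self._objects[key] = data

    def get(self, key: str) -> bytes:
        return self._objects[key]


def backup_survives_overwrite(use_object_lock: bool) -> bool:
    """Write a backup, then let a compromised backup client overwrite the same
    key with garbage. Returns True if the original bytes are still retrievable."""
    now = datetime(2021, 5, 20, tzinfo=timezone.utc)   # constructed timestamp
    original = b"EHR-backup-2021-05-20"                 # constructed backup content
    garbage = b"ENCRYPTED-BY-RANSOMWARE"
    if use_object_lock:
        locked = LockedBucket(default_retention=timedelta(days=30))
        vid = locked.put("ehr/backup.tar", original, now)
        locked.put("ehr/backup.tar", garbage, now + timedelta(hours=1))  # adds a version only
        return locked.get("ehr/backup.tar", vid) == original
    plain = PlainBucket()
    plain.put("ehr/backup.tar", original)
    plain.put("ehr/backup.tar", garbage)  # the only copy is now gone
    return plain.get("ehr/backup.tar") == original


def lock_checks() -> Dict[str, bool]:
    """Exercise the retention rules; every value should come back True."""
    now = datetime(2021, 5, 20, tzinfo=timezone.utc)
    b = LockedBucket(default_retention=timedelta(days=30))
    vid = b.put("ehr/backup.tar", b"backup", now)
    results: Dict[str, bool] = {}
    try:
        b.delete_version("ehr/backup.tar", vid, now + timedelta(days=1))
        results["delete_refused_during_retention"] = False
    except ObjectLockedError:
        results["delete_refused_during_retention"] = True
    try:
        b.set_retention("ehr/backup.tar", vid, now + timedelta(days=1))
        results["retention_cannot_be_shortened"] = False
    except ObjectLockedError:
        results["retention_cannot_be_shortened"] = True
    b.set_retention("ehr/backup.tar", vid, now + timedelta(days=60))   # extending is allowed
    b.delete_version("ehr/backup.tar", vid, now + timedelta(days=61))  # expired: delete succeeds
    results["delete_allowed_after_expiry"] = True
    return results
```

The practical point is in `backup_survives_overwrite`: with retention in force, the credentials a backup job uses are sufficient to add versions but never to remove or replace one, so an attacker who captures those credentials cannot take the backups with them. Choosing the retention window is the operational decision; it must be at least as long as the time the organization needs to notice an intrusion and start a restore.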

Ransomware isn’t going away, as attacks continue to increase. Before the COVID pandemic, cybercriminals had already begun to target the healthcare sector – they knew that healthcare providers prioritize patient care and assumed these providers would be more likely to pay ransom as a result. With the coronavirus outbreak, the industry is under much greater pressure, and ransomware gangs have capitalized by significantly stepping up their attacks. Fortunately, with Object Lock-enabled storage, we have the means to eliminate ransom payments and thereby stop these attacks for good. 


About Gary Ogasawara

Gary Ogasawara is Cloudian’s Chief Technology Officer, responsible for setting the company’s long-term technology vision and direction. Before assuming this role, he was Cloudian’s founding engineering leader. Prior to Cloudian, Gary led the Engineering team at eCentives, a search engine company. He also led the development of real-time commerce and advertising systems at Inktomi, an Internet infrastructure company. Gary holds a Ph.D. in Computer Science from the University of California at Berkeley, specializing in uncertainty reasoning and machine learning.

Death by Ransomware: Poor Healthcare Cybersecurity
https://hitconsultant.net/2021/01/05/death-by-ransomware-healthcare-cybersecurity/ (Tue, 05 Jan 2021)
Babur Khan, Technical Marketing Engineer at A10 Networks

If hackers attack your organization and you’re in an industry such as financial services, engineering, or manufacturing, your risks are mostly monetary. But when it comes to healthcare cybersecurity, not only is there significant financial jeopardy, people’s health and wellbeing are also at risk, so the stakes are much, much higher.

According to the Department of Health and Human Services, there has been an almost 50 percent increase in healthcare cybersecurity data breaches between February and May 2020 compared to 2019. This is thought to be a result of the COVID-19 pandemic distracting the industry due to the sweeping changes required, putting extra pressure on already inadequate healthcare cybersecurity measures. 

Why Are Hackers Attacking Healthcare?

If there’s one thing hackers like, it’s a target that’s “soft,” and large, complex organizations in industries that have been slow to adopt and then secure digital technologies are precisely that: soft targets. These organizations usually have broad and mostly poorly defended “attack surfaces,” which provide hackers with many routes to enter and through which they can not only exfiltrate data but also compromise services and hardware.

Healthcare, in general, is one of the most visible and softest targets. Successful hospital cyber-attacks usually cause significant disruption of patient data and routine workflows such as scheduling patient medication, resources management, and other essential services. These hospital cyber-attacks can easily result in what is euphemistically called in healthcare “bad outcomes” … these “bad outcomes” include injury and death.

How Does Healthcare Think About Cyber Risks?

A study by the security consulting firm Independent Security Evaluators concluded:

One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective … In summary, we find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.

The report argues that protecting patient records has been the main focus of healthcare cybersecurity planning, and that organizations often view threat actors as “unsophisticated adversaries” such as individual hackers and small hacker collaborations. ISE argues that this framework ignores the potential for far more sophisticated hospital cyber-attacks from political hacktivist groups, organized crime, terrorists, and nation-states, all of which are highly motivated and well-funded: “As a result, a multitude of attack surfaces are left unprotected, and attack strategies that could result in harm to a patient are not considered.”

The Universal Health Service Hospital Cyber-attacks

In September 2020, Universal Health Services, a hospital and health care network with more than 400 facilities across the United States, Puerto Rico, and the United Kingdom, found itself under attack by the Russian “Ryuk” ransomware. This wasn’t the first hospital cyber-attack on UHS. Security firm Advanced Intel’s Andariel intelligence platform reported that trojan malware had infected Universal Health Services systems throughout 2020.

UHS has not officially confirmed the details of the attack but reports by UHS employees indicate the attack was the result of a successful phishing expedition. The attack disabled computers and phone systems and forced the hospitals to revert to using paper-based systems to continue operations. Affected network hospitals also had to redirect ambulances and move surgical patients to other unaffected facilities.

As is usually the case with large, complex organizations, cleaning up and restoring the systems was neither simple nor quick. A UHS press release on October 12, 2020, announced: “… we have had no indication that any patient or employee data was accessed, copied or misused.” It also stated that operations were mostly back to normal after a total of 16 days. Given that downtime from enterprise security breaches costs upwards of $1,000,000 per day, this attack will have dealt a serious blow to UHS’ bottom line. Whether UHS paid the ransom is not known.

Cyber Attacks and Murder

When a cyberattack happens to any organization, there are always consequences, but when healthcare ransomware is involved there’s a real risk of loss of life. In the case of UHS, there were unconfirmed rumors of four patients dying because doctors had to wait for lab results delivered by couriers instead of electronically. While those, so far, appear to be just rumors, there is one known case of a patient dying directly because of a hospital ransomware attack.

The University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack on September 10, 2020. The attackers exploited a vulnerability in the Citrix ADC that had been known since January, but the hospital, unfortunately, had not yet applied the fix.

As a result of the attack, the hospital immediately announced that “The UKD has deregistered from emergency care. Planned and outpatient treatments will also not take place and will be postponed. Patients are therefore asked not to visit the UKD – even if an appointment has been made” and patients were routed to alternative medical facilities.

The demand note delivered by the hospital ransomware showed that the intended target was not in fact the University Hospital Düsseldorf but rather Heinrich Heine University. The German police contacted the hackers via the instructions in the ransom note dropped by the malware and explained the mistake after which the hackers withdrew their demand and provided the decryption key.

Unfortunately, one patient with a life-threatening illness was diverted to a distant hospital after UKD was deregistered as an emergency care facility. The additional hour’s travel may have been the cause of the patient’s death. On September 18, 2020, German prosecutors launched an official negligent homicide investigation which, if confirmed, would make the patient’s death the first known case of death by hacking.

Protect Critical Systems from Malware

The key to defending your systems from malware and phishing is monitoring and examining all network communications. Now that encryption is becoming the norm for all internet communications, looking “inside” of message streams requires new approaches and technologies so that embedded threats are caught and handled before they can escalate into disasters.


About Babur Nawaz Khan
Babur Nawaz Khan is a Technical Marketing Engineer at A10 Networks, a leading provider of secure application services and solutions. He primarily focuses on A10’s Enterprise Security and DDoS Protection solutions and holds a master’s degree in Computer Science from the University of Maryland, Baltimore County.


Hackers in Healthcare: What Damage Could They Do With Your Medical Data?
https://hitconsultant.net/2019/03/05/hackers-in-healthcare-medical-data/ (Tue, 05 Mar 2019)

Conversa Health’s Scott Anderson provides a brief take on the state of data security in healthcare.

The wave that is big-data doesn’t appear to be cresting in healthcare anytime soon, and unfortunately, neither are the threats waged against it. Hijacking and hacking into personal health information (PHI) has become a growing trend that’s here to stay. So, the question remains: what should be done about it?

The last couple of years have unveiled a fair share of data breaches in healthcare: in 2017, more than 45 percent of ransomware attacks were on healthcare organizations, according to a study conducted by Beazley, a global cybersecurity company.

Last year, we saw many health organizations, including Allscripts, CMS, and Blue Cross, fall victim to phishing scams, breaches, and ransomware attacks. As a result, cybersecurity spending is expected to exceed $65B over the next five years, and the tactics of thieves are only getting more sophisticated: ever heard of cryptomining? You will.

As PHI continues to multiply and mobilize in the form of telemedicine devices, wearables, and cloud-based clinical and AI-driven platforms, are there enough solutions out there to protect the groundswell of virtual vulnerability? Yes, according to Conversa Health’s Scott Anderson.

Anderson, the CTO of the San Rafael, Calif.-based provider of automated digital health conversations between patients and providers, shared his thoughts on the state of cybersecurity in healthcare, along with the worst-case hacker scenarios and the best tactical approaches to keeping the threats at bay.

Q

Given the fast pace of technology in healthcare right now, do you think tech companies are offering robust solutions that are keeping patients safe in terms of data privacy?

I do.  While I can certainly see the acceleration in the rate of adoption of new technology, it’s still an ecosystem that runs on quarterly releases.  Relative to the rest of the technology industry, that’s still a glacial rate of change, and much of that is driven by fear; primarily, the fear of making that one change that brings about a disastrous regression.  If we accept that mitigating regression risk is a critical factor in security, let’s minimize the risk by reducing the amount of change introduced to the system, by shipping software with more frequency. It’s not quite that simple, but it’s the truth.

Q

Let’s talk hypothetically: What are some of the worst-case scenarios that can occur when it comes to breaches that affect patient data?

Employment is the one that could wind up as the most relevant. While it’s illegal under the ADA to ask about disabilities or medical conditions during the interview process, nothing is stopping a company from using data it has obtained for that purpose.  Of course, profiling based on data is already currently in use as a means of projecting future health care needs based on medical records and changes to prescriptions.  A health data breach has the potential to be far more insidious than a PII breach—we can monitor credit records and look for abuses, but the fear that your medical past might be used against you when you are under no legal obligation to disclose personal information, nobody wants that.

Q

At Conversa, your solution interfaces with a lot of different sources of data and PHI, like EHRs. How did your company approach the issue of data security when creating the conversation platform, and what did you learn about providing a secure platform along the way?

Our primary approach is to consider security events a matter of “when” and not “if.”  Attempts will be made, and therefore any potential flaw in our security is the company’s number one priority. We continuously monitor our software and cloud configurations for anything that might constitute a risk, from the accessibility of cloud infrastructure to code that introduces potential script attack vectors. Issues found using this process supersede any other work in priority. Therefore, it is paramount that we reduce the occurrence of these issues, so that the team can focus on innovation and moving our company forward. Shifting the perspective in that way changed the culture.

Q

There have been serious data breaches in healthcare over the last several years, and hackers keep finding new ways to compromise data. How does the healthcare industry as a whole protect itself, especially as it rapidly adopts new technologies: What can provider organizations do? What should companies that provide interfacing technologies do? Furthermore, what can patients do to play a part in protecting their data?

First off, in my experience, provider organizations are already doing a good job of wrapping their heads around the idea that new technology and innovation coming from small teams like Conversa requires some acceptance. Specifically, smaller, newer companies can move fast because they are typically unburdened with the cumbersome processes and bureaucracy that naturally develop as large businesses become enterprise companies. If I asked anything of provider organizations moving forward, it would be to form an approved, internal plan for how to map their nimble technology partners into their heavyweight systems.

For technology partners, accept that enterprise systems view your technology with extreme skepticism, and therefore you have an opportunity and a responsibility to lead with security. Ensure that you are building within your team culture a sense of ownership around security—relegating security to a single team or owner will guarantee that gaps exist between the silos.

Finally, patients can protect themselves with similar approaches to those companies use internally: have high expectations of the health systems that serve you, but don’t give them all the responsibility; use strong passwords and use a password manager; keep virus and malware scanners active and up to date; be wary of emails requesting information, which no company that cares about your information would send you.

Q

Given the challenges in the industry, where do you see the issue of security in healthcare over the next five years? What do you think needs to be put in place to ensure that data security is less susceptible to breaches or ransomware attacks? Does it need to go beyond creating HIPAA compliant solutions?

With the current models for compliance verification and certification, it is cost-prohibitive for smaller companies to engage with auditors.  Working with small companies as well as auditing companies and large systems, let’s find a way to create an incremental certification that scales with companies, and sets milestones along the growth curve.

How data is stored and subsequently used in both de-identified and aggregate forms needs scrutiny. The rise of data-driven, algorithm-based software platforms that make decisions for us (and about us!) requires deep thinking about the impact of those platforms beyond innovation for its own sake.

Q

What’s the essential message here for our readers when it comes to the subject of data security in healthcare?

Small companies and startups have the potential to move healthcare forward faster than ever before, and they can do so in a manner that has the potential to be more secure than their larger counterparts.  Continuous deployment and monitoring minimize change while requiring engineering and operations to work hand in hand, eliminating the silos that create risk, not to mention eliminating the cultural barriers between development and ops that can create “us vs. them” mentalities in the workplace. 

Bio:
Scott Anderson is the CTO of Conversa Health, an intelligent Patient Relationship Management (PRM) platform that allows doctors to deliver continuous, personalized care. Prior to this role, he was the director of engineering at WalmartLabs.

Protecting Medical Device Security in the Age of Ransomware
https://hitconsultant.net/2018/06/25/medical-device-ransomeware/ (Mon, 25 Jun 2018)

From medication pumps to pacemakers, people depend on lifesaving devices to live their healthiest possible lives and manage chronic ailments. Many of those patients likely hear about cybercriminals orchestrating massive data breaches, and might get concerned about one of those incidents compromising their information.

However, they probably haven’t considered the hackers might target the devices in their bodies or the ones they otherwise use for better well-being.

Hospitals Must Pay Attention to Device Monitoring and Security Strategies

Today’s healthcare facilities are becoming increasingly connected. Statistics indicate that for every bed in a United States-based hospital, there is an average of 10 to 15 connected devices. Although those aren’t usually inside patients’ bodies, they continually collect sensitive information and transmit it to staff members.

It’s critical for hospital management teams to weigh the clinical benefits against the possible risks of using those devices. Then, they must devise and implement methods to monitor those devices and keep them secured.

Device Testing Is Essential

A 2017 study by the Ponemon Institute found most health organizations and device manufacturers polled believed a device they used or manufactured would be attacked within the next year. However, 53 percent of healthcare facilities and 43 percent of manufacturers do not carry out any tests on these devices.

Regular and methodical testing of medical devices helps people spot issues before they become significant problems. Having a proactive attitude about tests could help prevent product recalls or patient complications.

Experts in the field of healthcare device security found most hospitals could not tell when simulated attacks occurred on medical pumps.

Health facilities must not merely trust that the devices they use for patients are safe and uncompromised. Ongoing testing gives them the evidence needed to feel confident for a good reason, instead of making assumptions based on implicit trust.

Hospitals Could Show Preference to Cybersecurity-Minded Manufacturers

The Food and Drug Administration has issued guidance calling on manufacturers to consider cybersecurity threats when designing medical devices. That’s a step in the right direction, but it’s important to realize the FDA material consists only of guidelines.

That means manufacturers have no legal obligation to implement them. Some analysts say the guidelines may at least give device makers a framework. However, only 51 percent of device makers abide by the FDA guidelines.

When choosing which manufacturers to work with when taking care of supply needs or experimenting with new devices, hospital administrators can show an intention to purchase medical devices responsibly by explicitly asking manufacturing representatives whether they are committed to cybersecurity. People at a healthcare organization responsible for medical device purchases show preferences in other ways, such as by insisting on electroplated or gold-plated items that offer advantages such as corrosion resistance and electrical conductivity.

If they also begin making it clear they only want to enter into supply contracts with manufacturers that prioritize cybersecurity, that decision could have a ripple effect that sets a good example.

Critical Thinking and Updated Knowledge Are Critical Cybersecurity Aspects

The likelihood of medical devices being affected by ransomware or other attacks doesn’t seem to be on the radar of many healthcare professionals. However, researchers who studied extensively, in the United States and India, what could happen if medical devices were compromised reached sobering conclusions.

For example, they say a hacker could infiltrate a medical device that dispenses medication inside a patient and make it give a fatal dosage. In other cases, a hacked device could provide physicians with the wrong information, such as by directing them to use an AED on a patient with a normal heart rhythm.

Forward-thinking health practitioners who work with medical devices should take it upon themselves to think outside the box when pondering potential cybersecurity risks with the equipment. It’s also useful for them to consciously look for current news about cybersecurity threats in the health sector and remain aware of them.

Traditional Cybersecurity Approaches Are Not Sufficient

Internet-connected devices at hospitals around the world require a dedicated and unique approach to cybersecurity. In other words, the IT professionals working at those facilities cannot necessarily use the same general strategies for securing those devices as they do when locking down their networks.

Unfortunately, though, many are doing just that. Statistics published in a 2017 survey by ZingBox revealed more than 70 percent of IT decision-makers in healthcare who responded believed they could use traditional security strategies to secure connected medical devices.

Granted, there are substantial challenges to keeping some medical devices locked down, but they are not impossible to tackle. Taking medical device security seriously means understanding what’s required to achieve that goal. One obstacle to overcome is the fact that the area of medical device security is still emerging, and there is not always a consensus for how to address it.

Machine learning platforms that use automation to spot security issues are available, but they haven’t become widespread in the health field yet.  

Better Security for Medical Devices Is a Collective Effort

Besides remaining aware of these tips, healthcare professionals must realize improving security of medical devices is everyone’s responsibility — not something hospitals or manufacturers must deal with alone.


Kayla Matthews is a health IT and medtech writer whose work has appeared on VentureBeat, The Week, Contagion Live and BioMed Central. To read more posts by Kayla, follow her on Twitter or at ProductivityBytes.com.

Healthcare Cyber Hygiene: 5 Best Practices to Protect Patient Data
https://hitconsultant.net/2018/02/19/healthcare-cyberhygiene-patient-data/ (Mon, 19 Feb 2018)
[Infographic: History of Security Data Breaches in Healthcare]

Hospital-acquired infections and data breaches may have vastly different causes, but they have one thing in common—they put healthcare organizations and patients at risk. The “pathogens” which cause data breaches originate both externally and internally—but practicing healthcare cyber hygiene can reduce or eliminate their “infection.”

Patient data has high value—to others. According to Verizon’s 2017 Data Breach Investigations Report, healthcare has the second highest number of breaches after financial services. PHI (protected health information) and PII (personally identifiable information) such as Social Security number, healthcare ID number, address, date of birth, and payment data can be worth millions on the ‘dark web’. In their 2017 study, IBM Security and Ponemon Institute estimated the cost of one breached healthcare record at $380, the highest among US industries. An earlier Ponemon study estimated the total annual cost of data breaches in healthcare to be $6.2 billion.

Data breaches and cyberattacks designed to gain information or dump it on the ‘dark web’ put healthcare organizations at financial and operational risk. An external cyberattack or DDoS initiated through brute force, phishing, malware that steals legitimate access credentials, or Locky/Petya-type ransomware that shuts down systems can limit patient care by taking down EHRs, patient portals, and business processes such as billing and payments. Insider breaches due to theft, equipment loss, snooping, and errors may not be as obvious, but historically they have led in the number of breach incidents. They can compromise systems and go on for years (14, in the case of Tewksbury Hospital in Massachusetts).

The financial aftermath of a breach can cost millions more in investigations, settlements, remediation, restoration, and substantial fines. Anthem paid a record $115 million to settle lawsuits over the 2015 breach of 78 million records. The Office of Civil Rights-Health & Human Services (OCR-HHS), responsible for Federal privacy and security enforcement under HIPAA, has increased its activities, recently fining a Denver FQHC $400,000 for security noncompliance. Not securing data also means difficulty in meeting quality care and national performance standards in value-based care, such as the Quality Payment Program required by MACRA and the Medicare Shared Savings Program (MSSP) for ACOs.

Protect patient data through healthcare cyber hygiene. Just as clinicians work ceaselessly to prevent hospital-acquired infections, CISOs, CIOs and healthcare IT departments must dedicate themselves to cyber hygiene—a series of best practices for protecting sensitive data. No matter what type of healthcare or related organization you work in—a large research hospital, clinic, regional medical center, insurance company, or a provider of business or clinical/CRO services—the data you work with must be protected. The five best practices that follow are a start:

1. Train employees

Technical, administrative, and clinical staff are the first line of defense in everyday cyber hygiene. They must understand the importance of practices such as never sharing passwords; securing hardware from theft; avoiding the use of default passwords and system configurations; changing passwords regularly; patching systems to remain current; learning to spot suspicious emails; and not clicking on embedded email links or attachments. Continuing education should not only ensure that best practices are followed, but also adapt its content and approach as the threat landscape changes.

2. Encrypt data

Data should be encrypted both in transit, over the network or in email, and while stored, using Transport Layer Security (TLS) 1.2 or higher and AES-256 or stronger. Data encryption protects against attackers who manage to breach other defenses and against man-in-the-middle attacks, in which a malicious actor intercepts communications to gain access to sensitive data.

3. Back up everything

Data backups are crucial to combat aggressive ransomware attacks. The only way to return systems and devices to normal after a successful ransomware attack is to restore from a clean backup. Back up business, medical, device, email and other data on a regular schedule, and keep backups in multiple physical locations.
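Restoring from a backup only helps if the backup itself is clean: a ransomware operator who reaches the backup share can encrypt or delete the copies before the outage is noticed. The following script, added here as an illustration and not from the article or any backup product (the manifest format and the off-host key handling are assumptions), records a SHA-256 digest for every file at backup time, authenticates that manifest with an HMAC key kept away from the backup host, and refuses to treat a set as restorable if any file or the manifest itself has changed:

```python
"""Backup-set integrity check. Added example; manifest layout and key
handling are assumptions, not any product's format."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Any, Dict


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> bytes:
    """Hash every file under backup_dir and sign the listing with HMAC-SHA256.
    The key must live somewhere the backup host cannot write to."""
    entries = {str(p.relative_to(backup_dir)): _sha256(p)
               for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": entries, "hmac": tag}).encode()


def verify_backup(backup_dir: Path, manifest: bytes, key: bytes) -> Dict[str, Any]:
    """Return which files are missing or modified relative to the manifest.
    A manifest whose HMAC does not verify is reported as tampered outright."""
    doc = json.loads(manifest)
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        return {"manifest_tampered": True, "modified": [], "missing": []}
    modified, missing = [], []
    for rel, digest in doc["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif _sha256(p) != digest:
            modified.append(rel)
    return {"manifest_tampered": False, "modified": sorted(modified), "missing": sorted(missing)}


def demo() -> Dict[str, Dict[str, Any]]:
    """Build a constructed backup set, verify it clean, then simulate ransomware
    touching the set and a forged manifest, and verify again."""
    key = b"constructed-demo-key-kept-off-the-backup-host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "ehr" / "patients.db").write_bytes(b"constructed patient database")
        (root / "ehr" / "schedule.csv").write_bytes(b"constructed schedule export")
        (root / "billing.dat").write_bytes(b"constructed billing records")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulated damage: one file encrypted in place, one deleted.
        (root / "ehr" / "patients.db").write_bytes(b"\x00\x00ENCRYPTED")
        (root / "billing.dat").unlink()
        damaged = verify_backup(root, manifest, key)

        # Simulated cover-up: attacker edits the manifest to match the encrypted file.
        doc = json.loads(manifest)
        doc["files"]["ehr/patients.db"] = _sha256(root / "ehr" / "patients.db")
        forged = verify_backup(root, json.dumps(doc).encode(), key)
    return {"clean": clean, "damaged": damaged, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check belongs in the restore runbook, not only at backup time: run `verify_backup` against the copy you intend to restore from, and fall back to an older or off-site copy if it reports modified or missing files. The HMAC only means anything if the key is not reachable from the host that writes the backups, which is why the example labels it as held off-host.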

4. Perform regular scanning of devices and applications

Healthcare organizations must regularly scan their networks, workstations, mobile devices, and applications against known vulnerabilities. Cyberattacks can enter through an organization’s network, wireless network, applications, devices and the physical environment itself. Unlike an enterprise into which only badged personnel or approved visitors can enter, anyone can walk into a hospital. Visitors can easily hear a conversation while standing in line, look over materials sitting out in the open, and secretively plug a USB device into a wheeled nurse’s cart or another accessible device. High risk also is associated with any unsecured text, chat and email messages that the organization sends patients on their mobile devices.

5. Conduct regular threat modeling and penetration testing

Threat modeling and penetration testing describe the threats the organization currently faces and show how an attacker could target it. Threat modeling identifies the assets, entry points and trust boundaries across networks, applications and devices; penetration testing then confirms which of the resulting weaknesses can actually be exploited. Done regularly, the combination lets an organization prioritize and remediate the weaknesses that matter.

Good cyber hygiene cannot guarantee that breaches will not happen, but it can ensure that they do not become disasters. No system is perfect, equipment can be stolen from the most secure facility, and attackers are endlessly inventive, as the WannaCry and Petya/NotPetya outbreaks proved worldwide. By implementing these practices and continually upgrading their IT systems to meet emerging threats, healthcare and related organizations will significantly improve their security posture without compromising services for patients and their families, and will benefit financially as well.

Saurabh Harit is a managing security consultant at Spirent Communications’ SecurityLabs unit where he is responsible for delivering penetration testing services to Spirent clients across the globe.

4 Leading Health IT Trends That Will Continue in 2018 (https://hitconsultant.net/2017/12/22/health-it-trends-2018/, Fri, 22 Dec 2017)

Several notable trends from 2017 will continue to impact the health information technology (HIT) industry in the new year. Ransomware tops the list, particularly after this May’s WannaCry worldwide cyberattack, followed closely by increased awareness of electronic prescribing of controlled substances (EPCS) as an “upstream solution” to battling the nation’s mounting opioid abuse crisis.

Beyond the ongoing development of these two leading trends, HIT experts are also asking two key questions as we close out the year: how do we get to interoperability in healthcare?; and, how do we improve the patient experience?

As we round the corner to the new year, it’s worth looking at these and other 2017 highlights to see what we should expect in 2018. 

1. Ransomware: a new breed of healthcare hack

Healthcare fell victim to more than 330 data breaches this year –  nearly one per day. Large-scale ransomware attacks like WannaCry, which hit 112 countries, struck the industry with a scary new reality: hackers will find a way in and – regardless of safeguards taken — hospitals will get hit.   

Most hospitals have finally recognized what has been universally acknowledged; while they can educate staff and reduce the incidence rate, there’s ultimately little they can do to completely eliminate all the risk and prevent user error and susceptibility to phishing attacks. Indeed, smart hospitals now anticipate that their systems will get compromised at some point.

The well-prepared hospitals build resiliency around their users and core and critical systems, and focus beyond keeping the bad guys out. Instead of just patching, they devote priority resources to keeping their systems operational, or rapidly restoring after an outage. 

It’s unlikely that we’ll see fewer cyberattacks in 2018, so the only way we can beat the hackers at their own game is to remain focused on resilience and rapid recovery. The quicker hospitals can get back up and running, the less impact hackers can have.

It’s worth noting that, on this latter point of resiliency, the technology currently exists to support this design. In fact, the same technology offers multiple incremental benefits to healthcare informatics, providing improved ROI. Virtual desktop infrastructure (VDI), for example, is virtualization technology that runs the desktop system (OS and applications) on a centralized server in a data center. This design is well proven and broadly supported by various vendors. Moreover, it delivers reduced operational complexity and cost, and has the added benefit of resilience with rapid restoration of services. This is a win-win-win. 

2. Technology as a champion in the battle against opioid abuse

The opioid epidemic grew in 2017, killing an estimated 90 people per day in the U.S. The rest of the world faces the same issue, with varying degrees of social impact. Also growing is the understanding that technology can play a key role in combatting the opioid epidemic. Indeed, both regulators and providers embraced EPCS as a central tool in the fight against opioid abuse. 

We saw an increasing awareness that DEA regulations for EPCS in present form need revision. Perhaps most notably, The Commission on Combating Drug Addiction and the Opioid Crisis provided formal EPCS recommendations to President Trump in November, giving EPCS regulatory momentum that is matched by state and federal legislation to enact EPCS mandates.

At the end of 2017, EPCS has been mandated through legislation in six states – New York, Maine, Connecticut, Rhode Island, Virginia, and North Carolina – and several additional states are considering similar laws. This legislative momentum will continue into 2018, as EPCS appears in bills already introduced in New Jersey, Massachusetts, Texas, Pennsylvania, and North Carolina – and more states are expected to follow.

In addition, 2017 was the year that the U.S. Congress introduced federal legislation mandating the use of EPCS nationally for the Medicare Part D program. We’re likely to see more such movement in the coming year, and technology has a key role to play in this battle. 

This is because technology now enables the delivery of prescriptions in a trusted, secure, compliant, and truly efficient manner. Efficiency is not to be under-estimated, as the intersection of all preceding factors is crucial to broad adoption. If technology only solved the compliance and security aspects while ignoring provider workflow and efficiency, for example, we would see increased frustration on the added workload, and potentially lower adoption.

3. The long road to interoperability

We have a long…long…way to go before achieving interoperability in healthcare, but 2017 was a good year for foundation-building in this critical area. One of the challenges is that, under our current HIT regime, we build technology for our customers the same way we tackle home improvement projects after a trip to the local building supply store.

That is, we think up a rough design, polish it up, and then proceed to purchase a bunch of materials. We finalize by going home and building the final product on the location where it will reside. 

This model ignores the need for precise integration and interoperability, exposing multiple weaknesses and points of failure. It is analogous to the networking industry of the 1980s and 90s, when customers would buy products from small and large vendors and expect them to work together.

Instead, of course, customers regularly encountered troublesome and unpredictable issues, with elevated costs, extended timelines and reduced reliability. To address that disconnect, IEEE and other interoperability standards were established to define layers 1 and 2 of the OSI model (the physical and data link layers) precisely.

This push also included formation of interoperability labs and forums, like Interop, so vendors could test, validate, and resolve problems before shipping to the customer. This allowed vendors to ship products and components that, when plugged in, would reliably work together. By the late 1990s it was rare to encounter interoperability issues at layers 1 and 2, and the industry moved on to focusing on layers 3 and above.

We don’t have that yet for HIT systems – but 2017 showed good progress in getting closer. Indeed, both HIMSS and CHIME took substantive steps recently to advance the successful exchange and re-use of health information. These bodies, along with leading organizations like CommonWell Health Alliance, as well as the leading EHR vendors (Epic, Cerner, Meditech, and others) will be indispensable parts of the interoperability solutions in 2018 and going forward.

We are on our way to a truly connected healthcare delivery system in which mobile patients and their records go back and forth from one care setting to another. Perhaps by the end of 2018 we’ll outgrow the “Home Depot effect” and at least operate more like Ikea, where all of the pieces our customers need are packaged together in one box.

4. The patient as a consumer  

The line between patients and consumers became very blurred in 2017. Healthcare has historically viewed people as patients, but today’s patients are more knowledgeable and outspoken about how they want their healthcare experience delivered. 

Millennials, for example, are tech-savvy – but we’re asking them to register and schedule healthcare appointments through analog methods and processes. We’re basically providing them service that was outdated in the 1990s. Moving into 2018, the healthcare industry must pivot – similar to the way airlines did to change their customer experience. Instead of asking people to stand in line to check-in with an agent, airlines gave customers easy-to-use kiosks in front of service desks. Perhaps a question we need to answer in the coming year is: how do we give patients an “airline check-in” experience? 

In 2017, healthcare organizations also struggled with getting patients to adopt the use of patient portals. While portals should simplify the patient experience (by centralizing access to medical records, online bill pay, and appointment scheduling), in reality the lack of interoperability between EHRs actually makes it impossible for patients to access all of the necessary information in one place. Instead, patients must access one portal for medical records and another to pay their bills – without one portal actually linking to the patient’s insurance information. 

This experience is so clunky (and rarely mobile-friendly) that patients abandon it altogether. In 2018, we have to figure out how to give patients central access to everything they need. Two candidates are high-assurance digital identity combined with single sign-on, which could centralize access to patient data, and the employer-driven portals some start-ups are developing, which link employee benefit information to billing and medical records.

As an industry, we need to value our patients’ insight as consumers so we can deliver a better experience, and indeed many institutions have recognized and are acting on this dimension.

These are the key trends that drove the HIT industry in 2017, and that we can expect to continue as we head into 2018. Not all of these important trends will reach their optimal conclusion in 2018 – some might enjoy continued progress without fully being realized. But we can reliably look to these as substantive areas to watch as we start 2018.

Gus Malezis is the President and Chief Executive Officer of Imprivata, a healthcare information technology security company that enables healthcare to access, communicate, and transact patient information, securely and conveniently.  

Survey: 4 in 5 Physicians Experienced Cyberattacks In Their Clinical Practices (https://hitconsultant.net/2017/12/12/physicians-cyberattacks-clinical-practices/, Tue, 12 Dec 2017)

More than four in five U.S. physicians (83 percent) have experienced some form of a cybersecurity attack, according to new research released today by Accenture and the American Medical Association (AMA). The key findings reveal physicians see need for the healthcare industry to increase cybersecurity support for medical practices in their communities. More than half (55 percent) of the physicians were very or extremely concerned about future cyberattacks in their practice. In addition, physicians were most concerned that future attacks could interrupt their clinical practices (cited by 74 percent), compromise the security of patient records (74 percent) or impact patient safety (53 percent).

Conducted between July 2017 and August 2017, Accenture and the American Medical Association (AMA) surveyed 1,300 physicians in the United States to assess their experience and attitudes toward cybersecurity, data management and compliance with the Health Insurance Portability and Accountability Act (HIPAA) guidelines. The findings show the most common type of cyberattack was phishing—cited by more than half (55 percent) of physicians who experienced an attack—followed by computer viruses (48 percent). Physicians from medium and large practices were twice as likely as those in small practices to experience these types of attacks.

Nearly two-thirds (64 percent) of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third (29 percent) of physicians in medium-sized practices that experienced a cyberattack said they experienced nearly a full day of downtime.

In addition, the vast majority (85 percent) of physicians believe it is very or extremely important to share personal health data outside of their health system—they just want to do it safely. Two-thirds believe that greater access to patient data both inside (cited by 67 percent) and outside (65 percent) their health system would help them provide quality patient care more efficiently. In addition, a significant majority (83 percent) of physicians said that HIPAA compliance alone is insufficient and that a more holistic approach to assessing and prioritizing risks is needed.

“The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety,” said AMA President David O. Barbe, M.D., M.H.A., in a statement. “New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentiality and integrity of health care data.”

Ransomware Tops ECRI Institute’s 2018 Top 10 Health Technology Hazards List (https://hitconsultant.net/2017/11/10/2018-ecrihealth-technology-hazards/, Fri, 10 Nov 2017)

Ransomware and other cybersecurity threats to healthcare delivery top ECRI Institute’s Top 10 Health Technology Hazards for 2018 list. Ransomware attacks are potential patient safety crises: they can disrupt healthcare delivery operations and place patients at risk. Ransomware attacks can lead to canceled procedures and altered workflows (e.g., reverting to paper records). They can also damage equipment and systems, expose sensitive data, and force closures of entire care units. Ultimately, they can compromise or delay patient care, leading to patient harm.

The annual report identifies the potential sources of danger involving medical devices and other health technologies that ECRI believes warrant the greatest attention for the coming year. The guidance that accompanies each hazard provides practical strategies for reducing risks, establishing priorities, and enacting solutions.

To develop the annual list, ECRI Institute’s multidisciplinary staff of engineers, scientists, nurses, physicians, and safety analysts draws on the resources of the Institute’s 50-year history, as well as expertise and insight gained through testing and analyzing healthcare technologies. Topics on the list are selected by weighing factors such as the severity, frequency, breadth, insidiousness, and profile of the hazard. Additionally, all the hazards selected can, at least to some degree, be prevented by implementing appropriate measures.

Here is a look at Top 10 Health Technology Hazards for 2018:

1. Ransomware and Other Cybersecurity Threats to Healthcare Delivery Can Endanger Patients

2. Endoscope Reprocessing Failures Continue to Expose Patients to Infection Risk

3. Mattresses and Covers May Be Infected by Body Fluids and Microbiological Contaminants

4. Missed Alarms May Result from Inappropriately Configured Secondary Notification Devices and Systems

5. Improper Cleaning May Cause Device Malfunctions, Equipment Failures, and Potential for Patient Injury

6. Unholstered Electrosurgical Active Electrodes Can Lead to Patient Burns

7. Inadequate Use of Digital Imaging Tools May Lead to Unnecessary Radiation Exposure

8. Workarounds Can Negate the Safety Advantages of Bar-Coded Medication Administration Systems

9. Flaws in Medical Device Networking Can Lead to Delayed or Inappropriate Care

10. Slow Adoption of Safer Enteral Feeding Connectors Leaves Patients at Risk

Why It’s Time for Hospitals to Become Immune to Ransomware (https://hitconsultant.net/2017/06/19/hospitals-malware-phishing/, Mon, 19 Jun 2017)

Editor’s Note: Greg Maudsley is a cyber security expert at Menlo Security, a Silicon Valley-based  cyber security company that protects organizations from cyber attack by eliminating the threat of malware.

Hospitals and other healthcare organizations (HCOs) are increasingly singled out by cyber criminals for ransomware and other attacks. The targets are not only patients’ sensitive records but, as the FBI warns, the organizations’ intellectual property and payment card data. The primary reasons HCOs are vulnerable are outdated security architectures and an overall shortage of IT security expertise. Isolation technology offers an alternative to traditional detection-based security: it aims to prevent malware and phishing attacks rather than treat them after the fact.

Why are HCOs Susceptible?

The majority of today’s healthcare-targeted attacks, such as ransomware, are motivated by financial gain rather than simple notoriety. Cybercriminals will always target the organizations with the weakest defenses and the most valuable data. Few industries are as dependent on data and information as healthcare; without patient records, a hospital cannot operate.

Hospitals pose a relatively easy target due to the high number of network ingress and egress points, which translate into attack vectors. Workers routinely access critical information from multiple, often unsecured, devices or networks, which renders a perimeter-based security architecture irrelevant.

Compounding the issue, staff at medical institutions often lack essential IT security knowledge because tight budgets make it difficult for hospitals to afford IT professionals with strong security backgrounds. As a result, many hospitals fail to conduct the regular security audits required to keep them safe from attacks. In essence, they are playing a perpetual game of catch-up. 

Related: 5 Lessons Learned From The WannaCry Ransomware Attacks for Hospitals

The Doctor Has Become Patient-Zero

In medical terms, patient zero is loosely defined as the first human infected in a new or recently discovered viral or bacterial outbreak. The term has found its way into the IT security lexicon, where its counterpart is the first individual infected by a new malware strain, or the first victim of a phishing campaign. Picture a single individual who is infected and becomes contagious, comes into contact with others who also become contagious, and who in turn infect many more.

The illness spreads exponentially until medical experts are able to cure the disease or limit its propagation. This can take months or years, because even with the luxury of modern medical science, infectious diseases are difficult to treat or cure. Before it is contained, a new virus or bacterium can sicken untold numbers of individuals.

When we refer to patient zero in IT terms, many entertain the notion that if an individual is infected by a new malware strain, or clicks on a new malicious web link, today’s state-of-the-art security solutions immediately respond and effectively eliminate the threat. The reality, however, is more analogous to infectious disease.

Today’s security solutions rely on detecting good versus bad. Although we have a solid understanding of what is good and bad today, we have no way of knowing what will be good or bad tomorrow. And just as it takes time for medical experts to develop a cure or treatment for a never-before-seen disease, it takes time for security products to develop defenses against new exploits. Even with technologies such as machine learning and AI, there can be a gap of a day, a week or months between the initial patient-zero infection and effective mitigation. During that time, many others can fall victim to the attack. We need to understand that the IT patient zero actually represents tens, hundreds or even thousands of infected devices.

Polio and smallpox impacted a significant portion of the world’s population before they were finally contained. That containment came in the form of a preventative vaccine. What better way to stop a disease than to prevent it from ever happening in the first place?  The same holds true for IT security. Because we will never be able to detect every new malicious web link, malware exploit, or email, as with medicine, prevention holds the key.

Related: Why Ransomware Attacks in Healthcare Will Continue to Rise in 2017

A Preventative Approach

A new preventative approach to eliminating malware, such as ransomware, and the patient-zero problem is isolation, which implements a secure and trustworthy execution environment (or isolation platform) between the user and potential sources of attack. By executing sessions away from the endpoint and delivering only safely rendered information to devices, users are protected from malware and phishing attacks. In the isolation model, malware has no path to reach an endpoint and legitimate content needn’t be blocked in the interest of security. With a native user experience, administrators can open up more of the Internet to their users while simultaneously eliminating the risk of attacks.

Healing Qualities

With the right isolation technology, HCOs can heal their IT security weaknesses, and recognize a number of benefits over legacy security products:

First, isolation prevents malware delivered through web pages and email links from reaching the endpoint. User sessions are executed in virtual containers within the isolation platform, and all content, including any malware, is discarded along with its container each time a user completes a session. There is no path for malware to escape and infect the user’s endpoint. As a result, there are no false positives that block legitimate content and generate alerts, and no false negatives that let malware through. The scope is the web and email-link vector: isolation does nothing against threats that arrive another way, such as a worm spreading over SMB as WannaCry did, stolen credentials, or an infected USB device, so it complements rather than replaces patching and network controls.

Secondly, it delivers a user experience that is indistinguishable from browsing the web directly, with no noticeable latency or impact on browser functionality such as cut and paste or printing. There is no pixelation, choppy scrolling or other visual artifacts common with remote-display technologies like VDI. Isolation uses the optimal encoding mechanism for each type of content, and delivers it securely to the user’s device using industry-standard rendering elements that are compatible with any device, browser or operating system.

Thirdly, a cloud-based isolation solution deploys quickly and easily (without appliances or endpoint software) and reduces security complexity and costs by eliminating endpoint software and outdated appliances. It can be turned on in minutes and simplifies operations by eliminating alert fatigue with zero false positives and negatives. And, it can scale to meet the demands of small to global HCOs.

Finally, isolation can be used in conjunction with existing security infrastructure. Next generation firewalls, for example, which protect against the latest cyberattacks, become even more versatile and effective when integrated with threat isolation.

Related: 5 Basic Steps for Hospitals to Improve Their Data Security

It’s Time for HCOs to Become Immune to Malware and Phishing 

Cybercriminals will always target those organizations with the weakest defenses and the most valuable data. Hospitals will always possess valuable data, but by bolstering their cyber immunity posture with new technology such as isolation, they can make themselves a much less appealing target for ransomware and other cyber threats.

5 Lessons Learned From The WannaCry Ransomware Attacks for Hospitals (https://hitconsultant.net/2017/05/25/wannacry-ransomware-attacks-lessons-learned/, Thu, 25 May 2017)

Editor’s Note: Richard Sullivan is chief government and revenue officer for Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Will information technology ever realize an imagined future where security is strong enough, reliable enough, secure enough to block any and all attacks?

It’s a dubious proposition made more uncertain by the recent WannaCry ransomware outbreak, which began a couple of weeks ago and continued around the globe for several days. Its spread was largely halted on Friday, May 12, when a security researcher found a weakness in the code, a kill-switch domain the malware checked before running, and registered it; variants without that weakness have been released since.

Whoever is sending out WannaCry will continue, or someone else, someplace else, will send something similar or more virulent. The war is never over.

Which means hospitals, IT vendors, security firms and other HIPAA business associates must constantly work to develop better tools. In pursuit of that goal, what can we learn from the WannaCry attack thus far that can help with security moving forward?

1. System updates are essential.

WannaCry targeted Windows operating systems and succeeded where those operating systems lacked security updates. Hospitals in Britain’s National Health Service suffered considerable damage because so many were still using Windows XP, a 16-year-old operating system. Contrast that with U.S. hospitals, which were minimally impacted. Indeed, a major concern for hospitals around the world is the use of old operating systems, in a variety of settings, that are no longer upgraded or supported. Microsoft rushed out a Windows XP security update after WannaCry was unleashed, but it is not something the company wants to do or would be willing to do with any regularity.

It probably goes without saying, but the use of unlicensed and unlicense-able software leaves hospitals completely vulnerable to malware attacks. In the U.S., this is not a significant problem. However, in China and countries similarly resistant to strong policing of intellectual property licensing and use, computers may as well put out a virus welcome mat. Reportedly, WannaCry impacted around 29,000 institutions in China.

2. Devices are vulnerable

Specifically, WannaCry infected Bayer Medrad radiology devices in at least a couple of reported cases, among the first publicly confirmed malware infections of medical devices in a hospital setting. The concern about medical devices is acute simply because they often control something directly related to the patient’s condition. A compromise of the EHR system is problematic and disruptive; a compromise of a medical device is potentially life-threatening.

3. Even inept hackers are successful enough to be very disruptive. 

WannaCry spread using an exploit reportedly taken from hacking tools originally developed by the National Security Agency and later leaked online, but the ransomware built around that exploit had flaws that researchers and security experts identified relatively quickly. Using terms like “amateur hour” and “easy fix” to describe WannaCry, security professionals said it was not a particularly sophisticated adversary. Yet even this imperfect malware spread rapidly to more than 150 countries, infected hundreds of thousands of workstations and cost an estimated $4 billion. Imagine what a more competent attack could do.

4. The most expensive part of ransomware is not the ransoms

It’s not unreasonable to see many hackers as anarchists with active minds, time on their hands and a perverse motivation to kick at the pillars of modern society. Most of the ransoms demanded in the WannaCry case were in the $300 to $600 range, and most organizations chose not to pay them. As of Friday, May 12, one consultancy estimated that only about $100,000 in total had been sent to the attackers. No one was going to get rich off this attack. Still, WannaCry bled an estimated $4 billion from the system in disruption and recovery. Again, imagine a much more successful effort than WannaCry and you can see how motivated attackers might set out to bring an essential industry such as healthcare to a grinding halt without collecting a dollar in return.

5. Subscription services are a viable alternative. 

A primary reason WannaCry succeeded at all is that so much old software is still running on so many devices. Subscription software is one way to get old software out of the market: with a subscription, to use WannaCry as the example, Microsoft can push security updates to all supported applications and operating systems quickly. The company did in fact release the patch for the flaw WannaCry exploited in March (the SMBv1 fix in security bulletin MS17-010), which is why the damage in the United States was much less extensive. Clearly, however, those updates did not reach the millions of Windows instances in use globally. While technology companies have been promoting subscription software for years, buyers have been slow to sign on. Perhaps incidents like this will convince many that subscription is both the more affordable and the safer option. In the meantime the practical check is simple: confirm that the March 2017 update is installed on every Windows host, and disable SMBv1, the protocol WannaCry spread over, wherever it is not strictly needed.

Right now, no single defense against malware and hackers is fail-safe; effective responses are multi-pronged, and subscription software can be a significant component. Each hospital must develop a comprehensive and stringent security program as the foundation for overall protection.

The security battles will continue into the foreseeable future and each will give us an opportunity to make the defenses more responsive and sophisticated. The hospitals that can learn security lessons without having to pay ransoms or endure systems shutdowns will be those that react rapidly and prepare for the various threats.

Speaking of which, have you installed those Windows security updates recently? 

How can Health IT Improve Security and Restore Trust? (https://hitconsultant.net/2017/05/15/how-can-health-it-security/, Mon, 15 May 2017)

Editor’s Note: John Smith is a Principal Solutions Architect at the IT analytics company ExtraHop. Prior to joining ExtraHop, John was a Cloud Architect at both Philips and McKesson, and before that a Principal Architect at the Centers for Disease Control.

Hardly a day goes by without news of a new cybersecurity threat or breach, and the healthcare industry is hit with more than its fair share. While unfortunate, it’s not hard to understand why. From protected health information (PHI) to insurance records, healthcare facilities are full of rich, sensitive patient data, making them prime targets for attacks. In fact, major cyberattacks on healthcare grew 63% in 2016, and one in four US consumers have now had their personal medical information stolen in a healthcare breach.

Statistics like these are scary for the entire industry, from healthcare delivery organizations to insurers and technology providers. They’re also terrifying for patients. When it comes down to it, if there’s any institution you want to be able to trust, it’s your healthcare provider. They take care of your health and well-being. It’s only natural to expect they can take care of your data. But consumers – rightfully so – are losing trust in health IT to consistently safeguard their information. We trust them with our lives, but we no longer trust them with our data.

The unease about healthcare’s ability to secure sensitive data and systems is not confined to consumers. Increasingly, health IT professionals themselves are expressing doubt and skepticism about their current security practices. According to a recent survey of 50 healthcare organizations, only 13% said they were confident that their existing security tools could defend against ransomware attacks.

The reality is that healthcare is acutely vulnerable to cyberattacks. And the sense of uncertainty and doubt about the efficacy of current security tactics is palpable. So what can healthcare organizations do to combat this issue, and regain the trust of both consumers and staff?

How Did Health IT Get Here?

The number and scale of healthcare cyberattacks has greatly increased in the last several months, which has significantly contributed to the deteriorating trust in health IT. So how did we get here?

First, it’s important to remember that the healthcare industry doesn’t have much experience with cyber threats relative to other industries. E-commerce professionals have been trading punches with bad actors for nearly 20 years now, and they’ve been forced to toughen their defenses and build up a high level of resistance. Up until 18-24 months ago, few health IT professionals had experience dealing with the frequency, variety, and severity of threats to which they’ve recently been subject. As a result, healthcare infrastructures and systems haven’t faced the rigorous testing that’s now second nature to organizations in other verticals.

In addition to the relative immaturity of the security infrastructure itself, many healthcare organizations haven’t developed the robust processes and best practices that help organizations in other industries stay ahead of the threat curve. Things like backups and regular updates don’t happen as often as they should, partly because of the associated risk of instability or downtime, which can have far-reaching consequences in a hospital setting; and a backup that has never been restored in a drill is not known to work at all. Then there’s the general disorder that tends to accumulate in health IT departments, which leads to security protocols being less stringently followed and enforced.

Finally, from my first-hand experience supporting healthcare over the last 21 years, we need to acknowledge that health IT workers, especially those working for smaller healthcare systems, are often overworked and tasked with doing a large number of important, complex tasks in order to keep critical systems going. Just as with any industry – from financial services to food services – things can fall through the cracks when employees are overworked. The difference is that, in healthcare, the stakes are so much higher when mistakes happen. System uptime can literally be a matter of life or death. Budgets are also often tight, so adding personnel or investing in a new security solution is not always an option, leaving staff to make do with what they have.

How can health IT improve security and restore trust?

We know healthcare facilities are being bombarded with cyberattacks, and we know there’s skepticism about existing security tactics. So what can health IT do to address these issues? It has to start with visibility. Trust and confidence are gained by having insights and knowledge at your fingertips. Information is empowering, and it allows IT professionals to make smarter decisions and address key issues. As health IT gets more complex – from connected devices to hybrid infrastructure – IT workers need to know what’s happening, when it’s happening, and why it’s happening. Otherwise, they’ll be trying to control systems blind.

No one knows when the next big breach or vulnerability is coming, but I can tell you that it will involve communications between systems that are not supposed to be communicating at all. To succeed under those circumstances, it’s time for healthcare to realize that visibility isn’t a “nice to have,” it’s a “must-have.” The best thing that health IT professionals can do is find solutions that allow them to see – down to the transaction level – what’s happening across healthcare IT and clinical systems in real time. Now more than ever, IT staff need tools that can discover applications and devices automatically and rapidly identify anomalies in IT and clinical workflows.

The first step in obtaining the right level of visibility is identifying which systems would land you in the news, on KrebsOnSecurity, or under a regulatory fine if they were breached. Hospitals have sensitive data traversing many places, but you can at least start with the crown jewels: the databases where PHI is stored and the systems that carry it in transit. An adequate inventory of all of your high-risk systems will make your life considerably easier. It is entirely possible that the visibility needed in an environment of several hundred systems can be distilled into monitoring a few dozen that house sensitive data. The key is to work not from the top down but from the ground up: identify the key systems that house critical data, then look at the ingress and egress of those systems. A common theme taking shape in cyber security is simplifying the tasks associated with it. Simplicity starts with visibility, and it doesn’t get much simpler than knowing, at the packet level, who is talking to whom.   
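As an added example, not code from this article or from ExtraHop, the Python script below applies the ground-up approach described here, together with the automatic discovery and anomaly spotting called for in the preceding section. It starts from a constructed inventory of crown-jewel systems and the conversations they are expected to have, scopes a flow log down to traffic that touches those systems, lists peers that appear in neither the inventory nor the baseline, and flags every in-scope conversation that is off the baseline, with the reason. All addresses, ports, baseline entries and log lines are constructed for illustration, and the record format is a simplified one rather than the output of any particular tool.

```python
"""Ground-up visibility: scope flow records to crown-jewel systems and flag
unexpected conversations. Added example, not from the article or ExtraHop.
All addresses, ports, baseline entries and log lines are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Inventory: the systems whose breach would make the news or draw a fine
# (constructed RFC 1918 addresses).
CROWN_JEWELS = {
    "10.20.1.10": "phi-db (database holding PHI at rest)",
    "10.20.2.20": "ehr-app (EHR application tier)",
    "10.20.3.30": "hl7-engine (interface engine carrying PHI in transit)",
}

# Baseline: the conversations these systems are supposed to have, as
# (client, server, server_port). Anything else touching a crown jewel
# deserves a look.
EXPECTED_FLOWS = {
    ("10.20.2.20", "10.20.1.10", 1433),  # EHR app -> PHI database
    ("10.20.3.30", "10.20.2.20", 2575),  # HL7 MLLP feed -> EHR app
    ("10.20.9.9", "10.20.1.10", 1433),   # backup server -> PHI database
}

# Hosts anyone has written down; anything else talking to a crown jewel is new.
KNOWN_HOSTS = set(CROWN_JEWELS) | {h for c, s, _ in EXPECTED_FLOWS for h in (c, s)}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # the organisation's own space (constructed)

# Constructed flow log in a simplified 'ts src dst dport proto' format.
SAMPLE_FLOW_LOG = """\
# ts                   src          dst          dport  proto
2017-05-12T08:00:01Z   10.20.2.20   10.20.1.10   1433   tcp
2017-05-12T08:00:05Z   10.20.3.30   10.20.2.20   2575   tcp
2017-05-12T08:01:10Z   10.50.7.77   10.20.1.10   1433   tcp
2017-05-12T08:02:33Z   10.20.1.10   203.0.113.5  443    tcp
2017-05-12T08:03:00Z   10.20.2.20   10.20.1.10   445    tcp
2017-05-12T08:04:00Z   10.50.7.77   10.50.7.78   445    tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow_log(lines: Iterable[str]) -> list[Flow]:
    """Parse the simplified flow format; blank and '#' lines are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()[:5]
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def is_external(ip: str) -> bool:
    """True when the address lies outside the organisation's own networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def scope_to_crown_jewels(flows: list[Flow]) -> list[Flow]:
    """Ground-up scoping: keep only flows with a crown jewel on either end."""
    return [f for f in flows if f.src in CROWN_JEWELS or f.dst in CROWN_JEWELS]


def discover_unknown_peers(flows: list[Flow]) -> list[str]:
    """Hosts seen talking to a crown jewel that nobody inventoried."""
    peers = {h for f in scope_to_crown_jewels(flows)
             for h in (f.src, f.dst) if h not in KNOWN_HOSTS}
    return sorted(peers)


def find_unexpected(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Flag in-scope flows that are not in the baseline and say why."""
    findings = []
    for f in scope_to_crown_jewels(flows):
        if (f.src, f.dst, f.dport) in EXPECTED_FLOWS:
            continue
        if f.src in CROWN_JEWELS and is_external(f.dst):
            reason = "egress: crown jewel initiating a connection to an external host"
        elif f.src not in KNOWN_HOSTS or f.dst not in KNOWN_HOSTS:
            reason = "unknown peer: host in neither the inventory nor the baseline"
        else:
            reason = "off-baseline: known hosts talking on a port not in the baseline"
        findings.append((f, reason))
    return findings


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG.splitlines())
    print(f"{len(flows)} flows, {len(scope_to_crown_jewels(flows))} touch a crown jewel")
    print("unknown peers:", discover_unknown_peers(flows))
    for f, reason in find_unexpected(flows):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto}  {reason}")
```

Run as-is, the script reduces six flows to the five that touch a crown jewel, ignores the workstation-to-workstation traffic entirely, and raises three findings: a workstation nobody inventoried reaching the PHI database, the database itself opening a connection to an address outside the organisation, and a known peer talking to the database over SMB rather than the expected SQL port. The last two are exactly the "systems that are not supposed to be communicating" case; on a real network the baseline would be built from a learning period rather than typed in by hand, and any new finding should be triaged before it is added to it.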

True visibility into and understanding of the interplay between critical systems has another advantage: it allows IT to run leaner. Many of the healthcare organizations I’ve worked with have, at least in part, implemented lean practices, and insight is critical to supporting those initiatives. For overworked health IT teams, this can make all the difference.  

Think of it this way: most infrastructure today is like a dark parking garage. That lack of visibility would lead the average person to have less confidence and trust that the garage is safe. The same goes for health IT. CISOs and CIOs don’t lose sleep over the systems they know about; they lose sleep over the systems they aren’t aware of. To keep data, systems, and patients safe, you need to be able to see what’s going on across your environment in real time. For health IT, it’s time to bring everything into the light.
