It is perhaps one of the greatest testaments to human greed in an age of increasing cybercrime that criminals are prepared to put at risk, for a profit, the very institutions on which they themselves may next depend.
Last year, in the US alone, 289 hospitals were hit by ransomware attacks, curtailing access to records, knocking connected devices offline, and putting lives at risk. According to Statista, almost two-thirds of compromised institutions paid the ransom demanded (the highest rate of any sector attacked), usually averaging about $197K per attack (surprisingly, the lowest average demand, but still enough to mark them as targets for repeat attacks). However, the ransom paid is usually dwarfed by the cost of remediation and related damages: $113m in the case of San Diego's Scripps Health, a non-profit consortium of clinics, hospitals, and research facilities. All told, IBM places the average cost at $10m.
And that is just the money. At least a quarter of hospital officials polled believe that cyber-attacks have definitely caused an increase in mortality, and a third trace complications in care to treatment disruptions.
Healthcare is more than just a service; it is critical infrastructure, which means that the average cyberthug is not necessarily motivated by profit alone. He or she may also be in the pay of a hostile state attempting to disrupt a nation's quality of life and undermine its political standing. In the US, this is sadly no longer difficult.
Long overdue, and placing the US on par with the rest of the developed world to a limited extent, the 2009 HITECH Act (part of Obama's stimulus package) quite possibly helped place healthcare in criminal sights by paying the industry to go digital. By 2019, however, most patient-care institutions were still using fax to transmit records, quite simply because a fax machine offers a far smaller remote attack surface: no passwords or email addresses to leak, no attachments to carry malware, and easily isolated. Unfortunately, Obama, well intentioned though he may have been, changed all that.
What makes healthcare an attractive mark now is the ease of infiltration. With a staff-to-patient ratio of roughly one to five (denser staffing than a hotel's average of 1:8, though thin relative to the number of sick people in a hospital's region at any time), the number of doctors, nurses, and support staff indiscriminately downloading apps to their hospital endpoint devices (their cellphones) is very high. Moreover, doctors and nurses work long hours under intense pressure. This makes them especially vulnerable to phishing and other forms of social engineering, providing attackers with a wide-open door through which they then reach other online systems.
SC Media reports, however, that "third-party vendors were behind the vast majority of healthcare data breaches." These include the vendors and maintenance crews behind the equipment, cloud service providers, core service providers, and acquisition supply chains (laundry services, syringe and other tool vendors), and more. Add to this the number of IoT devices connected to the internet, anything from MRIs to IV pumps that attending doctors can monitor remotely, and a hospital's attack surface is wide indeed.
On the technology side, however, hospitals are tragically understaffed with IT and cybersecurity professionals compared with other organizations of similar size. Medical equipment is vastly expensive (the INUMAC MRI scanner goes for a quarter of a BILLION dollars), and the priority for hospital spending is medical.
Luckily, the average doctor (though not the average administrator, according to the average doctor) will not think twice when faced with the question: your money or your patient's life. Losing access to a patient's data could be life-threatening, where blood type or allergies are concerned, for example. Sadly, the decision to pay a ransom quickly is often an economic one rather than an altruistic one.
President Clinton's Health Insurance Portability and Accountability Act (HIPAA), more than a decade before Obamacare, carefully delineated a patient's rights to privacy and the protection of health information. Consequently, paying the ransom, and in some cases the additional remediation costs, is considerably cheaper than the potential lawsuits resulting from the compromise of such data.
Cast high when phishing
Large ransomware syndicates have in the past apologized for rogue affiliates targeting healthcare, as LockBit did last year and as Conti did in 2021 by handing a free decryption key to Ireland's beleaguered health service. Notwithstanding, healthcare, like cybercrime, is big business, and owing to rising costs, consolidation is the abiding theme. It is no longer your neighborhood GP but a network of hospitals, outpatient clinics, schools and continuing-education facilities, research laboratories, affiliated doctors, transport and support systems, and more.
Last May's Shields Healthcare attack affected two million people whose medical and personal data was stolen; the Aurora Health breach three months later, 3 million. The 2020 Ryuk attack cost Universal Health Services $67m, and Anthem Inc., from which attackers stole 79m records in 2015, paid a whopping $115m in litigation alone.
In the Alabama case reported in 2021, the mother of a baby who died sued the hospital for not informing her before delivery that its computers had been compromised, alleging that the resulting diminished care led to brain damage and the baby's death.
Unlike Europe, where hospitals are publicly funded and therefore less likely to pay a ransom, US hospitals are private enterprises with the independence to pay as they see fit. Unfortunately, that freedom also marks them as repeat targets. Hopefully, the latest White House National Cybersecurity Strategy may provide some relief by shifting the onus of securing medical devices onto the manufacturers. Additionally, the industry is adopting new security guidance for healthcare stakeholders, as outlined by the National Institute of Standards and Technology (NIST), to modernize how HIPAA's aging requirements are implemented.
Pillars of Zero Trust
50 million Americans were affected last year by breaches in the healthcare industry. The malady is quickly spreading to the senior-care and pharmaceutical industries as well (which may finally result in some action). We have not yet completely recovered from the 220% increase in phishing attacks during the Covid pandemic. And unfortunately, the industry is failing to take remedial action.
On the most basic level, to prevent the initial foothold, recurrent anti-phishing training and testing of employees are unavoidable, and that includes sending simulated phishing messages. But since employees are human, it pays to deploy URL filtering or browser isolation that blocks a phishing page from loading when someone does accidentally click a link.
For their part, IT professionals must keep their tooling current: devices patched, email filtering in place across all systems, antivirus and endpoint security updated, and training ongoing. Healthcare Facilities Today provides a list of tools that can be used, and TechTarget, tools for cloud management, compliance, AI, and multi-platform support.
But the most important steps are backups, planning, encryption, and a Zero Trust model, in which no request for a computer resource is presumed safe. Users, devices, networks, workloads, and data must be identified and verified on every connection, not just at login, and that includes the thousands of IoT devices in an average 500-bed hospital. The control and policy pillars of this approach require real-time monitoring of all systems and automated responses to incidents. Threat detection must be in place to block malware before it becomes a breach, and access must be denied by default and granted only at the minimum level each task requires.
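To make the per-request verification concrete, here is an added example of a small zero-trust policy check; it is illustrative code written for this article, not a product or a real hospital's configuration. It re-evaluates device posture, identity freshness, a deny-by-default role allow-list, network segmentation for an IoT subject, and least-privilege narrowing on every request. The roles, resource names, the 12-hour MFA window, and the sample requests are all assumptions made up for the example.

```python
"""Per-request zero-trust access decision (illustration, not from the article).

Every request is re-evaluated against device posture, identity freshness,
a deny-by-default role allow-list, IoT segmentation and least privilege.
Roles, resource names and thresholds below are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Subject:
    user_id: str
    role: str                    # "physician", "nurse", "vendor", or "device" for IoT
    mfa_at: Optional[datetime]   # last MFA completion; None if never


@dataclass
class Device:
    device_id: str
    kind: str                    # "workstation", "phone", "iot"
    managed: bool                # enrolled in MDM/EDR
    patched: bool                # within the patch window
    attested: bool = True        # firmware/hardware attestation (IoT only)


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str                # e.g. "ehr/patient/123" or "iot/pump-7/telemetry"
    action: str                  # "read", "write", "control"
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    scope: Optional[str] = None  # permission actually granted (may be narrower)


MFA_MAX_AGE = timedelta(hours=12)   # assumed re-authentication interval

# Deny by default: only listed (prefix, role) pairs get any actions at all.
POLICY = {
    "ehr/":    {"physician": {"read", "write"}, "nurse": {"read", "write"}},
    "iot/":    {"biomed": {"read", "control"}, "device": {"read"}},
    "vendor/": {"vendor": {"read"}},
}


def evaluate(req: Request) -> Decision:
    sub, dev = req.subject, req.device
    # 1. Device posture is checked per request, so a device that drifts out of
    #    compliance loses access without waiting for its session to expire.
    if not (dev.managed and dev.patched):
        return Decision(False, "device not managed or not patched")
    if dev.kind == "iot" and not dev.attested:
        return Decision(False, "iot device failed attestation")
    # 2. Human identities must carry a recent MFA; IoT subjects rely on attestation.
    if sub.role != "device":
        if sub.mfa_at is None or req.now - sub.mfa_at > MFA_MAX_AGE:
            return Decision(False, "mfa missing or stale")
    # 3. Role allow-list for the matching resource prefix; unlisted means nothing.
    permitted = set()
    for prefix, roles in POLICY.items():
        if req.resource.startswith(prefix):
            permitted = roles.get(sub.role, set())
            break
    if req.action not in permitted:
        return Decision(False, f"{sub.role} may not {req.action} {req.resource}")
    # 4. Segmentation: an IoT device may only reach its own namespace.
    if sub.role == "device" and not req.resource.startswith(f"iot/{dev.device_id}/"):
        return Decision(False, "iot device outside its own segment")
    # 5. Least privilege: EHR writes from a phone are narrowed to read-only.
    if req.action == "write" and dev.kind == "phone":
        return Decision(True, "write narrowed to read on mobile endpoint", scope="read")
    return Decision(True, "policy allows", scope=req.action)


NOW = datetime(2023, 6, 1, 8, 0, tzinfo=timezone.utc)   # constructed clock


def run_samples() -> dict:
    """Constructed requests covering the main outcomes (sample data, not real)."""
    ws = Device("ws-icu-3", "workstation", managed=True, patched=True)
    phone = Device("ph-42", "phone", managed=True, patched=True)
    laptop = Device("lap-9", "workstation", managed=False, patched=True)
    pump = Device("pump-7", "iot", managed=True, patched=True, attested=True)
    nurse = Subject("n.ortiz", "nurse", NOW - timedelta(hours=1))
    doc = Subject("dr.lee", "physician", NOW - timedelta(hours=2))
    vendor = Subject("acme-svc", "vendor", NOW - timedelta(hours=30))
    pump_id = Subject("pump-7", "device", None)
    cases = {
        "nurse_workstation_read": Request(nurse, ws, "ehr/patient/123", "read", NOW),
        "physician_phone_write": Request(doc, phone, "ehr/patient/123", "write", NOW),
        "vendor_stale_mfa": Request(vendor, ws, "vendor/logs", "read", NOW),
        "unmanaged_laptop": Request(nurse, laptop, "ehr/patient/123", "read", NOW),
        "pump_own_telemetry": Request(pump_id, pump, "iot/pump-7/telemetry", "read", NOW),
        "pump_other_controller": Request(pump_id, pump, "iot/pump-9/control", "read", NOW),
    }
    return {name: evaluate(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:24} {'ALLOW' if d.allowed else 'DENY':5} {d.scope or '-':6} {d.reason}")
```

The ordering matters: posture and identity are rejected before the allow-list is consulted, so a stolen credential on an unmanaged laptop never reaches the authorization step, and the IoT pump is confined to its own path even though its role is otherwise permitted to read. In a real deployment the posture and attestation fields would come from the MDM/EDR and device-identity systems rather than being set by hand.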
But finally, a policy is only as good as the people who implement it. Protect them!