Robert Olsen in Modern Healthcare
A year after hackers unleashed the WannaCry and NotPetya ransomware, taking down healthcare organizations and other companies around the world, the healthcare industry still struggles to keep its systems secure.
In the first six months of 2018, there were 154 breaches reported to the Office for Civil Rights, up 13% compared to the same period in 2017. There were 50 "hacking/IT" incidents specifically during that period in 2018, just two more than there were during the first six months of 2017.
"There's definitely more healthcare-related breaches," said Bob Olsen, Navigant's director of cybersecurity. "The challenge is there are new vulnerabilities being discovered every day. It's a bit of a moving target."
But there could be multiple factors behind those increases, cautioned John Riggi, senior adviser for cybersecurity and risk for the American Hospital Association and an FBI veteran. Organizations may simply be reporting breaches they wouldn't have reported in the past, or reporting breaches that happened years ago. That's what happened with LifeBridge Health, which in 2018 reported a breach of half a million patients that happened in 2016.
Nevertheless, healthcare organizations are engaged in a constant battle against cybercriminals, Riggi and others said.
The struggle peaked in May 2017, when hackers let loose the WannaCry ransomware, which encrypted data and demanded ransom in bitcoin in exchange for the decrypted files. The attack affected about 200,000 computers in 150 countries, including the UK, where the National Health Service's systems went down.
A little over a month later, hackers sent out another piece of ransomware, NotPetya, which took down Nuance and other companies. Nuance lost $92 million in revenue due to the attack.
But ransomware attacks don't come from hacker organizations alone. "Nation-states are aggressively targeting healthcare and hospitals in particular," Riggi said.
Health systems have more to fear than their IT infrastructure going down. Breached data can end up on the dark web, where they're bought and sold. As more health data becomes available on those networks, prices have fallen. But the data is still useful to buyers, Finn said. People can aggregate health data and non-healthcare data from multiple sources, connecting people's health data with their financial information.
"They're using data in ways we don't even think of," he said.
Those risks have spurred hospitals and healthcare organizations to be more aggressive in their defenses, Riggi said. But their plight never ends. "With every counter-measure put in place by a hospital, the adversaries come forward with a counter-measure for that," Riggi said.
Part of the trouble is the speed—or lack thereof—with which healthcare organizations can react, Olsen said. "It's sort of like moving a big ocean liner—it just takes time."
Healthcare executives and security teams should prioritize protecting the most sensitive and critical data, including protected health information, Olsen said. That work includes an initial risk assessment and putting in place appropriate training policies, and patches.