Preventing Cyberattacks Is Everybody’s Business

Online criminals are targeting healthcare organizations, jeopardizing safe patient care and exposing personal data. 

You’ve had a chaotic morning. The first patient of the day canceled their procedure and your nurse navigator called in sick, throwing your facility’s entire schedule off track. When you finally sit down to take five minutes to sort through your inbox, an email from your favorite takeout spot offering a free sandwich pops up; all you need to do is click the coupon to redeem. Without hesitating, you click a link that turns out to be a phishing attack.

Phishing is just one of the many cyberattacks occurring with increasing regularity at healthcare organizations across this country. According to the State of Ransomware in Healthcare 2022 report by cybersecurity firm Sophos, an alarming 66% of healthcare organizations reported being hit by ransomware in 2021. An even scarier statistic from the report: 61% of these attacks resulted in data encryption, which can greatly impact patient care and safety.

Four main attack types

John Riggi spent nearly 30 years as a decorated veteran of the FBI and now serves as senior advisor for cybersecurity and risk for the American Hospital Association (AHA) and its 5,000-plus member hospitals. His experience investigating cyberthreats, international organized crime and terrorist organizations for the FBI and CIA informs the advisory services he provides to the leadership of hospitals and health systems across the nation. Mr. Riggi says there are several methodologies that bad guys use to get into your network, including:

Phishing. According to Mr. Riggi, phishing attacks remain one of the most common methodologies cybercriminals use. “A phishing attack is really the main attack vector; the way malware is delivered into the network,” he says. The phishing email carries the malware in a malicious attachment or link and tries to deceive the end user into opening it. “And that attachment or link may contain the malware which results in the theft of data or delivery of a ransomware attack,” says Mr. Riggi.

Theft of data. “This can include patient data, personally identifiable data, financial data and theft of medical research and innovation. Because they possess so much valuable data, cybercriminals specifically target healthcare facilities,” says Mr. Riggi, adding that theft-of-data attacks often originate from foreign criminal organizations based in hostile nation states such as Russia, China, Iran and North Korea.

Third-party attacks. Mission-critical suppliers of technology, hardware and software, and those we rely on to handle our sensitive data, are highly vulnerable to cyberattacks. “Bad guys have figured out that if they strike our mission-critical third parties, the attack could have a wide-ranging disruptive effect on healthcare customers of that third party,” says Mr. Riggi.

Ransomware. Ransomware is a type of malware, software designed to disrupt a computer or leak confidential information. “The end objective of ransomware is to encrypt your data in place,” says Mr. Riggi. When it comes to ransomware, he says, cybercriminals have recently been utilizing a double-layered extortion method. “Before they encrypt your data, they steal a large volume of patient data. Then they extort the victimized healthcare organization in two ways: They demand a ransom payment for the decryption key and threaten to publicly release the patient data on the web or sell it on the dark web to other criminals if the ransom is not paid.”

While ransomware attacks are highly disruptive, delaying healthcare delivery and ultimately putting patient safety at risk, Mr. Riggi says that the AHA and the FBI strongly discourage ransom payments. “Payment could encourage additional attacks, and it actually funds the organization to continue to conduct attacks or commit more serious crimes,” he says.

How to protect yourself

On top of everything else you’re dealing with right now, you also need to keep your facility safe from the ever-increasing threat of a cyberattack. So what do you need to do to protect yourself and your patients? Protecting your organization involves a multipronged approach coupled with continuous employee training and buy-in.

Michael Barnes, director of information technology at Knoxville (Tenn.) Orthopaedic Surgery Center, says the one thing organizations need to emphasize to staff is that cybersecurity is everybody’s job. “I remind the staff they are our first line of defense, because they are the ones getting the suspicious emails and phone calls,” he says. To that end, he says consistent staff training is of utmost importance. “One thing I tell new hires is to listen to their gut,” says Mr. Barnes.

“Don’t click everything. Make sure you carefully read your emails and if something seems fishy, it probably is.”

Mr. Barnes tells surgical leaders that cybercriminals have become more sophisticated, making a malicious email more difficult to recognize. “You no longer get emails from a Nigerian prince asking for $10,000. These criminals do research beforehand,” he says.

The importance of getting staff heavily involved in protecting your facility is advice reinforced by Mr. Riggi. He says phishing tests — fake emails sent to see how employees respond — have proven very effective. “To lower the click rate on phishing email simulations, I think constant training, education, awareness and leadership is of the utmost importance, because you are in charge of taking care of patients, and saving lives is Job One,” he says. A good incentive is to publicly recognize employees who pass phishing tests and identify real phishing emails, and to reward them with little treats or small prizes.

Mr. Barnes shares tips in the organization’s monthly newsletter, like utilizing a Virtual Private Network (VPN), which establishes a protected network connection when using public networks. “I also like to include statistics and information on recent healthcare hacks as gentle reminders,” he says.

Other recommendations include:

Warning banners. “We encourage all organizations to use banners that identify emails coming from outside the organization, periodically changing the color of the banner, especially during a heightened threat environment,” says Mr. Riggi. 

Multi-factor authentication. When you log into your account from outside the facility, or into your VPN, multi-factor authentication requires not only your username and password, but an individual code that is sent directly to your phone or other device.

Endpoint protection programs. “The great thing about these programs is even if you click on a malicious link and it lands on your desktop or laptop, these programs offer built-in security right on your desktop or laptop and will take countermeasures to stop the malware from spreading to the rest of the network,” notes Mr. Riggi.

Electronic medical records. Most EMRs have some built-in protection, but Mr. Barnes does recommend segregating your EMR network from other facility networks. “You don’t want your air conditioning system on the same network as your EMR, because hackers will figure out a way to penetrate your records through your air conditioning,” he warns. 

DATA-STEALING STATISTICS
10 Major Healthcare Breaches
There has been an unsettling upward trend in data breaches over the past 10 years. HIPAA Journal compiled healthcare data breach statistics from October 2009 until June 30, 2022. Below are the 10 largest that have occurred in

• 2015: Anthem, Inc. (now Elevance Health), a health insurance provider in Indianapolis. Almost 79 million individuals were affected by a hacking/IT incident.

• 2019: American Medical Collection Agency, a collection agency in Elmsford, N.Y. Over 26 million individuals were affected by a hacking/IT incident.

• 2015: Premera Blue Cross, a health insurance company in Mountlake Terrace, Wash. 11 million individuals were affected by a hacking/IT incident.

• 2015: Excellus Health Plan, Inc., a health insurance provider in Rochester, N.Y. 10 million individuals were affected by a hacking/IT incident.

• 2011: Science Applications International Corp., a military contractor that provides services to the U.S. government, located in Reston, Va. 4.9 million individuals were affected by a data breach involving personally identifiable and protected health information.

• 2015: University of California, Los Angeles Health, an academic health center. 4.5 million individuals were affected by a hacking/IT incident.

• 2014: Community Health Systems Professional Services Corporations, a healthcare provider in Franklin, Tenn. 4.5 million individuals were affected by a hacking/IT incident.

• 2013: Advocate Health and Hospitals Corp., a healthcare provider in Downers Grove, Ill. More than four million individuals were affected after four unencrypted laptops were stolen.

• 2015: Medical Informatics Engineering, a healthcare IT platform company in Fort Wayne, Ind. 3.9 million individuals were affected by a hacking/IT incident.

• 2016: Banner Health, a healthcare provider in Phoenix. Over 3.6 million individuals were affected by a hacking/IT incident.

Danielle Bouchat-Friedman

What it can cost you

If cybersecurity fatigue ever starts to set in among staff or leadership, remind everybody of what’s at stake. After an attack, facilities face the cost of technical remediation along with lost revenue. “Their systems may be shut down, they may have to cancel surgeries and divert patients, all of which results in revenue interruption and loss,” says Mr. Riggi. A 2018 Cost of a Data Breach study found that for eight years in a row, healthcare organizations had the highest costs associated with data breaches — $408 per lost or stolen record — nearly three times the cross-industry average ($148).

Finally, think about it from your patient’s point of view: If a facility cannot protect my personal data, can I really trust them with my health? Of course, if you find yourself on the wrong end of a cyberattack, there are certain must-take steps. Mr. Riggi notes that after an attack, it’s critical for an organization to demonstrate how it is attempting to recover the stolen data and protect its systems from future attacks. “Be transparent with your patients about what happened,” he says.

The best thing you can do is take every possible precaution to make sure you’re never in that position in the first place. OSM