
Hacking Health Care

Hospitals fight ongoing vulnerabilities to keep patient information safe 

By Dawson Bell 

Anyone who has visited a doctor or hospital in the last 10 years knows that technology is revolutionizing the delivery of health care.

Connected devices, online recordkeeping, remote imaging and consultation, and dozens of other advances have made patient care in the 21st century unlike anything that has come before. That’s generally a good thing for doctors, patients and health care administrators. But all that connectedness creates new vulnerabilities as well — ones that cybercriminals are all too eager to exploit.

Consider some of the recent headlines: “Health Insurer Anthem Hit by Hackers,” “Hollywood Hospital Pays $17,000… to Hackers; FBI Investigating,” and “FBI Warns Health Care Sector Vulnerable to Cyber Attacks.”

So far, there have been no major, reported breaches of health care information systems in Michigan, said Scott Larsen, manager of cybersecurity operations for Beaumont Health and vice chairman of the Michigan Health Care Cybersecurity Council. But that’s not for a lack of trying.

“There are attacks every day,” Larsen said, adding that they are thwarted or detected in time to avoid significant damage. The threat from cyber thieves and mischief makers in the health care sector is constant and ever evolving, he added.

“I don’t want people to be paranoid,” Larsen said, “but folks are out to get their data.”

Why is the health care industry attracting so much attention from criminals? The answer is pretty straightforward — like American criminal Willie Sutton explaining that he robbed banks, “because that’s where the money is” — hospitals, clinics, labs and insurers are a gold mine for data.

Experts estimate that a patient's identity record stolen from a health care system can be worth as much as 20 times more to criminals than the data swiped from a credit card record. And because such a record typically contains far more than a card number, it can be put to a wider variety of nefarious purposes than identity theft alone, such as committing insurance fraud or obtaining narcotics.

Ransomware attacks like the one that struck a Hollywood hospital earlier this year put administrators in a no-win situation. Hackers introduce malware onto a hospital server, often through email, and it encrypts the records it reaches; administrators must then either pay the ransom or lose access to their own patients' records indefinitely.

Health care providers also face industry-specific obstacles to designing and implementing cybersecurity defenses. Due to the nature of the work, vast amounts of patient data are stored on an array of devices that have to be accessible to hundreds or even thousands of employees.

Henry Ford Health System Chief Information Privacy and Security Officer Meredith Phillips said effective security is a matter of engaging the entire workforce — all 27,000 of them.

“How do we get each of them to become aware of the risks?” she asked. The answer, she said, is training, continuing education, assessing specific threats and more training.

Phillips and her colleagues around Southeast Michigan say that assessing and upgrading technological infrastructure — firewalls, encryption, protocols for the handling of information and devices — is absolutely necessary to ward off cybercriminals. Necessary, but not sufficient.

Health care providers have to create a culture that instills cybersecurity awareness across the workforce. "No amount of technology," Phillips said, is a substitute for vigilant and savvy employees.

Joe Francis, senior vice president and chief information officer at the Detroit Medical Center, said another significant challenge is monitoring and enforcing security standards across the plethora of outside vendors and business partners, such as labs and medical record-keepers, that interact with a major health care provider.

DMC’s vendors are required to complete a lengthy questionnaire on their security procedures and enter into specific security agreements before they get a contract, Francis said.

Additionally, health care organizations are heavily regulated and scrutinized by state and federal agencies. Those rules are designed to improve patient care and accessibility (e.g., online recordkeeping requirements), but some of them also increase exposure to the criminal underworld by putting more data online, while imposing potentially heavy legal and financial burdens on providers if that information is stolen.

“You never get to relax,” Francis said. “There won’t ever be any one thing that will (neutralize the threat from cybercriminals).”

Doug Copley, a former Beaumont executive now working in risk management for the cybersecurity firm Forcepoint, agrees that repelling health care hackers is "not a project that begins and ends." Health care providers, especially, face a unique tension between accessibility and security of information.

“Think about who works there,” Copley said. “Physicians and nurses have a desire to help patients. They push back on anything that interferes with that. The last thing they want to do is walk into an operating room before a surgical procedure and be asked to change a password.”

In other industries, he said, it is easier to compartmentalize and limit access. In health care, there are so many points of entry (e.g., an MRI machine that collects voluminous data and runs its own operating system), and so many people who need to pass through them, that "the attack surface is much larger," he said.

Ultimately, no data systems can be 100 percent secure in the face of relentless and sophisticated foes like those targeting hospitals and health insurers, Copley said.

In addition to building robust defenses and a security culture, it is important for providers to have a wide-ranging and workable response plan for when things go wrong. That means, according to Copley, being ready to work with the media, attorneys and insurers, even as the IT team is working on technology triage. And remembering that the work is never done.