Just a few weeks ago the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued a joint statement warning that healthcare organizations are under an “increased and imminent” threat from ransomware. NBC News reported that at least twenty hospitals have been hit in a recent wave of ransomware, with at least six occurring this past week.
FireEye’s Mandiant division, which is tracking the attacks, commented, “The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.”
The threat to human life generated by cyber-attacks on health institutions is not hyperbole. In a recent case in Germany, a ransomware attack so disabled a hospital that patients were turned away, in at least one case leading directly to the loss of human life.
Over the past decades, healthcare has become increasingly intertwined with technology. The increased use of technological solutions in the healthcare field leads to better care and outcomes for patients. However, this integration of technology also creates significant security vulnerabilities which have proven difficult to address. Although cybersecurity is not something traditionally associated with healthcare, in the 21st century it has become an integral part of comprehensive patient care and one of the foremost challenges facing the entire healthcare industry.
Currently, the healthcare industry as a whole seems to be losing the cybersecurity battle, and as a result patient care is being affected. Cybersecurity has literally become a life or death issue in the healthcare industry.
As is the case with cyber issues in general, a lack of understanding of the economics of cybersecurity has led to underinvestment in this critical aspect of patient care.
Healthcare in particular is being so heavily targeted by cyber criminals because of the very favorable economic calculus associated with health data. Healthcare institutions are “a rich source of valuable data, and it is a soft cyber target.”
As previous posts have shown for all sectors of the economy, the economics of cybersecurity in the healthcare field weigh heavily in favor of the cyber criminals. Patient data sets are extremely valuable to cyber criminals and nation-state actors alike. Meanwhile, the costs associated with launching an attack are relatively low, and the profits from stolen patient data sets are very high. Stolen healthcare data can fetch over $1000 on the black market because the information contained in it can be used in several lucrative ways, including submitting false medical claims, acquiring prescription drugs, and filing false applications for credit. To add some perspective, it is estimated that a person’s medical information is at least 20 times more valuable to criminals than a person’s financial information.
In the world of nation-state threat actors, healthcare records are an excellent source of intelligence for building out target folders on individuals those nations might want to compromise in the future. Thus, healthcare organizations are a prime target for cyber criminals and nation-state actors because they present an opportunity for high returns on their attack investment.
As of 2018, there were, on average, between 10 and 15 interconnected devices per hospital bed in the United States. Moreover, the use of consumer devices, like mobile phones, in the healthcare industry has also become increasingly prevalent over the past ten years. These trends, combined with the COVID-19 pandemic, are now causing an even sharper increase in the use of consumer devices in the healthcare field for telemedicine and other functions, out of a necessity to adapt medical care to social distancing protocols.
Many of these medical devices are now interconnected into the larger technological “ecosystem” in such a way that vulnerabilities in one device can put entire networks at risk. The risk to the whole ecosystem exists because each connected device creates a “potential gateway to access” for cyber criminals seeking to gain access to hospital systems and other connected devices. This expanded (and ever expanding) technological ecosystem makes systemic attacks like ransomware all the more feasible, thus multiplying the risk not just to one patient but to ALL the patients at a medical facility.
While there has been a massive push to integrate technology into healthcare in order to achieve better patient outcomes in the last two decades, the push to adopt technology to promote cybersecurity has been slower to develop. New America’s Do No Harm 2.0 Cybersecurity Initiative described “an underlying culture of ‘no’ that has emerged around healthcare cybersecurity technology, which stands in contrast with the often-eager adoption of new technologies that promise to directly improve clinical outcomes.”
Many organizations have rushed to integrate technology into almost every aspect of patient care, in many cases at the cost of neglecting the security of these devices and systems.
In 2018, only about five percent of the already limited IT budgets at hospitals were spent on cybersecurity. As an industry, healthcare lags behind banking and financial services, retail, and the wholesale industry in security spending. This is true despite the significant regulatory requirements and the fact that the vast majority of healthcare organizations continue to be the victims of successful cyberattacks year after year. Furthermore, in a 2019 survey, 80% of leaders in the healthcare field indicated that insufficient resources were allocated to cybersecurity at their respective companies, while budgets continue to fail to keep pace with the threat actors. As previous posts have demonstrated generically, the cybersecurity problem is not simply an operational technological issue but must be understood and addressed as a systemic and economic issue as well.