The cyberattacks that we've seen in the healthcare sector over the past year are starting to rewrite the rules of the security game for healthcare-related businesses in a way we really haven't seen before.
It was evident from speakers and attendees of a cybersecurity symposium I attended during the Healthcare Information and Management Systems Society 2016 conference in Las Vegas on Feb. 29 that the string of recent attacks on healthcare sector entities is waking up an industry that has largely been asleep at the wheel when it comes to awareness of the evolving and potentially dangerous cyber threats facing their organizations.
It was bad enough that attacks last year on several health plans, including Anthem Inc., Premera Blue Cross and Excellus BlueCross BlueShield, resulted in breaches affecting nearly 100 million individuals. Eye popping indeed.
But it seems to me that many of the 200-plus attendees at the packed HIMSS 2016 Conference cybersecurity symposium are most rattled by recent ransomware attacks on some small and mid-sized hospitals, including Hollywood Presbyterian Medical Center, which in February acknowledged that it paid extortionists $17,000 to unlock encrypted patient data.
That's because the health plans that were targeted in those mega-breaches last year were major insurers holding enormous amounts of data. Even after those breaches, many hospitals and healthcare providers were still in denial that they too could ever fall onto the radar screens of cyberattackers. But the ransomware case involving Hollywood Presbyterian was too close to home - literally - for other healthcare providers that are now suddenly fearing a similar fate.
One attendee, who asked to remain unidentified, told me that the attack on Hollywood Presbyterian was the main reason she decided at the last minute to attend the cybersecurity symposium. The Hollywood hospital is located not too far from her own healthcare organization - and the thought of data being locked up by cyberterrorists and unavailable to clinicians for patient care decisions was particularly frightening.
Different Breed of Breaches
No longer are hospital CISOs - and those at other healthcare sector entities, including cyber insurers - mostly worried about breaches involving clinicians losing unencrypted laptops containing thousands of patient's protected health information. Healthcare sector organizations are clearly getting spooked by these other recent attacks they're hearing about.
"Cyberattacks like we've been seeing [on healthcare sector entities] are entirely different from the privacy breaches we've seen in the past," attorney and cyber insurance expert Kimberly Holmes, vice president of product development at OneBeacon Insurance Group, told attendees.
This new breed of massive breaches involving hackers attacking the databases and network systems of healthcare sector organizations "will dramatically change" how cyber insurers issue coverage, she predicts. "There's a lack of actuary data [for these kinds of breaches in the healthcare sector]; that's why these policies are so difficult," she said.
Dan McWhorter, vice president of threat intelligence at FireEye, and a speaker at the cybersecurity symposium, painted a bleak picture of what the healthcare sector is up against:
- Nation-state attacks: So far, larger institutions - health plans, pharmaceutical firms, research centers - seem to be the target of hackers in China, Russia and various countries in Eastern Europe. China at this point does not seem too motivated to sell protected health information on the Dark Web, but rather could be collecting data for intelligence-building and potential espionage. Also, Chinese hackers could be behind attacks involving theft of intellectual property from medical technology companies in an attempt to play catch-up in healthcare, he says. "China is under pressure to improve healthcare," McWhorter says of China's growing population and increasing demands of better healthcare. But that's really bad news for smaller U.S. medical technology startups. "Losing a little information could be losing it all," he says.
- Ransomware attacks: These attacks, including those that are carried out by bots and often target no one in particular, but leave everyone vulnerable, will likely increase, he predicts. "These guys are opportunists," he says. However, healthcare entities also need to be particularly wary of more sophisticated ransomware attackers who destroy backups of databases, then encrypt and lock up main databases, he warns.
- Attacks and breaches involving smart phones: These attacks, as well as those against medical devices and the Internet of Things - are coming to healthcare entities, too, he says. "New cell phones have all these new features ... with no security," he says. And these new apps and devices are being used without any kind of security scrutiny by patients, staff and third parties of healthcare entities, he contends.
McWhorter's message to healthcare organizations is that it's a scary world, and it's only getting scarier. And so healthcare CISOs and their teams need to be ready "to fight the tough fight."
How is your organization upping its cybersecurity game in the face of these evolving threats? Let us know in the comment space below.