Why healthcare data is a dangerous target

December 18, 2018

As healthcare providers make required moves toward electronic health record (EHR) keeping, the very private information they hold is more and more tempting as a target for cybercriminals. At the same time, cyberincidents such as ransomware attacks that cause system lockups in healthcare facilities and health equipment manufacturers can have dire consequences to the people who require their products and services to survive.

As of January 1, 2018, the United States alone has seen more than 110 hacking or IT-related healthcare organization incidents that affected 500 or more individuals.

To gain insight into the unique issues healthcare industries face in securing valuable and sensitive personal data, we commissioned a survey of 1,758 healthcare organization employees based in the United States and Canada. our aim was, and is, to create a dialog among businesses and IT staff in healthcare about the current state of employee awareness of cybersecurity among their employees, with a goal of suggesting useful proactive steps.

Repeat ransomware

Our findings were disquieting, with more than three-quarters of the employees who were aware of a ransomware cybersecurity attack on their organization reporting that they’d experienced up to five attacks. Malware attacks such as ransomware attacks can cost enterprises an average of $1.24 million and SMBs $123K apiece — not to mention, devastate their reputations. It should go without saying that repeat incursions do not reflect well on the victim organizations.

Healthcare systems have extra regulatory wrinkles, as well. Whether their focus on regulations or some sense of false security has held them back, these organizations have some catching up to do in the area of cybersecurity. Some key points gleaned from our research:

  • Responses varied wildly to a hypothetical scenario in which employees received an e-mail request for a patient’s protected personal health information. Nearly three-quarters (73%) said they would report such a request to their IT department, but that leaves a significant number unsure or cooperating with third-party requests.
  • Nearly three-quarters of respondents (71%) said they do care about having cybersecurity measures in place at their organization to protect patients.
  • However, only 14% of respondents thought their organization had enough cybersecurity protection for connected medical devices.
  • One in ten respondents (11%) said they needed better protection for employees to safely work remotely.

Although mere awareness of a problem may seem trivial, in the case of medical data, which is both legally protected and valuable, outside requests for data take on great importance. Requests may be legitimate, or they could help cybercriminals gain entry to your system Think it couldn’t happen to you? Our survey data indicated that 20% of Canadian respondents had responded, or had a coworker who’d responded, to an external request for patient information.

Downtime

The healthcare issue is broadly twofold. Patient data is valuable — extremely important to protect. Then, there’s service. If a healthcare organization becomes unable to function, for example because of a ransomware attack, then it may become unable to provide vital services.

Such was the case with the WannaCry ransomware epidemic. Though more than a year old, WannaCry continues to cause trouble. It initially made headlines in 2017 for knocking out 200,000 computers, including in healthcare facilities and medical equipment manufacturers, in 150 countries.

Just recently, East Ohio Regional Hospital and Ohio Valley Medical Center both had to close part of their operations and turn to paper charts following a ransomware attack that took down their systems. Ransomware is a thorny problem: It exploits the human factor to gain a sophisticated foothold in computer systems. Some ransomware locking or encryption has been solved, but to date, the only reliable strategy overall is to avoid infection by using rigorous staff training and up-to-date cybersecurity protection.