After years of steadily increasing cyber threats that have produced record volumes of compromised protected health information (PHI), financially extorted health organizations, and publicly disrupted hospital operations, cybersecurity is now one of the chief concerns of healthcare executives.
According to Karthik Swarnam, AT&T Vice President of Security Architecture, “Cyber crime damages are expected to rise to $6 trillion annually by 2021. This represents the greatest transfer of economic wealth in history and risks the incentives for innovation and investment.” Healthcare executives must begin viewing their exposure to cyber-attack as the greatest threat to their reputation, patient trust, and ultimately their bottom line. Simply funding prevention is not enough; understanding the threats you face is paramount to protecting your organization.
Long gone are the days of the solo hacker seeking notoriety. Today’s threat groups are coordinated, collaborative, and highly organized, working around the clock to breach everything from private email accounts to patient databases. The cyber crime industry’s revenue is reported to have surpassed that of the illegal drug trade. Collaborating anonymously in underground chat rooms and dark web portals, cyber crime organizations are very hard to infiltrate and almost impossible to bring to justice.
Cyber criminals target medical organizations with a variety of techniques, including custom malware, e-mail phishing, SQL injection, cross-site scripting (XSS), distributed denial of service (DDoS), and others. Over the past several years, ransomware, phishing, and medical device hijacks have played the most prominent roles in successful intrusions.
Ransomware is malware that prevents or limits users from accessing their systems, typically by encrypting the user's data (or locking the screen) until a monetary ransom is paid. Paying does not guarantee a working decryption key, so tested, offline backups remain the primary recovery control. In 2016, the healthcare industry was the victim of 88% of all ransomware attacks in the U.S., and over 1,000 new ransomware variants appear every day.
Phishing scams are fraudulent email messages that appear to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., a password, credit card number, or other account details). Telltale signs include a sender domain that only resembles the real one, a Reply-To address that differs from the apparent sender, and links whose visible text does not match the destination they actually point to.
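As an added example that is not part of the original article, the following Python script checks a raw email for the indicators just described: a look-alike sender domain, a display name that borrows a trusted brand, a Reply-To that diverges from the sender, and links whose visible text names a different host than the href. The trusted-domain allowlist, the confusable-character table and the two sample messages are all constructed for illustration.

```python
"""Flag common phishing indicators in a raw email (added example; not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains the organisation and its partners legitimately send from.
TRUSTED_DOMAINS = {"examplehealth.org", "examplebank.com"}

# Substitutions attackers use to build look-alike domains (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Matches anchor text that presents itself as a URL or hostname.
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def normalize(host):
    """Undo common look-alike substitutions: 'examp1ehealth.org' -> 'examplehealth.org'."""
    host = host.lower()
    for bad, good in CONFUSABLES:
        host = host.replace(bad, good)
    return host


def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_trusted(host):
    """True when a host is NOT trusted as written but becomes trusted once normalised."""
    return bool(host) and not is_trusted(host) and is_trusted(normalize(host))


def host_of(text):
    """Host part of a URL, or of bare 'host/path' text; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    # Sender domain is a look-alike of a trusted one (digit 1 for letter l, etc.).
    if looks_like_trusted(from_domain):
        findings.append("lookalike_sender_domain")
    # Display name borrows a trusted brand while the address is from elsewhere.
    brand_blob = re.sub(r"[^a-z0-9]", "", display_name.lower())
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if not is_trusted(from_domain) and any(b in brand_blob for b in brands):
        findings.append("display_name_impersonation")
    # Replies are routed to a domain other than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")

    # Links: visible text names one host but the href goes to another, or a look-alike host.
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if URLISH.match(text) and host_of(text) != host_of(href):
            findings.append("link_text_host_mismatch")
        if looks_like_trusted(host_of(href)):
            findings.append("lookalike_link_host")
    return findings


# Constructed sample messages (no real senders, hosts or people).
SAMPLE_PHISH = """From: "Example Health IT Support" <it-support@examp1ehealth.org>
Reply-To: helpdesk@mail-reset-portal.example.net
To: nurse@examplehealth.org
Subject: Your password expires today
Content-Type: text/html

<html><body><p>Sign in now to keep access to the EHR:</p>
<p><a href="http://portal.examp1ehealth.org/reset">https://portal.examplehealth.org/reset</a></p>
</body></html>
"""

SAMPLE_LEGIT = """From: "IT Support" <it-support@examplehealth.org>
To: nurse@examplehealth.org
Subject: Scheduled maintenance
Content-Type: text/html

<html><body><p>The portal will be down Sunday 02:00-04:00. See the
<a href="https://portal.examplehealth.org/status">status page</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample))
```

Each indicator on its own is weak (a legitimate newsletter may well use a separate Reply-To), which is why the script reports the full list rather than a single verdict; a mail gateway rule would normally quarantine on two or more of them together, with the look-alike domain check weighted highest.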
Medical device hijacks. The very medical devices that provide lifesaving treatment are now being targeted by hackers for profit. Attackers place malware within the medical network, and it propagates to the connected devices. Once inside a medical device, the attacker finds a safe harbor: such devices usually cannot run endpoint security agents and are patched infrequently, so a backdoor and its command-and-control (C2) channel can persist unnoticed. Given this access, the attacker is free to hunt for targeted resources such as patient data, or to take over the device and change its settings, turn it off, and so on. Because the device itself cannot be monitored from the inside, network telemetry from the device VLAN is usually the only place the hijack shows up, typically as regular outbound connections to an address the device has no clinical reason to contact.
The motive is, simply put, financial gain. The average value of a stolen healthcare record is $355, more than twice the average for a credit card record. Additionally, medical identity fraud takes more than twice as long to detect as ordinary identity theft. This is due to the nonperishable nature of PHI: unlike a credit card number, a diagnosis, date of birth or Social Security number cannot be changed or replaced. Cyber criminals sell and trade this information among themselves to assemble a complete profile of the victim.
For patients who have received a breach notification, the likelihood of becoming a victim of fraud is one in four. Because of the amount of sensitive information contained in a single healthcare record, hackers have a multitude of opportunities to financially exploit their victims. We’ve seen hackers use stolen usernames and passwords to access various online accounts and even bill the victim for health services that were never rendered. For hospitals, the financial extortion can cost thousands, even millions, of dollars, and have reputational repercussions.
With MACRA in full effect and its many measures promoting data interoperability, the healthcare industry is more exposed than ever: every new interface that shares patient data is also a new path for an attacker. As we rapidly move toward a technologically connected healthcare environment, today’s opportunistic hackers will continue to evolve and exploit the expanded data flows these regulations require. Healthcare organizations must adopt a culture of security, which begins with recognizing and understanding the current cyber threat landscape. Successful organizations will be defined not by whether they have been the victim of a cyber-attack, but by how well they detect and respond to such attacks.