By Jacob Olcott, vice president of business development, BitSight Technologies
A new security trend has emerged in the healthcare sector: ransomware attacks. In recent weeks, three large hospitals have been infected with malware that demands money in order to decrypt sensitive data. Most recently, Kentucky-based Methodist Hospital had malware spread across their entire internal networks. The company resorted to shutting down all of its machines in order to scan each one for infections. As of this writing, they had not paid any ransom.
In February, a similar case took place at Hollywood Presbyterian Medical Center. The hospital had a portion of its computer network disabled and decided to pay a $17,000 ransom in order restore access. Allen Stefanek, the hospital’s CEO, said paying the ransom was the “quickest and most efficient way” to restore its systems.
With the scale of recent data breaches that have taken place, ransomware attacks are a great cause for concern. In the data breaches outlined below, healthcare organizations were compromised, exposing millions of medical and financial records. These breaches didn’t involve ransomware, but they represent the large degree of damage resulting from breaches in this industry. Given the sheer volume of data lost or compromised, it’s conceivable criminals could be asking for sums much larger than $17,000 in the near future.
The largest healthcare breach to date is Anthem. In late January 2015, the medical insurance provider notified 80 million individuals their personally identifiable information was compromised in a December 2014 cyberattack. They noted hackers may have accessed “names, dates of birth, social security numbers, healthcare ID numbers, home addresses, email addresses, and employment information, including income data,” and did not believe medical or credit card information was released. In response, Anthem set up a website where affected customers could learn about their credit monitoring services and identity theft repair.
Anthem has been notoriously secretive about their cybersecurity and has been accused of trying to avoid further embarrassment. Several months after their breach was brought to light, they refused a request for an audit, noting an audit would require them to disable their anti-virus software, causing IT outages.
In March 2015, Premera — a large medical insurance company — reported a hacker had accessed their network compromising the data of 11 million individuals. The company didn’t specify how the hacker accessed the information, but it did disclose they might have accessed “social security numbers, birthdays, emails, physical addresses, bank account information, clinical information, and detailed insurance claims” to both past and present customers, dating back to 2002. A Premera web page set up to release information about the breach disclosed the company learned of it in January 2015 but the original breach had taken place nine months earlier, in May 2014.
- Community Health Systems
In August 2014, Community Health Systems — which owns and operates over 200 hospitals across the U.S. — reported a massive cyberattack that compromised the records of over 4.5 million patients. According to InformationWeek, the information gathered, which included “patient names, addresses, birthdates, telephone numbers, and social security numbers,” was the result of an exploited SSL vulnerability, Heartbleed. Interestingly, cybersecurity analysts have speculated that this breach and the Anthem breach were linked.
Mitigating Cyber Risk In The Healthcare Sector
It’s worth noting there has been cause of alarm in healthcare dating back to 2014. While nobody foresaw ransomware becoming a common threat for healthcare organizations, there are signals the industry as a whole is susceptible to malware infections and machine compromise.
There’s nothing fundamentally different about how breaches happen in this industry. A cybersecurity incident takes place for one of three reasons:
- Because of someone on the outside — like a phishing scam where someone is sent an embedded piece of malicious code in an email.
- Through a trusted insider who chooses to exploit their privilege of data or intellectual property.
- Through an attack to your supply chain when someone can manipulate the hardware or software your company uses to gain access to an infrastructure or network.
Just because these attacks aren’t unique doesn’t mean they don’t hold unique consequences. In a recent USA Today article, Ann Patterson, the senior vice president and program director for the Medical Identity Fraud Alliance, explained why these types of breaches could be far worse than credit card breaches, saying, “You really can't change your birth date. So when that kind of [personally identifiable] information is out there, the type of fraud that is perpetrated in the healthcare sense involves your well-being, your life.”
The recent ransomware attacks on hospitals serve as reminder healthcare needs to invest heavily in cybersecurity. In addition to exposing medical records, organizations that experience data breaches now face the possibility of significant financial and operational loss — whether they decide to pay ransoms or not. Allocating greater resources towards security in order to reduce the likelihood of a breach is an obvious first step.
About The Author
Jacob Olcott is vice president of business development for BitSight Technologies. He previously served as legal adviser to the Senate Commerce Committee and as counsel to the House of Representatives Homeland Security Committee.