Last week's international WannaCry ransomware attack exposed what many in the healthcare industry already know but seldom discuss publicly: Hospitals are highly vulnerable to cyberattacks.
While it had little impact in the U.S., the attack froze computers at many hospitals in the United Kingdom, forcing some to suspend services or turn patients away. The HHS said it had evidence the attack occurred in the U.S. but did not provide any details. Forbes recently reported the hack hit a piece of radiology equipment in a U.S. hospital, but there was no reason to suspect it compromised patient safety.
While it may take time to assess the total impact of the WannaCry attack that struck at least 112 countries, U.S. hospitals should take heed of the new style of ransomware attack and begin incorporating patch management into their routines.
"We are facing security challenges on a level that we have never experienced before," Dr. Robecca Quammen, CEO at healthcare consultancy MyConsultQ, recently told Healthcare Dive. "A word to the wise is start investing in intrusion testing and rapid remediation of all issues detected in the testing now. This is no longer an exercise to meet regulatory (HIPAA Risk Assessment) requirements; it is your first defense against an attack that should be considered imminent."
Here are four of the biggest takeaways from the cyberattack:
1. Patch, update and backup — right now
One of the largest lessons for healthcare stakeholders is to keep patch management up to date, David Finn, health IT officer for security software company Symantec, said, adding machines should be tiered and critical systems may need more timely patches — potentially within 30 days.
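As an added example (not code from the article or from any organization quoted in it), the script below checks a constructed asset inventory against tiered patch deadlines, using the 30-day target for critical systems that Finn mentions; the other tier values, host names and dates are assumptions made for the example.

```python
from datetime import date, timedelta

# Tier-to-deadline mapping in days. The 30-day figure for critical systems is
# the one cited in the article; the other two tiers are assumptions.
PATCH_SLA_DAYS = {"critical": 30, "important": 60, "standard": 90}

# Constructed inventory: hostname, tier, the date the vendor released the
# patch, and the date it was applied (None if still unpatched).
INVENTORY = [
    {"host": "pacs-01", "tier": "critical",
     "patch_released": date(2017, 3, 1), "patched": None},
    {"host": "ehr-db-01", "tier": "critical",
     "patch_released": date(2017, 3, 1), "patched": date(2017, 4, 2)},
    {"host": "hr-fileserver", "tier": "standard",
     "patch_released": date(2017, 3, 1), "patched": None},
    {"host": "lab-ws-17", "tier": "important",
     "patch_released": date(2017, 3, 1), "patched": None},
]


def deadline(asset):
    """Date by which this asset's tier requires the patch to be applied."""
    return asset["patch_released"] + timedelta(days=PATCH_SLA_DAYS[asset["tier"]])


def sla_met(asset):
    """True only if the asset was patched on or before its tier deadline."""
    return asset["patched"] is not None and asset["patched"] <= deadline(asset)


def overdue_assets(inventory, today):
    """Return (host, days_overdue) for unpatched assets past their deadline,
    most overdue first, so the remediation queue is ordered by tier urgency."""
    result = []
    for asset in inventory:
        if asset["patched"] is not None:
            continue
        due = deadline(asset)
        if today > due:
            result.append((asset["host"], (today - due).days))
    return sorted(result, key=lambda row: -row[1])


if __name__ == "__main__":
    for host, days in overdue_assets(INVENTORY, date(2017, 5, 15)):
        print(f"{host}: {days} days past patch deadline")
```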
Data backups are also critical, and the momentum for maintaining them should come from top executives, Kurt Osburn, health IT security expert at managed security firm ControlScan, told Healthcare Dive in an email.
“Most of the organizations I’ve assessed have had backups, but many do not regularly test to see if their backups can be restored,” he said. “Having restorable backups can mean the difference between significant business disruption and a simple restore.”
What's best, of course, is preventing attacks from ever getting into the system in the first place.
"Although hospitals can’t insulate themselves 100% against cyberattacks, user education and an updated infrastructure are key in keeping systems up and running, and patients safe," David Ting, co-founder and CTO at IT security company Imprivata, told Healthcare Dive.
The event has already prompted some facilities to rethink and alter operations. Randy Myers, CIO at Rehoboth McKinley Christian Health Care Services (RMCHCS), told Healthcare Dive the provider has been working to create "a hard shell" around its network to protect its internal systems. For one, the provider is restricting and reducing access to its systems from remote workers such as builders and coders. RMCHCS is also educating users to not accept external attachments and not to click on suspicious emails.
HHS this week released the third update to its healthcare cybersecurity guidelines. “International Cyber Threat to Healthcare Organizations” includes information for health systems that want to receive healthcare intelligence from a nonprofit group affiliated with the FBI and again suggests organizations “request a scan to assess operational and business networks for external vulnerabilities and configuration errors.”
Antivirus software alone isn’t enough and organizations need next-gen solutions to “provide detection and response capabilities for the incremental protection that is now needed,” Osburn wrote in a recent blog post.
“The fact is, malware has advanced to become more complex and automated, while the malware protection most businesses have come to rely on has not kept pace,” he wrote. “These traditional, signature-based antivirus technologies are simply unable to identify the kinds of threats that are making the rounds today.”
Since keeping patch management up to date has been the main messaging following the WannaCry event, Quammen offers some next steps and precautions healthcare providers should consider:
- Be prepared to launch an incident response even if your organization has not had a specific instance;
- During an event, listen to facts from credible sources;
- Have a communication plan to alert the organization to certain actions — i.e., don’t open emails, don’t engage tech support to provide access that may have been denied for security reasons, and take caution when dealing with technology for the duration of the event;
- Understand that there will be “copycat” activity to follow this event; and
- Conduct a post mortem to review the facts/activities in your organization and formulate a plan to continue activity (the tendency will be to breathe a sigh of relief if not impacted and then move on to normal operations).
2. It can take a culture change — and that starts at the top
Cybersecurity has traditionally been low on hospital executives' totem pole of priorities. It isn't an intentional slight; no one in the provider community actively wants to leak patient data. However, tight operating margins and old technology (which can cost big bucks to upgrade) create an unfortunate breeding ground for cyberattacks, as health data are some of the most sensitive data for patients — and the most lucrative for hackers.
A key aspect of improving cybersecurity is getting the attention of the C-suite and persuading them to make it more of a priority. Robert Lord, co-founder and CEO of Baltimore-based cybersecurity firm Protenus, has seen a recent increase in spending on such efforts and believes cybersecurity will rise as more of a strategic priority for healthcare providers.
But making cybersecurity a strategic priority is only the first step. Empowering CIOs to have a bigger voice at the table, in addition to budgeting for such priorities, is the next layer that hospital administrators will need to tackle. Though such conversations can be tough, they are easier than any conversation after a cyberattack event.
Executives in particular will keep an eye on the bottom line when there are cybersecurity decisions to be made. There may be disagreements about how much an organization should spend in this area, but the focus should be less on the dollar figure and more on how much security it provides, Steve Weber, director of the Center for Long-Term Cybersecurity at University of California, Berkeley, told Healthcare Dive.
“I feel like there’s an awareness of the vulnerabilities but there isn’t a clean path to resolving those vulnerabilities because the costs of changing that stuff is so high,” Weber said.
However, the WannaCry attack should show hospital administrators that cybersecurity efforts take time but they are beneficial in the long run — especially in order to prevent having to make the decision whether to turn patients away from care because of a hacking incident.
"Healthcare is woefully under-protected with relation to cybersecurity and privacy protections," Lord told Healthcare Dive. "There's a systematic lack of investments and board level and C-suite support" in addition to a historical lack of cybersecurity preparation. While businesses can expect another ransomware attack, malware is ever-evolving.
3. The healthcare industry is new to using IT
Truth be told, most healthcare providers are new to the idea of a digital environment. Other industries have had a lot longer time to figure out how to keep their systems secure.
It wasn't that long ago the federal government enacted the Meaningful Use program that led providers — kicking and screaming — to adopt EHRs. In addition, technology rollouts such as EHR implementations are costly and can take a long time.
By the time the money is spent and the switch has been turned on, it could already be time to think about security upgrades, which involves personnel time and labor costs. It's no surprise the process sounds exhausting to any administrator who may want room to breathe after turning a health IT tool on before dealing with system maintenance.
Health systems also have to ensure they are complying with patient privacy requirements and laws like HIPAA. The law's strict regulations, which are meant to ensure patient data stays private, create roadblocks for organizations looking to outside software for more protection, Weber said.
“Some things that would be common sense in other parts of the economy are different because of privacy issues,” he said, adding interoperability is also key to a successful EHR but it only creates more vulnerabilities.
“This is basically a rule of security for the most part — when we make things more convenient we make them more risky,” he said.
4. Ransomware is not new, but this attack was more frightening
Ransomware attacks came to the surface in the healthcare world last year after Hollywood Presbyterian Medical Center and the Maryland-based MedStar hospital system were breached. Both were said to have spent days reverting to pen and paper while systems were locked down.
According to a 2016 analysis by Protenus, hacking of all varieties, including ransomware, accounted for 26.8% of all healthcare data breaches. Of the 120 hacking incidents studied, 30 involved ransomware, and another 10 involved other forms of extortion regarding accessed data. A more recent report from Protenus found the number of affected healthcare records from a breach skyrocketed in March compared to the year's earlier months.
About 1.5 million patient records were affected in March across 39 separate breach incidents. Of these events, 28% were attributed to hacking, though Protenus noted the lack of detail in HHS data makes it difficult to pinpoint the different varieties of hacking.
Cybersecurity experts are still assessing the global damage from WannaCry but there are some key elements of the attack that should be highlighted. The unprecedented global scale certainly makes the WannaCry attack frightening — especially considering the event breached not just into hospitals but a variety of businesses. But what also makes the attack unsettling is the malware acted differently from traditional ransomware attacks.
Ransomware can hijack a hospital system and demand a payment to return control of the system to the healthcare provider. Generally, these attacks have been executed via phishing emails. In WannaCry's case, the malware acted as a worm, spreading automatically from computer to computer through vulnerabilities in the systems themselves rather than relying on a user to open an attachment.
Finn of Symantec summed up another important takeaway. "The lesson for all of us is there will always be another attack," he said, adding that what the next attack will look like is always unknown. So it's important to keep systems current and to share information through informal networks or shared facilities to promote education and awareness of bad actors.