Health industry plays catch-up on cybersecurity


The healthcare industry is under increasing threats from cyberattacks and intrusions as medical providers go digital.

Hospitals and other medical businesses have worked to adopt modern information technology, including electronic health records. But at the same time, they are falling behind in the cybersecurity needed to protect confidential patient data and networks.

All eyes are on an upcoming report from a Department of Health and Human Services (HHS) task force established under the Obama administration that will detail the industry’s cybersecurity shortfalls.

“We have very few specific challenges to healthcare, but a lot of the smaller individual challenges that other sectors face, we have all of them,” Josh Corman, head of the Atlantic Council’s Cyber Statecraft Initiative and a member of the task force, told The Hill.

“It’s the confluence of lots of little challenges that are particularly difficult in healthcare.”

Cybersecurity threats facing healthcare enterprises are wide in scope.

Intruders can bring down computer networks, affecting patient care; hack into records and steal sensitive patient data; or breach and alter patient records, compromising their integrity.

The federal government has also taken notice.

Officials raised the alarm over the healthcare industry's vulnerability to ransomware attacks in the wake of an incident at the Hollywood Presbyterian Medical Center in Southern California last February.

In that incident, attackers encrypted the hospital's computer systems and held them hostage until the hospital paid a ransom of about $17,000.

“Healthcare enterprises face all the same challenges that the rest of us do, but a recent plague is one for them to focus on, and that is the ransomware plague,” FBI Director James Comey said at a Boston cybersecurity conference on Wednesday. “[Hackers] suddenly see the healthcare sector as a piggy bank.”

Hackers have increasingly targeted patient records containing Social Security numbers and other sensitive information, in some cases selling them on the dark web.

HHS catalogues breaches of unsecured health records affecting 500 or more people. There have been 50 such breaches since the start of 2017, affecting over 424,000 individuals, according to a review of the public records by The Hill.

Last year, the department reported 329 such breaches, a marked increase over the 280 reported in 2015.

The HHS cybersecurity task force uncovered a number of hurdles facing the healthcare industry, including a substantial shortage of technology security talent, Corman said. The task force found that three-fourths of healthcare providers in the country — largely those of medium and small size, and in rural areas — do not have a single security person on staff.

Healthcare organizations also rely heavily on older and often unsupported operating systems, including Windows XP, which has not received security patches from Microsoft since April 2014, to run clinical and business systems.

“The use of insecure, indefensible and unpatchable systems on top of the fact that they’re connected to way too many other things without proper segmentation and isolation, and that there’s no one there to secure them even if they could — they come together in a really dangerous way,” Corman said.

Those vulnerabilities are compounded as healthcare providers find themselves increasingly connected to the internet and each other.
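The combination Corman describes, unpatchable systems that are reachable from far more of the network than they need to be, is something a hospital security team can check for directly against an asset inventory and its segmentation rules. The following is an added example, not code from the article or from the HHS task force; the hosts, the permitted segment-to-segment flows and the segment names are constructed for illustration, while the end-of-support dates are Microsoft's public lifecycle dates. It flags every host running an unsupported OS that either can be reached from another segment or can itself reach the internet.

```python
from collections import deque
from datetime import date

# Constructed sample inventory (hypothetical hosts, not from the article).
INVENTORY = [
    {"host": "infusion-pump-01", "os": "Windows XP", "segment": "clinical"},
    {"host": "mri-console-02", "os": "Windows 7", "segment": "imaging"},
    {"host": "ehr-app-03", "os": "Windows Server 2016", "segment": "datacenter"},
    {"host": "nurse-ws-04", "os": "Windows 10", "segment": "users"},
    {"host": "lab-analyzer-05", "os": "Windows XP", "segment": "users"},
]

# Vendor end-of-extended-support dates (public Microsoft lifecycle dates).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2016": date(2027, 1, 12),
}

# Hypothetical permitted segment-to-segment flows, (source, destination).
# Anything not listed is assumed to be blocked by the segmentation firewall.
ALLOWED_FLOWS = {
    ("users", "datacenter"),
    ("users", "internet"),
    ("users", "imaging"),
    ("users", "clinical"),
    ("imaging", "datacenter"),
    ("datacenter", "internet"),
}


def is_unsupported(os_name, today):
    """True if the OS family (matched by longest prefix) is past end of support."""
    matches = [family for family in END_OF_SUPPORT if os_name.startswith(family)]
    if not matches:
        return False  # unknown OS: do not guess; treat as supported here
    family = max(matches, key=len)
    return END_OF_SUPPORT[family] < today


def reachable(start, flows, reverse=False):
    """Segments transitively reachable from `start` over the allowed flows.

    With reverse=True, returns the segments that can reach `start` instead.
    """
    edges = {}
    for src, dst in flows:
        a, b = (dst, src) if reverse else (src, dst)
        edges.setdefault(a, set()).add(b)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def find_exposed_legacy(inventory, flows, today):
    """Unsupported hosts that other segments can reach, or that can reach the internet."""
    findings = []
    for dev in inventory:
        if not is_unsupported(dev["os"], today):
            continue
        reached_by = reachable(dev["segment"], flows, reverse=True)
        reaches = reachable(dev["segment"], flows)
        if reached_by or "internet" in reaches:
            findings.append({
                "host": dev["host"],
                "os": dev["os"],
                "segment": dev["segment"],
                "reached_by": sorted(reached_by),
                "reaches": sorted(reaches),
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_legacy(INVENTORY, ALLOWED_FLOWS, date.today()):
        print(f"{f['host']} ({f['os']}, segment {f['segment']}): "
              f"reached by {f['reached_by'] or 'no other segment'}, "
              f"reaches {f['reaches'] or 'nothing'}")
```

Reachability is computed transitively, so a medical device on the "clinical" segment is reported as exposed even when the only path to it runs through an intermediate segment. The check deliberately treats an OS it does not recognise as supported rather than guessing; in practice the inventory's OS strings should be normalised before this runs.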

Recent research by cybersecurity firm Trend Micro showed how attackers could use a healthcare enterprise's unsecured, internet-exposed devices as a foothold from which to compromise the rest of its network.

The federal government incentivizes healthcare providers to adopt certified electronic health record technology and also imposes penalties on providers that expose patients' sensitive medical information.

Still, Corman said, such incentives for the adoption and “meaningful use” of health information technology have had the unintended effect of pushing hospitals to move from paper to electronic records too quickly.

“You took tens of thousands of devices that were never threat-modeled, designed, implemented to be connected to anything, and you forced them to be connected to everything,” Corman said.

The HHS task force was established under the Cybersecurity Information Sharing Act of 2015, legislation intended to improve cybersecurity through information sharing.

The release of the task force’s findings and recommendations is imminent. The group was convened last April and given a year to complete its report.

Cyber experts and the health industry are awaiting the report, which will only increase scrutiny of healthcare providers' security practices.

But Corman cautions that changes will take time.

“These are wicked problems, and there will not be a simple fix,” he said.