How cyberattacks can impact physicians

June 25, 2016

Data thieves are getting craftier with their methods, and they are actively targeting healthcare records.

To criminals, your practice’s most valuable asset isn’t a high-tech medical device or a pricey piece of diagnostic equipment. It’s your patient records.

Those records are the asset most vulnerable to theft, too. 

What does that mean for physicians? Plenty. In an increasingly interconnected industry, an attack on one could affect many. Every player in the system—from the largest hospital system down to rural solo practitioners—is facing a heightened risk.

“There could be a consequence upstream if there’s a breach. A breakage or disruption at one site can have that cascading effect,” says Lee Kim, JD, FHIMSS, director of privacy and security at the Healthcare Information and Management Systems Society, a nonprofit organization focused on improving healthcare through information technology.


Consider the findings from the Ponemon Institute, a public policy think tank. Its recent report, “The State of Cybersecurity in Healthcare Organizations in 2016,” found that the 535 healthcare organizations surveyed averaged almost one cyberattack per month over the past 12 months. Moreover, 48% of the IT and IT security practitioners polled said that their organizations experienced an incident involving the loss or exposure of patient information during this same 12 months.

Perhaps more telling is how respondents, who come from various healthcare organizations and government agencies, feel about their ability to protect and respond: Just one-third said they’d rate the cybersecurity at their organization as very effective.

A more chilling observation comes from the Institute for Critical Infrastructure Technology and its report, Hacking Healthcare IT in 2016. It pegged the industry as the most targeted, yet least prepared for, cybersecurity threats.

The impact of the healthcare industry’s cybersecurity stance is significant: According to the Office of Civil Rights (OCR), 2015 saw 253 healthcare data breaches affecting 500 or more individuals. Together, those breaches affected more than 112 million records. Meanwhile, the Bitglass 2016 Healthcare Breach Report has found that one in three Americans have been victims of healthcare data breaches.


Tom Stafford, PMP, vice president and CIO of Halifax Health, a hospital system headquartered in Port Orange, Florida, says the recent rash of cyberattacks against healthcare institutions is prompting executives—board members, upper management, IT leaders and cybersecurity experts—to put even more attention on security measures.


“It is amazing how much the waves of attacks have increased ... but we should have all seen this coming. There’s been enough discussions around cybersecurity in the past few years. So it was just a matter of time before hackers came after healthcare,” he says.

Show me the money

The cybersecurity threats impacting the healthcare sector aren’t much different than the ones affecting other industries. In nearly all cases, the cyber criminals are looking to make money, says Mark Ford, CISSP, principal at Deloitte & Touche LLP and Life Sciences & Health Care Cyber Risk Services leader with Deloitte Advisory.

The February attack on Hollywood Presbyterian Medical Center is a case in point. Hackers used malware to lock up the institution’s computers and then demanded 40 bitcoin, about $17,000, to free the system. (The hospital paid the ransom.)

Although ransom attacks are making news now, cybercriminals are much more likely to go after the data that computer systems hold—just as they do when attacking stores and financial institutions and other types of businesses, Ford and others say.

However, hackers attacking healthcare aren’t after credit card numbers; they’re looking for data-rich electronic health records (EHRs), security and healthcare experts say. “The reality is it’s profitable,” Peter B. Nichol, PMP, CSSMBB, a healthcare expert with PA Consulting Group, says of these attacks.


A former chief information officer and former head of IT for Connecticut’s Health Insurance Exchange, Nichol says a credit card number sells for $2 on the black market while a health record goes for $20 or more.

Credit card numbers, and other financial data such as bank account numbers, have short shelf lives on the black market. EHRs, by contrast, contain multiple types of data that can be used fraudulently and are difficult, if not impossible, to change. A typical health record has a patient’s name, address, age, employer, Social Security number and spouse’s information—all of which can be used for identity theft.

A typical record also includes health insurance information as well as prescription drug data, which thieves can use to seek medical care at the expense of someone else and/or obtain drugs that they can either use themselves or sell on the black market.

“Banks have such great analytics and they can spot an erroneous transaction and can in seconds notify you and shut down a stolen credit card number. And [hackers] know the bank can turn one off right away, which is the exact opposite of medical information,” says Ryan Witt, who, as vice president and managing director of Healthcare Industry Practice at Fortinet, is working with the nonprofit organization WEDI to develop cybersecurity material for healthcare.


Connections heighten risks

One of the challenges of this increasingly networked world is enabling necessary connections while blocking the unauthorized or dangerous ones. “It’s a balance between how much you protect yourself vs. how much you’re obstructing a team member,” Stafford says.

Healthcare IT and cybersecurity experts say the sophistication of attacks has been increasing and that most cybercriminals aim to stay undetected for as long as possible, giving them more time to find as much data to exploit as they can.


Hackers do that by finding weak spots in computer systems. An office administrator could fall for an email phishing scheme. A doctor could unwittingly download a malicious app. A researcher could lose a laptop with weak password and encryption protection. Hackers working in a waiting room could get in via an unsecured Wi-Fi connection, or they could drop USB flash drives near workstations to trick employees into thinking they’re authorized for use when in fact they contain malware.

And once into a practice’s system, cybercriminals may be able to go far, using it as a gateway into the vendors and partners connected to the computer system that was first hacked. “It’s a real concern and not farfetched at all, this machine-to-machine type of attack,” Witt says.

Cost and consequences

The consequences of a data breach range from costly to catastrophic. In its 2015 Cost of Data Breach Study: Global Analysis, the Ponemon Institute put the average cost of a healthcare breach in the United States at $398 per exposed personally identifiable record. (That’s significantly higher than the $217 average per exposed record across various industry sectors.) The investigation, remediation, notification, credit monitoring and other possible costs, such as fines and legal bills, add up quickly.

“The implications to a practice are very, very significant,” says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC). “When you look at stakeholder level of trust, what patients think of doctors, if their information is compromised, the patients will go somewhere else, regardless if the patient has a long-standing relationship with that doctor. The practice would have to report [the breach] to Office of Civil Rights, which can fine the practice. And it will be in the newspapers. A practice could easily go out of business.”

Others see even more serious consequences, with breaches crippling an organization’s ability to provide care. Ford, for example, says a hacker could launch an attack like the one that hit Hollywood Presbyterian Medical Center.


“That’s really scary because that changes the game a bit. People’s lives can be at stake if you lock up a system like that,” he says, adding that some have voiced concerns that terrorists looking to inflict harm could carry out similar types of attacks aimed at disrupting the nation’s ability to provide critical healthcare.

Think that’s far-fetched? Consider the 2014 cyberattacks on Boston Children’s Hospital that disrupted patient and hospital personnel access to certain files. The attack was allegedly carried out by the infamous computer hacker network known as Anonymous over a highly publicized 2013 case in which hospital officials accused the parents of a sick teenager of medical child abuse.

Protect yourself

Many IT professionals are hesitant to talk about the cybersecurity measures they have in place or the challenges they face. As one security consultant explains: If they say they’re doing well, it’s like issuing a challenge to would-be hackers. If they say they need work, it’s like painting a target on their systems.

Still, there’s widespread agreement that the healthcare industry needs to strengthen its security measures.

“To be resilient, you need to plan and think about your controls and structure and be able to adapt quickly,” Ford says. He adds that organizations must start by understanding what data they have, what they’re connected to, what protections they have and what risks they face as well as what would happen if an attack occurred.

“You have to go through some comprehensive analysis to understand what your risks are and whether you have the proper structures in place to respond,” he says.

In addition to employing standard best practices such as regular cybersecurity training for staff, Barrett says he recommends that organizations hire an outsider to review and test their security strategies as well as earn an industry accreditation or certification that shows they meet cybersecurity standards.

Stafford notes that among the best practices in cybersecurity is to require anyone connecting to your network—vendors, suppliers, insurers, medical partners—to prove that they, too, have appropriate cybersecurity measures in place.

“You have to do the due diligence, so whomever you’re working with you know they’re doing cybersecurity audits and risk assessments, too,” he says.

Barrett, Ford and other cybersecurity experts concur, saying every organization should have in its agreements with other entities—medical facilities, vendors, insurers, etc.—provisions that specify the minimum cybersecurity measures those entities must have in place.

“The industry is putting the onus on those who have data to do their due diligence and make sure their systems are secure,” Ford says.