Despite growing awareness and ramped up security efforts, the healthcare industry continues to be a prime target for breaches. That’s not surprising given the value of healthcare data, experts say. Healthcare records, which can include names, birth dates, diagnosis codes, insurance information and other data, can be worth hundreds of dollars each.
In 2017, there were 477 healthcare breaches affecting 6 million patient records reported to the U.S. Department of Health and Human Services.
Data breaches also have an outsized financial impact on healthcare organizations. In 2017, the average cost of a data breach per lost or stolen record was $380 for a healthcare organization, compared with $119 for media companies and $245 for financial services organizations.
To find out more about emerging cybersecurity threats and how healthcare organizations can defend themselves, I spoke with David Finn, Executive Vice President of Strategic Innovation at CynergisTek, a top-ranked healthcare IT information security and privacy consulting firm. David has three decades of health IT experience, including as the Vice President and CIO of Texas Children’s Hospital.
Maureen: David, What are some of the cybersecurity threats that you’ve seen emerge recently?
David: We continue to see a lot of ransomware attacks hitting healthcare organizations, as well as denial of service attacks and other types of threats. These attacks sometimes wane and then increase in frequency, but they do not go away.
The biggest one we’re currently seeing is dubbed Orangeworm, which is actually the name that’s been given to the group behind the attacks. Orangeworm has targeted several industries, including manufacturing, but healthcare seems to be its biggest target. Their approach is to use a Trojan back door to access a computer or device, collect information and assess whether the user is high-value target. If it is, the hackers can create a back door to infect other users.
In 2017, we also saw the first attacks on biomedical devices as a target, not just because they got in the way.
Maureen: Why do attackers like Orangeworm focus on healthcare organizations?
David: Unfortunately, people attack healthcare because it is often easy to attack. It’s not well-protected or well-defended and healthcare as an industry has not invested adequately in people or dollars to prevent these kinds of attacks.
Some providers and business associates have done a really great job, but we are on a continuum and you’re only as strong as your weakest link. You might have a health system with great security practices, but the moment they connect to a network doctor or a vendor that doesn’t have those protections in places, they’re vulnerable.
Maureen: With those vulnerabilities in mind, what are some of the specific steps healthcare organizations can take to protect themselves from cybersecurity threats?
David: As much as possible, every connection has to be looked at separately. We need basic good cyber hygiene, including good passwords. We still see people not using passwords on some systems, including on mobile phones. We also see a lot of remote access without multifactor authentication. Multi-factor authentication used to be clunky and difficult, but now it’s much easier. Accounts with special privileges should always have multifactor authentication and so should any remote access. You also need to make sure antivirus programs are up-to-date and working. Basic, fundamental stuff goes a long way.
When we recently looked at all of the clients we had assessed over the previous year, physician practices had among the lowest ratings, especially in terms of response and recovery. A huge step in the right direction would be to have disaster response and recovery protocols in place for when computer systems go down—and regularly review and document those procedures. Outages can be caused by cybersecurity attacks, such as ransomware, so it’s critical to have backups and redundancies in place. You need to be prepared.