“I was quite shocked. I felt like the carpet was pulled out from under me, and I was left without the tools necessary to move forward.”
Nancy Boniel is one of a group of radiologists who misdiagnosed lung cancer after CT scans were altered by malware last year.
The malicious code was designed and tested in an experiment by Israeli university researchers meant to highlight the vulnerabilities in critical medical imaging equipment and the networks that transmit those images to other devices.
The problem is not just that the data was manipulated but that it also distorted the radiologists’ perception even after the compromise was revealed:
“Even after the radiologists were told that the scans had been altered by malware and were given a second set of 20 scans, half of which were modified, they still were tricked into believing the scans with fake nodules were real 60 percent of the time, leading them to misdiagnoses involving those patients.”
In today’s threat landscape, a malware attack can cause a misdiagnosis with life-threatening consequences. This is just one of the scenarios in which cybersecurity plays a vital role, and the list keeps growing.
It’s not unusual to put off dealing with the problems of the future, especially when there’s so much to fix in healthcare cybersecurity today. But firefighting alone is not enough, even to address current threats.
Motivated attackers put extra effort into finding surprising ways to infiltrate healthcare organizations, and they won’t miss a window of opportunity. They will step up attacks before the healthcare industry increases security standards and makes the attackers' lives more difficult.
Time is ticking, just as it does for the most vulnerable patients who rely on technology to stay alive.
Different methods to achieve a common goal
Maintaining a healthy system - both in medicine and in IT - is a complex challenge with many moving parts.
While they use different methods, healthcare and information security share a common goal: to keep people safe and thriving.
From this common concern, the best solutions emerge.
To support medical specialists, business leaders, and IT experts in making their best decisions, we provide a rich overview of how the entire healthcare ecosystem is coping with cybercrime and practical ways to improve security.
Key numbers: impact of cybersecurity in healthcare
Ransomware in healthcare
Security specialists had been talking about the industry’s shortcomings for years before WannaCry hit in 2017, making their real-world impact blatantly obvious.
May 2017 - WannaCry's impact on the UK National Health Service
- 30% of 236 trusts across England affected
- 603 primary care trusts impacted, including GP surgeries
- 19,494 cancelled appointments, including at least 139 patients with “an urgent referral for potential cancer” (source)
- 1,200+ pieces of diagnostic equipment infected with ransomware
- Additional devices disconnected to prevent the infection from spreading
WannaCry exposed healthcare’s security weaknesses, attracting more interest from attackers. A new gold rush for medical data began.
July 2018 - Cass Regional Medical Center (US) ransomware attack
- Diverts trauma and stroke patients because of a ransomware attack
- The organization’s EHR provider shut down the EHR system until it could be secured
November 2018 - East Ohio Regional Hospital and Ohio Valley Medical Center (US) attack
- Redirects patients to other hospitals in the area because of the attack
- Switches to paper charts to proceed with patient care and contain the infection
Data breaches in healthcare
of data breaches occur in healthcare
750 data breaches reported in 2018, more than in any other industry
While it may not be as obvious to industry outsiders, IT leaders in healthcare know the clinical workflow is deeply reliant on cybersecurity.
For example, research by Sung J. Choi and M. Eric Johnson shows how data breaches interfere with patient care, increasing the risk of mortality:
“Hospital data breaches significantly increased the 30-day mortality rate for AMI [acute myocardial infarction].
Data breaches may disrupt the processes of care that rely on health information technology. Financial costs to repair a breach may also divert resources away from patient care.
Thus breached hospitals should carefully focus investments in security procedures, processes, and health information technology that jointly lead to better data security and improved patient outcomes.”
Data most at risk in cyber incidents targeting healthcare organizations
1. Social security number (37%)
2. Health information (33%)
3. Financial (19%)
of all cybersecurity incidents involved insider error or activity
Of data breaches caused by phishing attacks - the leading cause across industries
Of data breaches caused by network intrusions across industries
Financial impact of cybercrime in healthcare
Attackers unscrupulously exploit the urgency inherent to many medical procedures to extort organizations. Because lives depend on it, victims sometimes succumb to the pressure and pay the ransom.
Record ransom payments rise every year, from $250,000 in 2018 to over $1 million in 2019.
1 in 10 ransomware victims who paid the ransom received the decryption key
Average ransom paid in 2018 by victim organizations
The biggest ransom paid to date (that’s been publicly communicated)
The financial impact of cyberattacks on the healthcare industry isn’t limited to ransoms and business consequences. The number and value of regulatory fines have increased too.
2018 set a new record for HIPAA penalties: over the course of the year, the Office for Civil Rights issued a total of $28,683,400 in fines, a 22% increase over the previous record, set in 2016.
In this context, IT and security specialists in healthcare companies can leverage the increasing volume of data about the industry to build business cases for increased security spending. This is especially important when advocating in front of C-level executives, whose priority is business impact.
Cybersecurity’s domino effect in healthcare
Security influences the entire organization, from core processes to relationships with service providers and regulatory bodies.
That’s why a robust cybersecurity program can lead to increased business performance as well as a better security posture.
This domino effect is especially visible in increased patient safety, where technical tools, processes, and cybersecurity education come together.
One way to reconcile medical workflow priorities with security must-haves is to build a framework around the 4 Ps of medicine:
1. Predictive
2. Preventive
3. Personalized
4. Participatory
After all, both medical professionals and IT security specialists share a common perspective on what makes and breaks a healthy system. What’s more, finding common ground can be a lot easier with a shared vocabulary.
In the next installment of this healthcare security series, we’ll explore the key threats to organizations in this sector - both external and internal, and explain the domino effect of attacks in the ecosystem.