The US healthcare industry is a gold mine for industrial hackers. Commandeering hospital systems has become stable and profitable work for those willing to execute these attacks. Despite years of embarrassing data breaches, the industry has yet to respond and remains unprepared for the threat at hand.

The US Department of Health and Human Services (HHS) has now finally stepped in. The agency has opened a new cybersecurity unit dedicated to helping the healthcare industry combat hackers. Called the Health Sector Cybersecurity Coordination Center (HC3), the new unit has a long road ahead in its mission to help curb cyberattacks.

Healthcare’s Reactionary Response To Hackers

Healthcare’s cybersecurity crisis peaked in 2015, when 143 million records were exposed in data breaches, making it the hardest-hit private industry in the US that year. Since 2015, healthcare leaders have doubled down on network security efforts, and data breaches have fallen as a result.

Unfortunately, the drama did not stop there. As large-scale breaches waned, targeted ransomware attacks replaced them. In January 2016, Titus Regional Medical Center (in Mount Pleasant, Texas) lost complete access to its electronic health record (EHR) and patient data due to a ransomware attack. The hackers encrypted medical records and demanded a bitcoin ransom to restore them. For the next weeks, doctors and nurses delivered care on paper charts.

Just two weeks later, the same story played out at Hollywood Presbyterian Medical Center in Los Angeles. Hackers demanded over $3 million in bitcoin to restore access to encrypted patient data. At the time, an assistant special agent working for the FBI’s cyber and counterintelligence efforts, Joseph Bonavolonta, said, “The easiest thing may be to just pay the ransom. The amount of money made by these criminals is enormous, and that’s because the overwhelming majority of institutions just pay the ransom.”

Ransomware attacks continue to grow year-over-year. In 2018, a ransomware attack took down cloud-based EHR vendor Allscripts, locking more than 1,500 providers out of their patient record systems for a full week. A recent study found that ransomware attacks in healthcare grew threefold from 2017 to 2018. The new HHS unit, HC3, will attempt to reverse these trends. To do so, a broad range of issues will need to be addressed. HC3 is certainly flying into headwinds on this effort, primarily because:

  • Healthcare is an easy target. A 2018 national audit of healthcare preparedness found that only 45 percent of businesses followed the NIST Cybersecurity Framework. Furthermore, over half of all connected medical devices are considered “at risk” of security compromise. Forrester’s upcoming medical-device cybersecurity report dives deeper on these alarming trends. Cybersecurity is still not keeping pace with technology adoption.
  • Healthcare is a profitable target. Medical record data sells for far more on the dark web than financial data. Medical records can be used to support insurance and tax fraud, which can go undetected longer and generate more revenue for cybercriminals.

This is not the government’s first attempt at organizing a response to these attacks on our healthcare infrastructure. In 2016, the HHS stood up a separate department focused on the very same topic. In the short time that it was operational, it was roiled in ethics investigations, leading to both its senior leaders resigning and the organization itself folding.

What It Means

Cybercriminals will continue to prey on US healthcare organizations (HCOs) because it is easy and profitable. For rank-and-file HCOs, this threat is very real and requires attention. HCOs have been waiting for the government to coordinate a national response, but we are three years into this battle and that response has yet to materialize. Health leaders need to act independently to take network security to the next level by:

  • Implementing a Zero Trust architecture. Phishing is the leading cause of cyberattack. Zero Trust networks limit the damage a credentialed hacker can cause by treating all network traffic as a potential threat.
  • Cultivating digital acumen. Employees are every network’s weakest link. Engage employees at every opportunity to cultivate a more sophisticated digital acumen. Deliver ongoing targeted education to drive down risk.
  • Investing in robust backup solutions. Once ransomware infects the network, IT leaders turn to backup systems to restore patient access. The closer to real time those backups are, the more valuable they will be when they are needed. The current climate necessitates a robust backup solution.

My name is Jeffrey Becker. I invite you to join me in the coming months as I take a deep dive into the technology optimization and patient engagement strategies that are driving change at healthcare organizations pursuing the IHI Triple Aim. Connect me via Twitter, briefings, or inquiries.