Helping Healthcare Win Its Other Big Battle: Cyberattacks
Anyone running a business is likely familiar with the phrase “building the plane as you’re flying it.” And through the craziness of the past 19 months, many of us lived the phrase, becoming pilots and engineers of our new realities overnight.
But few lived it like the healthcare industry did. They weren’t just building the plane while flying it, they were also changing flight patterns, using different airports, and training new staff in the air. In other words, they figured out how to enable a remote workforce, exponentially expand virtual care, and develop a vaccine, all while huge numbers of staff were working overtime in risky conditions to care for hundreds of thousands of critically ill people.
Let’s take a moment to celebrate this incredible upsurge in healthcare innovation. The industry took years of regulatory blockages, technical debt, and industry skepticism and turned it into digital experiences that enabled continuity of care for billions of people.
Here’s the other part. Healthcare entities accomplished all of that while coming under an ever-growing number and variety of cyberattacks. Yes, amidst a pandemic, healthcare was faced with another battlefront that created another band of heroes.
Like the staff of University of Florida Health. When UF Health was hit with a cybersecurity event in part of its network last June, staff needed to contact pharmacies to fill in missing medication information. They scrambled to find new routes for care using outside physicians. Ed Jimenez, CEO of one of the affected hospitals, gave credit to his people for getting his institution through the crisis. “Our dedicated employees are truly our heroes, as they rose to the challenge of restoring normal operations, often sacrificing time with their loved ones to work extra hours.”
Malware attacks exploit the flux of the pandemic
According to a U.S. Department of Health and Human Services (HHS) report and research by IBM, the healthcare industry has seen a 50% increase in cyberattacks since the onset of the pandemic, and those attacks were the most expensive, with an average cost of $7.13 million per incident. According to the IBM data, ransomware attacks were the most common threat — as malicious actors preyed on the need for hospital and healthcare systems to be restored quickly — followed by data theft and server access. Healthcare providers, in particular, are attractive ransomware targets because electronic health records (EHRs) can go for $1,000 each on the dark web, compared with credit card information for approximately $110 and Social Security numbers for a mere $1 each.
“Hospitals’ systems were already fragile before the pandemic,” said Josh Corman, head of the Cybersecurity and Infrastructure Security Agency (CISA) COVID-19 task force. “Then the ransomware attacks became more varied, more aggressive, and with higher payment demands.” By the fall of 2020, that aggression prompted a rare cybersecurity advisory jointly authored by CISA, the Federal Bureau of Investigation (FBI), and HHS, specifically warning healthcare leaders about imminent ransomware attacks and advising a backup approach of saving three copies of all critical data in at least two different formats, with one copy offline, out of reach of malicious code.
For many healthcare organizations, however, following that advice creates yet another difficult financial tradeoff. According to Stephen Lopez, PhD, MBA, and senior director of information security at the Association of American Medical Colleges (AAMC), healthcare organizations tend to defer cybersecurity investment. “It can be hard to divert resources to information security,” he said, “if it seems to come at the expense of patient services. But in this environment, patient services are at risk if organizations put off guarding against ransomware.” CISA concurs, noting in its 2021 medical insights report that when the infrastructure supporting healthcare delivery is attacked or held ransom, operations quickly degrade, especially in a time of crisis or urgency.
Educating staff at all levels of healthcare organizations is one key to the fight. “If you can increase staff members’ basic ‘security hygiene’ around phishing emails, you can avoid or mitigate most malware attacks,” Lopez adds. He recommends creating an education program that shows real examples of what ransomware attack messages look like, reminding staff to pause before reacting to any urgent request for sensitive information.
Security investment decisions hinge on data storage and access
Even with the pandemic still taking too many lives, healthcare leaders need to address this additional battlefront. So where to begin? At a high level, the top cybersecurity priorities are to secure access points from ransomware (in addition to training staff to detect phishing); reduce exposure of protected health information (PHI) available in EHRs as well as the intellectual property in drug manufacturing; and secure the connectivity technologies that allow the sharing of that information with external systems, partners, and suppliers (such as with the CDC and other departments of health).
Many healthcare organizations across the industry have moved their EHRs, intellectual property, and other medical data to the cloud to enhance flexibility, accessibility, and speed of retrieval. But because the migration to the cloud happened so quickly and without strong organizational planning, patient health information and other sensitive data are often hosted in multi-vendor cloud environments, which can be further weakened by misconfigurations.
This far-from-exhaustive list illuminates the range of data needed to create continuous care and reduce the potential size of a healthcare organization’s threat surface area.
Electronic health records (EHRs) — Digital medical charts, medical history, lab and test results, and other data
Patient or disease registries — Databases containing the clinical outcomes for patients who share a specific diagnosis or condition
Claims data — Billing codes data submitted by healthcare providers to insurance companies
Health surveys — Data collected by public health organizations to assess public health risks and that inform public health policy and practice
Picture archiving and communication system (PACS) — Data generated by a medical imaging device (such as a CT or MRI scan) that is archived for access by physicians, researchers, or other authorized medical staff
Clinical trial data — Data on the results of clinical studies, private or public, used in the development of medical devices, pharmaceuticals, and other innovations
Healthcare CSOs looking to reduce that threat area and take the advice of the backup approach outlined in the federal advisory — saving three copies in at least two different formats, with one offline — are increasingly looking for a hybrid approach. On-premises data storage provides them with more control over security, but it can be costly and difficult to expand at the pace needed, especially with the current explosion of health data and the digital transformation in care, both spurred by the pandemic. Public cloud data storage is more cost-effective, but organizations risk outages and a lack of transparency into how the data is protected.
A hybrid approach allows sensitive data to be kept on premises, while less sensitive data is stored in the cloud. Even this is not perfect, as security must be put in place to protect the transfer of data between the two storage types and ensure that access is limited to those who are authorized to make the transfers and view the data. Moving toward the seven key requirements for implementing a Zero Trust Network Access architecture helps enable institutions to protect their data, by granting users access to only those applications they need for their role, with further security offered by multi-factor authentication (MFA).
Ushering healthcare through and beyond the crisis
Healthcare providers are building their 21st-century digital experiences, and Akamai is honored to help usher in this new online healthcare era, with innovative ways to support care for patients and deliver successful health outcomes anywhere, anytime.
Read more about what Akamai helps make possible in the healthcare industry.