On May 12, 2017, the world’s biggest ransomware attack nearly crippled Britain’s public health system and forced doctors to turn patients away. The WannaCry worm, which experts believe to have come from U.S. National Security Agency (NSA) hacking tools released by Wikileaks, spread quickly to companies and critical infrastructure worldwide. A White House homeland security adviser said that more than 300,000 computers across 150 countries were hit. One cyber risk modeling firm put the total economic damage at $8 billion. Since the attack occurred, security researchers have already identified a new strain of malware that could be much more dangerous.
We will see more cyberattacks like WannaCry in the months and years to come. They are increasing in frequency and sophistication. But they are also preventable.
Typically, healthcare organizations use sophisticated encrypted software to manage and protect patient data. Does the existence of these more sophisticated platforms mean that there is no risk to the medical practice or to the hospital? The answer, unfortunately, is no.
For decades, security experts have been saying that one of the best ways to protect yourself from a malware infection or security breach is to keep your software up to date. Running outdated versions compromises your system. Microsoft released a patch in March 2017 that addressed the NSA exploits. But many organizations forgot or overlooked the patch and were left vulnerable.
While few healthcare organizations in the U.S. are known to have been impacted by WannaCry, many remain vulnerable to this type of attack. The industry generally runs older hardware and outdated software, which leaves healthcare organizations extremely exposed. According to the Verizon 2017 Data Breach Investigations Report, ransomware accounted for 72 percent of the malware attacks on the healthcare industry. And a 2016 study from IBM and the Ponemon Institute noted that breaches in the U.S. healthcare field cost $6.2 billion each year and that approximately 90 percent of hospitals have reported a breach in the past two years.
Just this year, the New Jersey Diamond Institute for Fertility and Menopause reported that a breach exposed the health information of 14,633 patients. A breach at Harrisburg Gastroenterology exposed 93,323 patient records. The cancer center Singh and Arora Oncology Hematology notified 22,000 patients of a breach. It doesn’t end there, as experts project that healthcare will be the most targeted sector, with new sophisticated attacks emerging.
Every organization, and especially every healthcare organization, needs to make cybersecurity a fundamental part of its business. But how do they do that? Here are my top five tips for hospitals and medical practices:
Update your software. Make it a regular habit. Turn on auto-updaters—both Microsoft and Apple provide this option. If you haven’t updated your software, now is the time.
Provide employee awareness training. According to cybersecurity research firm Mandiant, phishing emails, which trick people into clicking on a link, account for 95 percent of successful breaches and have a 90 percent success rate. Institute a training program for staff at all levels and go over the basics, such as not opening emails from senders you don’t know and not plugging in unknown USB drives.
Leverage IT application whitelisting and layer your security. Healthcare systems are fragmented in their management of systems and data. Their ability to patch legacy systems and employ cybersecurity staff varies enormously. Therefore, application whitelisting is essential. Rather than blacklisting known malicious software, an application whitelist prevents the launching of any executable program (known or unknown) that does not have explicit authorization. This, in combination with strong firewalls and network segmentation tools like micro-segmentation, provides stronger security.
Get cyber insurance. According to Beazley, an insurer offering cyber policies, healthcare accounts for 55 percent of the incidents it has handled in 2017. With healthcare data breaches on the rise, cyber liability insurance can help you recover faster in terms of financial coverage and remediation. If you already have cyber insurance, check your liability limits to determine whether you need to increase your coverage. In 2015, U.S. healthcare data breaches cost companies an average of $363 per record, the highest of any industry, according to the Ponemon Institute. A HIPAA violation involving a breach of unencrypted personal health data can run into the millions of dollars.
Back up your data. Make sure you are backing up your data regularly, either to servers or to the cloud, and that you can restore it easily. WannaCry threatened to delete crucial files unless ransoms were paid. If those files had been backed up, losing the data wouldn’t have been a concern for those who were attacked.
Recent cyberattacks have been devastating. They’ve cost billions of dollars, angered and potentially endangered patients, eroded the reputation of healthcare organizations, and left institutions and individual physicians exposed to HIPAA violations. Cybersecurity is no longer just an IT issue. Every employee and every organization needs to do their part. It is imperative that we all make cybersecurity part of our job. Because now, it is.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.