The recently disclosed ransomware attack against Hollywood Presbyterian in Los Angeles is yet another in an increasing number of attacks against the healthcare industry and again highlights the vulnerability of these patient-focused environments.
For years, retailers and others involved in processing credit card transactions were the juicy targets of choice, but the industry took great strides in improving the protection of this information, making it much more difficult to steal. This effort, combined with the vastly improved fraud detection systems, has drastically reduced the value of a stolen credit card.
So why attack the healthcare industry? In the words of infamous bank robber Willy Sutton, “Because that’s where the money is.”
The Growing Value of Healthcare Data
Recent studies estimate the value of a stolen medical record — ranging from $10-$50 per record — is at least 10 times greater than that of a credit card. With healthcare data, there is increased opportunity for fraud given the amount of personal, medical and financial information in a typical record.
Even better for criminals, the life of a stolen health record is much longer. Fraud detection is nearly non-existent, and the typical person neither pays much attention to this information nor is easily able to monitor it.
While this attack has not yet yielded the loss of any medical records, these attackers used a more direct approach to monetizing their work: encrypting the information on the computers inside the hospital and demanding a large ransom to unlock the data. It was widely reported that Hollywood Presbyterian paid as much as $17,000 to regain access to its own data.
Although the concept isn’t new, ransomware attacks are on the rise and have shifted more toward larger organizations from their roots against individuals. Rather than trying to extract records (a difficult task) from a breached environment, these attackers are able to introduce malware (a relatively easy task) into a network where it spreads and encrypts the contents of the infected computers, rendering them useless.
Are Hospital Networks Defenseless?
The simple answer today? Yes. Today’s hospital networks are among the most complex. Virtually every piece of equipment is connected (think IoT on steroids). These complexities grow when you consider the number of mobile endpoints in the hands of healthcare workers, many of which are not owned by the hospital, and the multiple wireless networks (some of which serve guests). The result is a virtually indefensible network.
The task of introducing malware into such an environment is relatively simple. The large number of staff, many operating at a very fast pace with limited sleep, makes it easy for an attacker to craft an email or text that looks legitimate under light scrutiny. Any number of staff will open it or click a link and unknowingly infect a system.
From there, the malware can spread to other systems and communicate out to the attackers. This effectively gives them access to the network, where they can take their time finding other vulnerabilities to exploit in order to gain access to sensitive data or, as in this case, simply lock the hospital’s data, rendering its systems inoperable.
Is Healthcare’s Situation Hopeless?
Not at all. There are steps healthcare organizations can take to improve security and make it more difficult for attackers to exploit their networks. You’re never going to stop them from getting in, so you have to assume they will gain access, or already have. Below are a few steps to consider.
- Improve Training
Security awareness training is still the most cost-effective defense. The better prepared your users are for the types of attacks they will face, the less likely they are to fall victim to them.
- Understand your Data
Most organizations don’t fully understand where all of their sensitive data resides or how it flows through their various systems. If you don’t know what you have and where it resides, it’s very difficult to protect. By mapping and classifying your data types, you will be better able to determine how to protect it.
Use existing security and compliance frameworks (e.g., HITRUST CSF, PCI DSS, NIST SP 800-53) as guides for implementing a best-practice security program that meets your HIPAA compliance requirements. A security-first approach is always preferred, but following compliance guidelines will provide a basic foundation for your broader security strategy.
When in doubt, simplify. Remember, to your systems and applications all data is just 1s and 0s. There are only so many ways to protect data while it is being transmitted, processed or stored. Treat all of your sensitive data, regardless of type, the same. That will allow you to create a single, comprehensive security program that meets all of your compliance requirements.
- Seek Assistance
Healthcare organizations have one primary objective: patient care. Should you also be required to be cybersecurity experts? The mission is already difficult enough. Consider outsourcing security to trusted and proven cyber defense organizations that understand the unique challenges of the healthcare industry (e.g., ePHI data, disaster recovery requirements, compliance). This isn’t a war you have to wage alone.