Welcome to our new series exploring cybersecurity executive perspectives by industry. We will take a deep-dive into key sectors, starting with an industry that directly impacts every single American: the healthcare industry.
Following the ransomware attacks of the United Kingdom’s National Health Service in 2017, the topic of ransomware has been top of mind. Many of the popular American healthcare TV dramas have leveraged the ransomware theme. On NBC’s Chicago Med this season, a doctor anonymously paid the ransom when that hospital was shut down by a hacker. On ABC’s Grey’s Anatomy, the hospital’s Chief of Surgery used the wits of an intern who happened to have an undisclosed hacking background to “hack back” and get the hospital’s network back online following an attack. Fact or fiction, if you’re an executive in healthcare, your perspective should shift directly to two efforts: preparedness and proactivity.
Healthcare is the most costly U.S. industry when a breach occurs. According to Ponemon Institute’s 2017 Study, the healthcare industry has a staggering average cost of $12M per data breach in comparison to the retail industry which has an average cost of $6M per data breach each.
KEY STATISTICS ABOUT HEALTHCARE BREACHES
- 15% of all data breaches in 2016 involved healthcare organizations.
- $380 per healthcare record lost within U.S. companies, well above the overall mean.
- $225 is the average organizational cost per record lost within U.S. companies.
- $7.35M is the average total cost of data breach in the U.S.
- 209 days on average to detect an incident; 79 days on average to contain it.
WHY ATTACK A HEALTHCARE ORGANIZATION?
There are many reasons why threat actors would choose to target a healthcare organization over an organization in any other industry. For one, electronic health records (EHR) are personal and often contain sensitive information, such as medical history, prescriptions, and current or past insurance information. The value of Protected Health Information (PHI) is high, selling for ten times the cost of a credit card number on the Dark Web. This increased value can be used for a broader set of fraudulent activities including pharmaceutical fraud. This creates a great desire for hackers to target a healthcare organizations. They can sell the data on the black market, threaten to make the data public, or use it for extortion (ransomware), all for financial gain.
Next, espionage plays a large role in why healthcare organizations become victim to attacks. Healthcare organizations that conduct medical studies have valuable data related to clinical trials or other advanced medical research. Nation States, or sometimes even competitors, may attempt to leapfrog past the R&D stage and undercut the first-to-market advantage or market value by stealing this sensitive information and Intellectual Property (IP).
Furthermore, testing capabilities have an effect on why healthcare organization get breached. The digitization of medical records creates great vulnerability. An increase in the interconnectedness of networks, systems, and medical devices expands the potential cyber attack surface and gives hackers more options to cause harm.
Healthcare organizations are facing key challenges when it comes to protecting their network.
WHAT ARE THE KEY CHALLENGES?
Human error is often the weakest link within an organization. Employees, medical staff, and vendors, not always attentive to potential social engineering efforts, may accidentally fall prey to attack patterns such as phishing attacks where malicious attachments or links are embedded in an email and opened/clicked on.
Ransomware attacks are becoming increasingly more common. If organizations do not regularly back up their data, hackers may attempt to extort their victims by accessing and encrypting sensitive data using ransomware. Although some ransomware incidents may not breach the confidentiality of ransomed data, all ransomware incidents must be reported as a breach as per the guidance by the U.S. Department of Health and Human Services. According to the Verizon Data Breach Incident Report, ransomware accounts for 72% of malware incidents within the healthcare industry.
Privilege misuse is still one of the top ways pertinent data is accessed and compromised within any organization. According the the Verizon Data Breach Incident Report, 81% of privilege misuse breaches were carried out by an insider. This proves that organizations need to be more aware of who has access to sensitive information. Employees may be mishthereandling data which could cost the organizations significantly.
NOTABLE INCIDENTS & BREACHES
In February of 2015, cyber attackers executed an attack against Anthem Blue Cross and Blue Shield to gain unauthorized access into the company’s IT systems which held the information of their current and former members and employees. Personally Identifiable Information (PII) of 78.8 million people was stolen which included their names, social security numbers, email address, birthdays, employment information, and even their income. This was the largest healthcare breach ever recorded. In 2017, Anthem agreed to paid $115 Million to settle class action lawsuits related to the 2015 breach.
One year later, in February of 2016, a ransomware attack locked down all of the computer systems in the Hollywood Presbyterian Medical Center for more than a week. Patients were forced to drive hours away to other hospitals to get their test results. In order to decrypt the encrypted files, cyber attackers requested 40 Bitcoins, equivalent to approximately $17,000 at the time. Hollywood Presbyterian did pay the ransom in order to return the network to its working condition. Due to the lack of sufficient backed-up data, paying the ransom was the most efficient way to restore their systems, and was in the best interest of their consumers and normal business operations at that time.
In May of 2017, the UK National Health Service was attacked by the “WannaCry” malware that threatened to delete cruicial files unless ransoms of $300 and $600 were paid. Computers at hospitals and general practice surgeries in the UK were hit in almost 100 countries by malware that was stolen from the National Security Agency in the U.S. Over 50 National Health Service Trusts were impacted by the attack, including roughly 600 scheduled surgeries and more than 19,000 appointment cancellations. The attack shut down business operations at 16 hospitals.
TAKING ACTION: TOP 3 MUST-DOS
First and foremost, establish cybersecurity policies. This can help healthcare organizations not only save money, but save personal information from an attack. Policies should include how data will be backed up and which security programs are implemented. Backup systems should be in place so that when an attack does occur, the backups can be used to restore the data and not fall under the control of the hacker.
Secondly, executives should ensure their incident response plan and business continuity plan are regularly updated and tested. These plans are necessary when responding to a cyber incident or breach and can make or break a company when the unfortunate occurs.
Lastly, it’s important to educate employees and senior leaders. Healthcare organizations often fall short in educating their employees about the dangers of cyber attacks. Having a training program in place that educates employees on cybersecurity issues and senior leaders on managing cyber risk is paramount.
Is your healthcare organization prepared? Do you, as a healthcare senior leader, understand cyber risk as an enterprise risk? We can help. Check out our Cyber Resolve seminars, tabletop exercises, and other executive cybersecurity training programs for your team.