On February 5th, Hollywood Presbyterian Medical Center lost access to its computers after being infected with ransomware – a type of malware that holds files hostage until a ransom is paid. Eventually, the hospital paid $17,000 to regain control of its systems, and started a national dialogue about cybersecurity in the medical industry in the process. The Cipher Brief spoke with Denise Anderson, the President of the National Health Information Sharing and Analysis Center, who says increased use of internet-capable devices in hospitals is expanding the attack surface, and therefore the medical industry needs to start addressing its cyber-vulnerabilities as quickly as possible.
The Cipher Brief: It seems like healthcare providers are increasingly being targeted by malicious hackers. How has the cyber-threat environment for the healthcare industry changed over the last 10 years? What do you believe has motivated these changes?
Denise Anderson: Basically, ten years ago there was no cyber threat environment for healthcare. The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act essentially was the driver for the threat environment we see today by requiring providers to use electronic medical records (EMR) by 2015. This allowed for increased portability and accessibility of EMR versus paper records, which also made such information easier to steal. The reality of this situation hit in 2014 when Community Health announced a breach followed by Anthem revealing a breach in February 2015.
Estimates show that stolen patient health care records are valued at 10 to 20 times the cost of stolen U.S. credit card data because of the wealth of useful information they contain. So they are lucrative for cyber criminals. On top of the growing criminal interest, there are a number of other motivations. In the case of the Community Health and Anthem breaches, those were nation-state attacks with the motivation to conduct cyber espionage. Likewise, there have been attempts to steal intellectual property. Actors can have hacktivist motivations, as was seen this month in Flint, MI when the group Anonymous went after a hospital in retaliation for the Flint water crisis, or they can be insider threats, as seen in late 2015 where a staffer at a South Carolina hospital used her access to patient data for personal gain.
TCB: Hollywood Presbyterian Medical Center recently paid a $17,000 ransom to regain control of its systems after being infected by ransomware. How big a threat is ransomware to the healthcare industry?
DA: In the past, ransomware was seen more among small municipalities and businesses. Even the recent Hollywood Presbyterian attack was more opportunistic in nature versus targeted. It’s like a thief going into a neighborhood and trying doors. If a door is unlocked, he walks in. At this moment, the threat is not big. But given that Hollywood Presbyterian paid a ransom and was very public about it, that may attract more attention to hospitals and providers as targets.
TCB: How would you characterize the types of cyber attacks that target healthcare providers? Are they primarily trying to steal personal information, hold files ransom, cause damage, etc.?
DA: Most of the activity in the current environment has involved personally identifiable information centered on patient data. That can certainly change at any given point, given actors and motivations. Healthcare stakeholders need to look at all of the risks they now face in conjunction with the level of threat. It’s no longer about HIPAA and fines but about keeping provider operations resilient as well.
TCB: How do you see this incident influencing future cyber-attacks against healthcare providers? On a broader level, how do you see the cyber-threat environment changing in the future?
DA: As I mentioned previously, the Hollywood Presbyterian incident was more opportunistic versus targeted. Of course Hollywood Presbyterian could have painted a big bull’s-eye on the healthcare sector by paying the ransom. That remains to be seen. Even so, ransomware is very basic malware. If companies adhered to good basic cyber hygiene, such as prohibiting shared passwords, regular patching, and network segmentation, many incidents could be contained quickly.
Healthcare has previously not been a target, but it is increasingly becoming one, and as medical devices become connected to the internet that is going to also increase the attack surface. The threats are only going to increase and become more sophisticated. Healthcare is behind in its security posture, infrastructure, personnel, policies, and information sharing. The time is now for providers to take this threat and risk seriously and look at embracing information sharing, implementing strong cyber policies, conducting user awareness training, and establishing strong controls. Employing tactics like strong authentication, DKIM (DomainKeys Identified Mail), patch management, and encryption are necessary.
TCB: How can the healthcare industry better protect itself from cyber-threats? Is this an area where enhanced public-private partnerships could help better protect against cyber attacks?
DA: Public/private partnerships absolutely do help. At the National Health Information Sharing and Analysis Center (NH-ISAC), we collaborate with government and ISAC partners on cyber and physical threats and incidents. During the Hollywood Presbyterian incident for example, we were working with our NH-ISAC members, the FBI, DHS, and other ISACs to obtain indicators and information and then get the message out. When we can all work together, everyone benefits.