In February, Hollywood Presbyterian Hospital very publicly paid $17,000 to regain access to its files after being infected with a type of malware called ransomware. As the name suggests, ransomware encrypts all files on a computer until the victim pays a ransom to the attacker. This hack, though limited in scope, is just one example of a much larger problem with the healthcare industry’s cybersecurity posture.
In 2015 alone, hackers stole the records of 11 million people from Premera Blue Cross, 10 million people from Excellus BlueCross BlueShield, and 80 million people from Anthem. In contrast, only 22 million people were directly affected by the hackers who stole information from the Office of Personnel Management. The healthcare industry has become a prime target for hackers, and the trend of healthcare providers and insurance companies being targeted by cyber-criminals shows no sign of stopping.
But why are healthcare organizations such attractive targets for hackers? In short, healthcare providers hold a lot of valuable information about patients, and they tend to be less secure than other organizations – such as those in the financial sector. Greg Porter of Allegheny Digital told The Cipher Brief “the bar to make it more difficult to get credit card data has ramped up for many attackers, so they are looking for another easy target. And in many ways, healthcare, unfortunately, falls into that demographic.” Additionally, healthcare information is very rich – meaning that it can be used for a wide variety of illicit activities.
Since healthcare providers are relatively low-hanging fruit for cyber-criminals, they are facing an increasing number of cyber-attacks. The ransomware attack on Hollywood Presbyterian clearly demonstrates this. The hackers made $17,000 with relatively little effort or risk on their part. There are regulations to help ensure that patient records are kept secure, such as the Health Insurance Portability and Accountability Act (HIPAA), but complying with regulations is not synonymous with having strong cybersecurity.
Cybersecurity concerns are relatively new for the healthcare industry. Denise Anderson, President of the National Health Information Sharing and Analysis Center (NH-ISAC), told The Cipher Brief that “The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act essentially was the driver for the threat environment we see today by requiring providers to use electronic medical records (EMR) by 2015.” Healthcare providers started getting hacked shortly thereafter. The shift towards electronic record keeping occurred faster than the corresponding acquisition of network-protection systems, and this created exploitable vulnerabilities for hackers.
However, there has been greater movement towards improving cybersecurity in healthcare. The NH-ISAC was created to help coordinate the sharing of threat information across the healthcare industry. More healthcare providers and insurers are becoming aware of the threat and risk they face. Just as with many other critical industries, healthcare is rapidly learning how to better protect itself from the growing number of bad actors using cyber-capabilities to steal money and information.
The cyber-threat environment will continue to adapt, and it is unclear to what extent large, public incidents like the one at Hollywood Presbyterian will change attack patterns. Anderson says that “Hollywood Presbyterian could have painted a big bull’s-eye on the healthcare sector by paying the ransom. That remains to be seen.”
In contrast, Porter felt that “this one incident got sensationalized because of the ransomware involved.” If the theft of more than 80 million records in 2015 didn’t change things, then a $17,000 ransom probably wouldn’t either. However, both agree that healthcare providers and insurers need to look beyond HIPAA and improve both cybersecurity and resilience. Whether through better training for improved cyber-hygiene, increased information-sharing, or stronger public-private partnerships, there are many ways for the healthcare industry to fix its cybersecurity problem. Otherwise, the massive theft of patient information that was seen throughout 2015 could continue, unabated.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.