EXECUTIVE SUMMARY

The recent worldwide cyberattack highlighted the vulnerability of healthcare computer systems. The United Kingdom’s National Health Service was virtually crippled by the attack.

  • Experts expect more such cyberattacks on healthcare organizations.
  • Legacy computer systems and internet-connected medical devices offer openings to hackers.
  • The U.S. government has proposed sweeping improvements in healthcare to safeguard against future attacks.

The threat to patient safety and the potential for resulting liability from a cyberattack was illustrated in the recent WannaCry attack that crippled the United Kingdom’s National Health Service (NHS) and affected thousands of organizations around the world. American risk managers should count themselves lucky their hospitals and health systems weren’t hit as hard, but the effect could be much worse next time.

The malware in the global cyberattack, also known as WanaCrypt0r 2.0, WannaCry, and WCry, infected computers in 150 countries, entering IT systems via an email attachment and encrypting data files, including patient records. The hackers demanded ransom to decrypt the files. The malware caused many hospitals and clinics in the NHS to close their doors for fear that patient safety would be threatened without access to electronic medical records (EMRs) and other computer files.

Healthcare providers should have been prepared for this because it is nothing new, says Marc S. Voses, JD, partner with the law firm of Kaufman Dolowich Voluck in New York City, and co-chair of its data privacy and technology services practice. It is just the scale of the event that is unique, he says.

Healthcare providers were not a special target for the hackers in this attack, Voses says, but many providers, including the NHS, turned out to be the softest target because tight budgets resulted in a failure to fund cybersecurity.

“The NHS didn’t have the money to upgrade from the Windows XP operating system, which was at end of life in 2014, which means there were no more patches available from Microsoft,” Voses says. “Even if you could afford to update your software, you still might not be able to because you have other dependent software that is vital to running your business and will run only on the outdated, unpatchable operating system.”

The WannaCry ransomware attack hit U.K. healthcare organizations especially hard because many internet-connected medical devices are running older versions of the Windows operating system, says Moshe Ben-Simon, co-founder and vice president of services at TrapX, a company in San Mateo, CA, providing cybersecurity defense. In most cases, the healthcare providers know the devices are out of date but still face hurdles in plugging the security holes.

“Due to compliance regulations, including HIPAA, healthcare network administrators cannot easily update internet-connected medical devices with the newest operating systems and patches. These devices are sealed to protect the equipment from failure in the event a software update inadvertently affects the operation of the device,” Ben-Simon says. “While this ultimately protects patients from potential harm from a malfunctioning device, it has the potential to leave the network open to attackers who are finding new ways to exploit old vulnerabilities, such as the recent WannaCry attack. If these devices aren’t updated by the manufacturers immediately, they will continue to be susceptible to these types of attacks.”

Risk Management Must Anticipate Attacks

Any potential electronic disturbance that disrupts healthcare services must be addressed in a healthcare provider’s risk management protocol, Voses says. Prompt access to backup files and systems is necessary to minimize the damage caused by these types of catastrophes, he says.

“This is going to happen again. Having protocols in place to either ignore the threat and shift to backup systems or a plan to promptly pay the ransom to acquire the encryption key is of paramount importance,” Voses says. “Yet again, luck favors the prepared.”

Voses notes that cyberthreats to patient safety are not new, though the risk appears to be growing. On Feb. 17, 2016, he points out, Hollywood Presbyterian Medical Center paid a ransom in bitcoins equivalent to about $17,000 to hackers who infiltrated and disabled its computer network. On March 28, 2016, MedStar Health, a nonprofit healthcare organization headquartered in Maryland, also was attacked by ransomware.

Although MedStar denied there was any significant effect because they quickly shut down their computer system, some employees stated that the virus still disabled access to patient records, Voses says. The hackers demanded 45 bitcoins (the equivalent of about $19,000) in exchange for the decryption key.

In addition to requiring payment, a ransomware attack could result in liability if the computer system breach is severe and involves key operating data, Voses says. For example, if a hospital lost access to its computer systems, patients’ lives may be at risk.

Voses says that the risk of an organization falling victim to a ransomware incident is increasing due to the shotgun approach taken by criminals to find victims.

Backup Processes Vital

To better protect hospital networks that are using internet-connected medical devices, Ben-Simon recommends reviewing and beefing up backup processes. It is essential to run an offsite backup daily, he says, and more important is a robust, tested disaster recovery process that ensures core IT systems can be brought back up in a few hours.

“Most hospitals have backup in place to support compliance, of course, but really cannot restore key applications and recover operations fast enough in the face of a ransomware attack. When an environment faces a true disaster, even a well-planned disaster recovery strategy will typically take days until full operations are restored,” he says. “Do the work to make sure this takes only a few hours.”

Beyond keeping software systems updated and other technological barriers, there are methods to counter malware once it does get into the computer system. Ben-Simon’s company uses technology that employs deception to stop an attacker in the network before the attack can take a substantial foothold, tying up the ransomware encryption process with false data on decoy network shares. Deception tools are designed to fool attackers and their ransomware exploits, keeping them away from your real devices and real data, Ben-Simon says.

“Once they start trying to encrypt these fake file systems, they will be identified, shut down, and the hospital can return to normal operations,” he explains.
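As an added illustration of the decoy-share idea described above (example code written for this article, not TrapX’s product or anything the vendor supplied), the following script seeds constructed decoy files on a share that no legitimate workflow should touch, baselines their hashes, and raises an alert for any decoy that is deleted, renamed, or rewritten with high-entropy, ciphertext-like content. The share path, file names and contents are all constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Decoy files seeded on a share that no legitimate workflow touches. Names and
# content are constructed; anything that rewrites them is bulk-modifying files.
DECOY_FILES = {
    "patient_list_2016.csv": b"mrn,name,dob\n000001,SAMPLE PATIENT,1970-01-01\n" * 40,
    "backup_notes.txt": b"decoy content - not real data\n" * 60,
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, ciphertext or random bytes near 8."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def seed_decoys(share: Path) -> dict:
    """Write the decoys and record a SHA-256 baseline for each."""
    baseline = {}
    for name, content in DECOY_FILES.items():
        (share / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline

def check_decoys(share: Path, baseline: dict) -> list:
    """Return (file, reason) alerts for decoys that were removed or rewritten."""
    alerts = []
    for name, digest in baseline.items():
        path = share / name
        if not path.exists():
            alerts.append((name, "missing or renamed"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            high = shannon_entropy(data) > 7.0  # encrypted payloads look random
            alerts.append((name, "rewritten with high-entropy data" if high else "modified"))
    return alerts

def run_demo() -> dict:
    """Seed decoys in a temp dir, then stand in for a ransomware pass over the share."""
    share = Path(tempfile.mkdtemp(prefix="decoy_share_"))
    baseline = seed_decoys(share)
    before = check_decoys(share, baseline)
    # Random bytes stand in for ciphertext; the second decoy is simply deleted.
    (share / "patient_list_2016.csv").write_bytes(os.urandom(4096))
    (share / "backup_notes.txt").unlink()
    return {"before": before, "after": dict(check_decoys(share, baseline))}
```

In production the check would run on a short timer or from a file-system change notification, and an alert would feed the isolation step Ben-Simon describes (quarantining the host that holds the share open).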

Ransomware attacks on healthcare organizations are likely to increase, says Stacy Leidwinger, vice president of products at RES, a company in Radnor, PA, that provides digital workspace software addressing the risk of ransomware. The fact that some NHS hospitals and clinics had to suspend all non-urgent activity is a testament to how much they rely on their data to operate, she says.

“It’s becoming more common an occurrence to see ransomware attacks against healthcare organizations. After all, they are a prime target for attackers due to the nature of the data they hold,” she says. “The real problem is that it’s not just a monetary loss when it comes to medical facilities. It’s life and death.”

The WannaCry attack is clear evidence that many healthcare organizations still need to invest in an integrated approach to security, Leidwinger says. The most important defenses are education, vigilance, and proven technology such as context-aware access controls, comprehensive blacklisting and whitelisting, read-only access, automated access termination, and adequate backups, she says.

Feds Recommend Security Fixes

Immediately after the WannaCry attack, the federal Health Care Industry Cybersecurity Task Force released a draft “Report on Improving Cybersecurity in the Health Care Industry,” which addresses the identified risks and offers a substantial number of proposed recommendations and action items for Congress, the Department of Health and Human Services (HHS) and other government agencies, and private industry.

The authors concluded the recent attack should be a wake-up call for the healthcare industry.

“With the exception of IT security personnel, many providers and other healthcare workers often assume that the IT network and the devices they support function efficiently and that their level of cybersecurity vulnerability is low. Recent high-profile incidents, such as ransomware attacks and large-scale privacy breaches, have shown this vulnerability assumption to be false and provided an opportunity to increase education and awareness about the benefits of cybersecurity in the healthcare community,” according to the report. “Moreover, recent ransomware incidents have also highlighted how patient care at healthcare delivery organizations can be interrupted due to a system compromise. Members of the health ecosystem reported that prior to these breaches, many security professionals had difficulty demonstrating the importance of cyberprotections to organizational leadership, including how risk mitigation can save money and protect against reputational damage in the long-term. Making the decision to prioritize cybersecurity within the healthcare industry requires culture shifts and increased communication to and from leadership, as well as changes in the way providers perform their duties in the clinical environment.”

(The full report is available online at: http://bit.ly/2ssHkfB. See the story in this issue for sample advice from the report.)

The task force’s recommendation for a unified response to cybersecurity issues for the healthcare industry is of vital importance, says Lee G. Petro, JD, an attorney with the law firm of Drinker Biddle in Washington, DC.

The report’s recommendations extend throughout both government and private industry, and highlight the urgent need for the identification and empowerment of an individual within HHS to coordinate the varied effort, Petro notes.

“The proposal reflected a comprehensive approach to considering the need for cybersecurity protections across the widely diversified healthcare industry. The proposal’s reliance on existing National Institute of Standards and Technology [NIST] frameworks reflects the importance of NIST’s work and the need for the completion of its efforts to update to the Cybersecurity Framework Version 1.1,” Petro says.

Several of the report’s action items will affect seemingly nonrelated federal laws and statutes, necessitating the close coordination between the executive branch and Congress, Petro notes. The financial effect on agency budgets will be significant, and will need to be taken into consideration during budget negotiations, he says.

“The recommendations that will impact small- and medium-sized healthcare providers will also be significant, possibly impacting their financial health in the short-to-medium-term future,” he says.

SOURCES

  • Stacy Leidwinger, Vice President of Products, RES, Radnor, PA. Telephone: 1 (800) 893-7810.
  • Lee G. Petro, JD, Drinker Biddle, Washington, DC. Telephone: (202) 230-5857. Email: lee.petro@dbr.com.
  • Moshe Ben-Simon, Co-Founder and Vice President of Services, TrapX, San Mateo, CA. Telephone: (855) 249-4453.
  • Marc S. Voses, JD, Partner, Kaufman Dolowich Voluck, New York City. Telephone: (212) 485-9600. Email: mvoses@kdvlaw.com.