With cybersecurity, one of the biggest patient safety threats is ransomware, says Anthony Chadd, global sales vice president with Neustar, a technology and analytics company based in Sterling, VA.
“It looked like ransomware attacks were on the decline in healthcare last year, but attackers have adjusted their tactics and we’ve seen several new variants emerge that have impacted all levels of the industry,” Chadd says. “In just the past few months, ransomware attacks hit the DCH Health System in Alabama, Omaha-based CHI Health Lakeside Hospital, the Premier Family Medical physician group in Utah, and the Campbell County Health system in Wyoming.”
Ransomware attacks have become easier to launch, and attackers increasingly are targeting smaller healthcare organizations where cyberdefenses may be less sophisticated and employees less savvy about how to spot threats, Chadd says. While small providers and practices may have basic cybersecurity protections in place, they typically lack a mature cyber response plan and do not have the resources and expertise needed to initiate a successful recovery process, he says.
For example, a recent attack against one California provider caused it to permanently close its doors after attackers encrypted and destroyed servers containing all EHR data, as well as backup hard drives, Chadd says. Attackers rightly recognize ransomware as an easy, effective way to garner financial gain. This dynamic is exacerbated by organizations that opt to pay the ransom — which perpetuates this cycle and leads to more attacks, he says.
Neustar is seeing a concurrent trend in the rising number of multivector DDoS attacks and an increase in the number of very small-scale attacks, Chadd says. The company’s latest Threats and Trends Report notes a 133% increase in the number of attacks (measuring Q2 2018 vs. Q2 2019) and a 158% increase in the use of smaller, less immediately identifiable attacks.
“These attacks are small enough to slip by normal attack mitigation thresholds and are becoming more targeted in their ability to degrade or disable specific infrastructure within the target,” Chadd says. “Because such attacks can continue for days without discovery, attackers can degrade specific infrastructure targeting vital business functions.”
Breaches Originate Outside
Organizations are focused on taking the necessary steps internally to ensure patient medical data and other critical information is protected, but a huge number of breaches are the result of a violation by an external cloud partner or third-party managed service provider, Chadd says. A recent Neustar International Security Council study found that 89% of senior cybersecurity leaders are concerned about someone hacking their third-party managed service providers (MSPs), and 53% said they would change cloud providers if they could.
Most institutions work with multiple MSPs, and system compromises due to a third-party security violation will increase unless they take extra steps to secure their systems and ensure partners adhere to the same set of strict security standards, Chadd says.
“This includes developing a risk register to determine what their most critical assets are, and ensuring they have the appropriate DDoS protection in place to secure against a wide range of attack vectors,” he says. “Proactively, healthcare organizations should ensure that any third-party MSP they work with adheres to a rigid set of security principles and practices. Ideally, these should be put into place in the negotiation phase before a partnership is struck.”
Patient Matching Often Fails
Patient matching and identification will continue to be a safety hazard in 2020, says Andy Aroditis, CEO of NextGate, a healthcare data management company based in Monrovia, CA.
“Moving into 2020, the healthcare industry continues to endure dramatic change and, in turn, evolving risk,” he says. “With increased use of technology in relatively every aspect of healthcare, subsequent risk imposed on patient safety as part of digitization is only expected to grow.”
Duplicate records often occur because of multiple name variations, data entry errors, and lack of data standardization processes, Aroditis explains. A typo or absence of a single digit in one’s birth date, address, or phone number can result in the creation of a duplicate. Patients move, marry, divorce, and visit multiple providers in their community, where new records are created and the potential for duplicates grows.
“While EHRs have become commonplace, the disjointed, competitive nature of systems contributes to an influx of duplicate and disparate medical records. The issue of poor patient identification becomes exponentially more problematic and dangerous as more data are generated and more applications are introduced into the healthcare environment,” he says. “Without consistently and correctly matching individuals to their health data, patients and providers alike will continue to suffer the consequences.”
Attention to accurate patient identification has accelerated in the past few years, with all sectors of the industry working to develop a better understanding of the issues and identifying potential solutions, Aroditis says. While healthcare’s massive transformation is forcing federal officials to rethink current approaches for patient matching, the nation’s longtime ban on a universal patient identifier remains intact, he notes.
“When Congress dismissed the concept of a national patient identifier in the early 1990s, healthcare’s IT infrastructure was still relatively immature. Today, however, in the wake of digitization, healthcare organizations are inundated with data, and widespread information-sharing across settings remains a decisive goal,” he says. “The absence of a unique identifier has forced regulators to engage the private sector to help develop a coordinated strategy that will promote patient safety by correctly linking patients to their healthcare data.”
Patient matching functionalities within EHRs often lack the complexities to unify information from external systems, Aroditis says. Poorly designed systems that fail to integrate or communicate with one another exacerbate inefficiencies, generating millions of duplicate and incomplete records that lead to patient safety errors, skewed reporting and analytics, administrative burdens, and lost revenue, he explains.
“As healthcare becomes consumer-driven, it is equally critical to consider use of other identification mechanisms to ensure that patient demographic information is accurate and up to date,” he says. “Use of personal smartphones, for example, to streamline registration and allow patients to play an active role in managing and updating their data can help improve patient matching efforts at key stages where data errors often occur: during enrollment and at registration.”
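As an added illustration of the duplicate-record problem Aroditis describes (example code, not NextGate's or the article's), the constructed Python below scores pairs of registration records for likely duplicates, tolerating the nickname variations, a single mistyped or dropped birth-date digit, and the inconsistent formatting that the text names as common causes; the records, nickname table, weights and threshold are all assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PatientRecord:
    record_id: str
    first: str
    last: str
    dob: str    # date of birth as entered at registration
    phone: str  # phone number as entered, any formatting

# Constructed demo data: P2 is a nickname plus a one-digit DOB typo of P1,
# P4 is P3 after a name change at marriage.
SAMPLE_RECORDS = [
    PatientRecord("P1", "William", "Carter", "1984-07-12", "(555) 010-2233"),
    PatientRecord("P2", "Bill", "Carter", "1984-07-13", "555-010-2233"),
    PatientRecord("P3", "Maria", "Lopez", "1990-02-05", "555 010 9988"),
    PatientRecord("P4", "Maria", "Lopez-Garcia", "1990/02/05", "5550109988"),
]

NICKNAMES = {"bill": "william", "bob": "robert", "liz": "elizabeth"}  # constructed subset

def norm_name(s: str) -> str:
    s = re.sub(r"[^a-z]", "", s.lower())          # drop hyphens, spaces, case
    return NICKNAMES.get(s, s)

def norm_digits(s: str) -> str:
    return re.sub(r"\D", "", s)                    # keep digits only

def digits_differ(a: str, b: str) -> int:
    """Number of differing digit positions; a single dropped digit counts as 1."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b))
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    if len(longer) - len(shorter) != 1:
        return 99
    return 1 + min(digits_differ(longer[:i] + longer[i + 1:], shorter)
                   for i in range(len(longer)))

def match_score(a: PatientRecord, b: PatientRecord) -> int:
    score = 2 * (norm_name(a.first) == norm_name(b.first))
    score += 2 * (norm_name(a.last) == norm_name(b.last))
    dob_diff = digits_differ(norm_digits(a.dob), norm_digits(b.dob))
    score += 3 if dob_diff == 0 else 2 if dob_diff == 1 else 0
    pa, pb = norm_digits(a.phone)[-10:], norm_digits(b.phone)[-10:]
    score += 2 * (bool(pa) and pa == pb)
    return score

def find_duplicates(records, threshold=6):
    """Pairs scoring at or above threshold are candidate duplicates for manual review."""
    return [(x.record_id, y.record_id, match_score(x, y))
            for i, x in enumerate(records) for y in records[i + 1:]
            if match_score(x, y) >= threshold]
```

Candidate pairs are meant for human review at registration, not automatic merging; a false merge is itself a patient-safety error.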
One of the biggest cyber risks for 2020 will be the continued proliferation of malware attacks via business email compromises that inject malware designed to find vulnerabilities in the system and compromise sensitive data, says Steve Leatherman, managing director for healthcare with BlackRidge Technology in Reno, NV. The FDA recently issued a warning about cybersecurity vulnerabilities in some medical devices that connect to the internet, he notes.
The vulnerabilities, referred to as URGENT/11, allow a malicious actor to potentially take control of these medical devices and steal data, change the settings, or turn them off completely, he explains. As medical technology advances and more devices are connecting to the internet, the exposure of vulnerabilities such as those documented in URGENT/11 will become increasingly common, he says.
“The continued proliferation of insecure internet-of-things devices throughout healthcare networks is an urgent and pressing trend. This connectivity creates challenges across many fronts,” he says. “The root of the problem is that security remains an afterthought in the development of many connected devices, as product developers and manufacturers prioritize speed to market. The faster you can get a new product in the hands of consumers, the more likely you are to capture market share, but this means many new connected devices lack anything beyond very basic security features.”
In the case of medical devices, this can lead to compromises of sensitive medical data, vital equipment coming under cyberattack, and even the death of a patient, he explains.
Added connectivity poses a wide range of challenges, Leatherman says. Within a hospital/clinical setting, connectivity creates added vulnerability around the protected health information (PHI) of a patient, he says. Connectivity also creates risk within patients themselves. For example, smart implants like pacemakers contain vulnerabilities that, if exploited, can create a potentially life-threatening situation for a patient, he says.
Additionally, the rise of telehealth solutions to assist external patients creates new security challenges for hospitals and healthcare practices. The U.S. now has more than 7,000 designated Health Professional Shortage Areas — or healthcare deserts — affecting a geographic footprint that is home to 80 million people across much of rural America, Leatherman explains. Health tech companies are working to close this gap with a range of telehealth and remote patient monitoring solutions that can share real-time patient data with remote doctors to eliminate the need for on-site monitoring and reduce readmission rates.
In terms of keeping patient data (and patients themselves) safe from malware attacks, one of the main areas of focus should be advocating for a shared responsibility model, Leatherman says. Addressing insecure medical devices and protecting PHI is the responsibility of both vendors and hospitals, he notes.
The implementation of a “zero trust” model that incorporates network microsegmentation and authenticated identity represents a smart, multilayered defense strategy — and is increasingly critical as the amount of interconnectivity increases, Leatherman says.
Zero trust requires authorization before any attempt at a network connection can be made, even for users already within the network perimeter. Microsegmentation divides the network into smaller and smaller nodes, creating additional access points to verify identity, Leatherman explains. Authenticated identity ensures that with every communication request, from the first connection to each move within the network, identity is re-verified before a connection is made.
“This approach can prevent malware attacks, or at least mitigate the damage that can be done once a bad actor is inside the network, confining them to the point of entry and ensuring they aren’t able to create more damage,” he says. “Solutions like this can be monitored by the vendor company, but must be advocated for by physicians, administration officials, and accreditation bodies on behalf of their patients.”
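As an added illustration of the model Leatherman describes (example code, not BlackRidge's or the article's), the constructed Python below simulates a segment gateway that re-verifies a signed identity assertion on every request, binds that assertion to the segment it was issued for, and applies a default-deny per-segment policy, so a token captured at one point of entry is useless elsewhere or after it expires; the key, roles, segment names, services and policy are all assumptions.

```python
import hashlib
import hmac

# Assumption (constructed): key shared by the identity service and the segment
# gateways; a real deployment would use a proper signing key or PKI.
SIGNING_KEY = b"constructed-demo-key"

# Segment policy: (role, destination segment) -> services that role may reach.
# Anything not listed is denied by default.
POLICY = {
    ("nurse", "ehr"): {"https"},
    ("imaging-device", "pacs"): {"dicom"},
    ("admin", "ehr"): {"https", "ssh"},
}

def issue_token(identity: str, role: str, src_segment: str, now: int, ttl: int = 60) -> str:
    """Identity assertion bound to the issuing segment and to a short lifetime."""
    payload = f"{identity}|{role}|{src_segment}|{now + ttl}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_token(token: str, now: int):
    payload, _, sig = token.rpartition("|")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                                   # forged or tampered
    identity, role, src_segment, expires = payload.split("|")
    if now > int(expires):
        return None                                   # stale token, re-authenticate
    return identity, role, src_segment

def authorize(token: str, src_segment: str, dst_segment: str, service: str, now: int) -> str:
    """Enforcement point at a segment boundary: every request is checked afresh."""
    claims = verify_token(token, now)
    if claims is None:
        return "deny: invalid or expired identity"
    _identity, role, bound_segment = claims
    if bound_segment != src_segment:
        return "deny: token presented from a segment it was not issued for"
    if service not in POLICY.get((role, dst_segment), set()):
        return f"deny: {role} has no policy for {service} on {dst_segment}"
    return "allow"
```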
Leatherman notes that the biggest direct risk to patients right now is not the hacking of PHI. Rather, it is at the patient care level, where test results are attributed to a patient.
“Think about a patient coming into the emergency room. That patient may get bloodwork and then possibly be rushed up to surgery,” Leatherman says. “How can the surgeon be certain that the results from the bloodwork, which are guiding decisions about the surgery, have not been tampered with?”
One challenge is that a hospital’s IT department is a non-revenue-generating department, Leatherman says. Unlike a new medical device or procedure that benefits the hospital because it saves time or money or improves patient outcomes, the IT department is an expense — one that typically is 10 years behind the curve in implementing leading-edge technology, he says.
“Risk managers should be advocating for an adequately funded IT department. With the proliferation of connected medical devices being added to the network, new attack vectors are constantly emerging,” Leatherman says. “In an urgent scenario, unsecured patient information can lead to harm or death, opening the hospital up to liability for not properly protecting the data. Implementing a zero-trust framework with microsegmentation and authenticated identity to restrict access to the entire network is something that should be implemented with urgency.”