Healthy concern: Chattanooga cybersecurity expert Lemon Williams has advice on how hospitals can protect patient safety and privacy


Hospitals and health care organizations are increasingly targeted by cyber attackers, and those attacks can have serious consequences for patient safety, privacy and the delivery of care. Electronic medical data has high value to cyber criminals because it can include guarded personal information, highly sensitive health information, financial information and more.

We asked Lemon Williams, partner and cofounder of Chattanooga-based cybersecurity consulting firm The Ionado Group and Erlanger Health board member, about how these sorts of threats affect the health industry and patient care.

Q. How do cyber attacks affect patient care and privacy? What sort of patient data is at risk?

A. Cyber criminals value electronic medical data because it can include personal information, medical information, financial information, and more. If a hospital or healthcare organization experiences a data breach, patient information could be stolen, leading to serious consequences like identity theft, billing fraud, and medical extortion. Medical staff are also at risk. I will also note that there is medical extortion, which is when medical information is used for personal gain under the threat of public release.

Q. How do cyber attacks, such as ransomware, disrupt a hospital system? Is patient care put at risk?

A. Ransomware or compromised vital patient records could delay non-emergency procedures, but urgent emergency care will remain timely and reliable thanks to continuity plans. Within recent months, there has been an uptick in targeted interest in patient data nationwide.

Q. What can the healthcare industry do to better protect itself from future attacks?

A. Healthcare organizations can deter, prevent, detect and respond to cyber threats by following frameworks, standards and regulations. These resources, along with buy-in from the C-Suite, can help organizations implement aggressive security practices and measures to protect data. These measures include limiting access to valuable patient information, requiring enhanced authentication methods and segmenting data across multiple databases.

Q. Are cyber attacks something that can be solved, or are they going to be an ongoing problem?

A. Always. As long as there is value in the data, there will always be malicious actors who are willing to try to obtain or ransom it. This means that total eradication of cyber threats is not a realistic goal. However, we can layer security measures in a way that makes it more difficult and costly for attackers to succeed. This can help to deter attacks and reduce the likelihood of a successful breach.

Q. Do cyber attacks often originate from outside the United States? If so, why?

A. Yes. Cyber crime is a truly international business, with attacks on U.S. companies routinely originating from all over the world. This is because cyber crime is difficult to trace and prosecute and can be done from anywhere with a cheap laptop and an internet connection. Additionally, healthcare is a critical industry that is vital to the literal health of our country. Disrupting or destabilizing our healthcare system can erode trust in our government as well.

Q. Are hospitals investing heavily in cyber defenses and countermeasures? If so, does that raise the cost of health care?

A. Yes, they are! Healthcare organizations are investing in enhanced cyber security measures, including more staff, to combat cyber threats. The cost of these measures is relatively low compared to the potential losses from a data breach. While cyber security staffing is currently at a premium, this should level off as more people enter the field. Overall, I believe that the impact to patient care costs will be as little as 3% if these investments are budgeted and managed properly.

What are the most common cyber attacks in health care?

* Phishing: Hackers send emails or text messages that appear to be from a legitimate source, such as a doctor's office or insurance company. The emails or text messages often contain links that will take the victim to a fake website to enter personal information that hackers can then steal.

* Ransomware: Malware that locks down or encrypts files on the infected computer and demands a ransom payment to restore access. These attacks are often targeted at healthcare organizations because they store large amounts of sensitive patient data.

* Data breaches: Unauthorized release of sensitive records, often posted publicly. If a healthcare organization experiences a data breach, it could lead to the theft of patient information, which could have serious consequences for patient privacy and security, like identity theft.

* DDoS attacks: These attacks prevent access to a healthcare organization's websites and online resources by generating enormous amounts of fake web traffic. This can make it difficult for patients and healthcare workers to access the information they need.

* IoT medical device attacks: These target devices such as insulin pumps that are connected to the internet. IoT devices can be used to collect and transmit patient data, but they can also be a target for cyber attacks. If an IoT device is hacked, it could be used to steal patient data or to disrupt patient care.

What can patients do to protect themselves from health care cyber security threats?

* Be aware of phishing emails and text messages. Do not click on links in emails or text messages unless you are sure that they are from a legitimate source. Call to confirm if the request is strange or makes you uncomfortable.

* Keep your mobile phone and computer software up to date. Software updates often include security patches that can help to protect your computer from malware and other threats.

* Use strong passwords and change them regularly. Do not use the same password for multiple accounts to limit the impact of a single password compromise.

* Be careful about what information you share online. Do not share your personal information, such as your Social Security number or health insurance number, unless you are sure that it is safe to do so.

* Report suspicious contact or activity to your healthcare provider.