An analysis of the healthcare industry highlights a significant number of trends that are converging to increase data privacy and security threats. Let's review those trends briefly.
As with the rest of the world, healthcare organizations are shifting various workloads to cloud services. As a consequence, healthcare professionals are using cloud-based file-storage and sharing services, cloud-based electronic health records services, and various cloud-based services for exchanging healthcare information between providers and other players in the industry. MarketsAndMarkets forecasted a tripling of cloud expenditure within the healthcare industry from 2015 to 2020,[i] while HIMSS Analytics has tracked significant uptake of many types of cloud services across healthcare,[ii] with health information exchange and back-office solutions the leading workloads in the most recent survey. The use of cloud services introduces a shared-responsibility security model, a need for new ways of securing sensitive information, and many new potential points of failure in security processes.
The impacts of phishing and ransomware cyber attacks are getting worse across the world, and are having significant negative impacts specifically in the healthcare industry – Verizon has found that the healthcare industry is the second biggest target for ransomware [iii]. SonicWALL reported that ransomware attacks grew from 3.8 million in 2015 to 638 million in 2016, a growth of 167 times in one year [iv]. Symantec tracked 4,000 ransomware attacks per day in the first quarter of 2016, a 300 percent increase year-on-year [v]. Malwarebytes noted the increased use of ransomware in various malicious forms, with the share of malicious payload growing from 20 percent at the beginning of 2016 to 67 percent by November [vi]. It has also been estimated that there are up to 1,000 new variants of ransomware being released to market, creating an incredibly challenging environment for organizations of all kinds. When ransomware affects healthcare organizations, lives are at immediate risk.
In terms of the healthcare industry specifically, consider the following:
Finally, with reports that ransomware is now available "as a service," with proceeds from the criminal undertaking being shared with the ransomware developer, it is no surprise that the threat is greatly elevated. And, as various healthcare organizations have discovered to their detriment, it takes only one employee to mistakenly download a malicious document.
As an example of ransomware-as-a-service, a hospital that serves patients in southwest Washington and Oregon fell victim to a spearphishing email that included a shortened URL. Clicking on the link redirected the user to a cloud-based storage site from which a well-crafted, realistic-looking malicious .docx file could be downloaded. Clicking on any of three icons in the document triggered JavaScript that executed a variant of the Philadelphia ransomware, available for just a few hundred dollars [xii]. It takes only a single employee to mistakenly download the document and potentially infect an entire healthcare system.
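A defender-side check for the delivery mechanism described above, added here as an example and not part of the original white paper or of any product it discusses: a .docx file is a zip archive, and a file embedded as a clickable icon appears in `word/document.xml` as a Packager OLE object (`ProgID="Package"`, `DrawAspect="Icon"`) with its blob stored under `word/embeddings/`. The script lists those objects, scans each embedding blob for script-type filenames (the Ole10Native stream stores the original filename in plain ASCII), and returns a triage verdict. The function names and the risk thresholds are this example's own choices; the sample document it builds is constructed for the demonstration and carries no payload.

```python
import io
import re
import zipfile

# Filename extensions that indicate a runnable script or executable rather than
# a spreadsheet or picture. Constructed list for this example; extend as needed.
SCRIPT_NAME_RE = re.compile(rb"[\w\-]+\.(?:js|jse|vbs|vbe|wsf|hta|exe|scr)\b", re.IGNORECASE)

# Standard OOXML markup for an embedded file rendered as an icon (Packager object).
PACKAGER_RE = re.compile(r'<o:OLEObject[^>]*ProgID="Package"')
ICON_RE = re.compile(r'DrawAspect="Icon"')


def inspect_docx(data: bytes) -> dict:
    """Inspect a .docx (given as bytes) for embedded objects that could launch a script.

    No Office parser is needed: a .docx is a zip archive of XML parts and blobs.
    """
    findings = {
        "embedded_objects": [],  # zip entries under word/embeddings/
        "packager_objects": 0,   # <o:OLEObject ... ProgID="Package"> occurrences
        "icon_objects": 0,       # objects rendered as clickable icons
        "script_names": [],      # script-like filenames found inside the blobs
        "macros": False,         # word/vbaProject.bin present
    }
    with zipfile.ZipFile(io.BytesIO(data)) as doc:
        names = doc.namelist()
        findings["macros"] = "word/vbaProject.bin" in names
        for name in names:
            if name.startswith("word/embeddings/"):
                findings["embedded_objects"].append(name)
                # A byte-level scan is enough: Packager stores the filename as ASCII.
                for match in SCRIPT_NAME_RE.findall(doc.read(name)):
                    decoded = match.decode("ascii", errors="replace")
                    if decoded not in findings["script_names"]:
                        findings["script_names"].append(decoded)
        if "word/document.xml" in names:
            xml = doc.read("word/document.xml").decode("utf-8", errors="replace")
            findings["packager_objects"] = len(PACKAGER_RE.findall(xml))
            findings["icon_objects"] = len(ICON_RE.findall(xml))
    return findings


def risk_level(findings: dict) -> str:
    """Map findings to a triage verdict: 'high' (hold for analysis) or 'low'."""
    if findings["script_names"] or findings["macros"]:
        return "high"
    # An arbitrary file hidden behind an icon is itself a red flag in inbound mail.
    if findings["packager_objects"] or findings["icon_objects"]:
        return "high"
    return "low"


def build_sample_docx(embedded_filename: bytes = b"") -> bytes:
    """Build a minimal .docx in memory (constructed sample, contains no real payload).

    With a filename, the document carries one Packager icon whose embedding blob
    names that file the way an Ole10Native stream does; without one, text only.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
        "</Types>"
    )
    body = "<w:p><w:r><w:t>Please review the attached invoice.</w:t></w:r></w:p>"
    if embedded_filename:
        body += (
            "<w:p><w:r><w:object>"
            '<o:OLEObject Type="Embed" ProgID="Package" DrawAspect="Icon" r:id="rId5"/>'
            "</w:object></w:r></w:p>"
        )
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:o="urn:schemas-microsoft-com:office:office" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<w:body>{body}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as doc:
        doc.writestr("[Content_Types].xml", content_types)
        doc.writestr("word/document.xml", document_xml)
        if embedded_filename:
            # Mimics the Ole10Native layout: header bytes, label, then a source path.
            blob = b"\x02\x00" + b"\x00" * 14 + embedded_filename + b"\x00"
            blob += b"C:\\Temp\\" + embedded_filename + b"\x00"
            doc.writestr("word/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_docx()),
                          ("icon+script", build_sample_docx(b"invoice.js"))):
        result = inspect_docx(sample)
        print(label, risk_level(result), result)
```

In a mail gateway or sandbox pipeline the same function would run over each attachment, with anything rated "high" held back for analysis rather than delivered; a document that is merely an icon-laden Packager object with a non-script payload still gets "high" here on purpose, since that construction has no legitimate place in unsolicited inbound mail.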
Phishing, spearphishing, and CEO Fraud – all variants on the theme of delivering a malicious payload via email – are becoming more common and damaging.
Despite all of the regulatory requirements around data privacy, security, and the prevention of breaches of personally identifiable health information, data breaches have become all too common across the industry. For example, the survey conducted for this white paper found that 17 percent of the organizations surveyed had suffered a breach of healthcare-related data during the previous 12 months.
The 2015 data breach at Anthem saw the theft of medical records for more than 80 million people [xiii], while the breach at Premera in 2014-2015 resulted in medical records for some 11 million customers being stolen [xiv]. One analysis of the US Health and Human Services data breach database found an increase from 268 data breaches in 2015 to 328 separate breaches in 2016, with more than 16 million health records of American citizens affected [xv].
Ransomware, phishing, and data breaches all compromise core healthcare systems, which immediately undermines the ability of the healthcare organization to deliver standard and emergency care to patients. It can be a matter of life and death when doctors can't access a patient's healthcare record, a hospital has to turn away patients arriving by ambulance, nurses have to revert to manual processes they haven't been trained to use, the pharmacy can't get timely alerts for new prescriptions, and medical devices are locked and inoperable. These are all life-critical situations, and patients, their families, and regulators expect near-perfect uptime and availability.
For hospitals that have been compromised by ransomware, there is ongoing reputational damage and brand risk. For example, the Hollywood Presbyterian Medical Center was infected with ransomware in early 2016, and ultimately paid nearly $17,000 in Bitcoin to regain access to its own systems. The hospital was effectively out of action for 10 days, losing revenue. The longer-term reputational impacts linger, however; for example, a Google search for the hospital returns the ransomware episode in four of the first 10 results, leading potential patients and others to wonder whether its healthcare performance is better than its competence in IT. Likewise, regardless of the great work done at the California-based health system, the impact of its recent $2.14 million fine for HIPAA security and privacy violations and the $28 million settlement of a class action suit will linger for a long time.
With mandatory data breach notification requirements in an increasing number of jurisdictions, healthcare organizations have no choice but to tell the world when their security systems are inadequate. Data breaches and ransomware infections affect the value of the brand, and can have negative goodwill implications in a merger or acquisition. While not a healthcare example, consider the $350 million discount Verizon received on purchasing Yahoo! after the disclosure of two massive data breaches at Yahoo! spanning many years [xvi]. Perhaps it is no surprise that, according to Bitdefender last year, a majority of US organizations would rather pay a hidden penalty fee than have the details of a data breach go public [xvii].
Security controls across the healthcare industry have received insufficient funding over many years. In England, for example, the government has redirected capital funding set aside for buildings and new equipment to pay for day-to-day services, such as Accident & Emergency departments [xviii]. This has made it more difficult for NHS organizations to deploy the necessary preventative measures. In the United States, HIMSS Analytics and Symantec report that 80 percent of healthcare providers spend less than six percent of their overall IT budget on security, and 50 percent spend less than three percent [xix]. This compares with 16 percent for the US Federal Government. Other research studies have highlighted that security is an afterthought for many healthcare organizations, with some hospitals failing to deploy even basic security measures such as intrusion detection, security assessments of current infrastructure, and the ability to remotely wipe lost or stolen devices. The US Department of Health and Human Services called out the general lack of encryption across the industry, stating that some 60 percent of healthcare data breaches since 2009 could have been avoided if the data had been properly encrypted [xx]. It's a sad state of affairs.
The survey conducted for this white paper found that most organizations either do not use encryption or tokenization of healthcare-related data at rest, or do not do so for all of their systems and applications.
The final trend of note is the growing number and complexity of communication and collaboration tools being used across the sector. As with other industries, workers face an onslaught of interaction requests and demands through email, social media, new enterprise collaboration systems, texts, and mobile device apps. Workers on the front line of delivering healthcare trust that these systems are secure and reliable, but that trust is often misplaced: these tools are frequently abused to deliver malicious content masquerading as legitimate communication.