Cybersecurity Threats Continue to Vex Health Systems
This past July, one of the largest clinical laboratories shut down temporarily after discovering suspicious activities on its computer network. An internal investigation revealed that the North Carolina–based company LabCorp Diagnostics had been hit with a ransomware attack that infected thousands of its servers.
Just a few weeks later, the midwestern hospital network UnityPoint Health fell prey to a phishing attack. This breach—the second at UnityPoint in months and the largest in the United States this year—compromised as many as 1.4 million patient records, containing names, laboratory test results and, in some instances, Social Security numbers.
These cybersecurity breaches are hardly the only ones to affect the health care industry this year. A 2018 report from the health care analytics company Protenus revealed that 3.14 million patient records were compromised in the United States between April 1 and June 30.
“There has been a dramatic increase in cybersecurity threats in the health care industry,” said Mike McKee, the CEO of ObserveIT, a cybersecurity company.
Investigations made by Verizon mapped this escalation in cyberattacks worldwide. In 2012, data breaches in health care represented less than 1% of breaches across numerous industries. By 2017, that figure had climbed to 24%.
“When it comes to cyberattacks, it’s not a matter of ‘if,’ it’s a matter of ‘when,’” said Mohammad Jalali, PhD, a research faculty member studying organizational cybersecurity and public health at the Massachusetts Institute of Technology Sloan School of Management, in Cambridge.
Although health data may be the main target for hackers, medical equipment is vulnerable, too.
Ben Ransford, PhD, recognized the potential threat to medical devices a decade ago while working for his computer science doctorate in Kevin Fu’s laboratory at the University of Massachusetts, in Amherst.
“We realized there was a trend we couldn’t ignore, a trend toward making therapeutic devices more computerized,” Dr. Ransford said. “The natural question for us was what kind of security features do these devices have and could someone with malicious intentions disrupt their therapeutic benefit?”
In 2008, Drs. Ransford and Fu, along with a team of experts, performed the first hack of an implantable cardioverter defibrillator. The researchers were able to reprogram the device and intercept patient data. Although the real-world risk to patient safety was minimal because the hack required close proximity to the pacemaker and experts to interpret the data, the findings did reveal a security gap that could allow outsiders to tamper with equipment and disrupt patient care.
“These designs were based on old-world principles that no one will mess with medical devices,” said Dr. Ransford, now the co-founder and CEO of health care cybersecurity company Virta Labs, based in Seattle. “But over the past decade, every manufacturer has had to wake up to the reality that computerization of care brings new security risks and failure modes. Regulatory scrutiny has ratcheted up accordingly.”
Since then, security experts have been teasing apart medical equipment in an effort to pinpoint vulnerabilities. In 2014, security researchers at the system Essentia Health in the upper Midwest demonstrated they could hack their own hospital’s equipment—including implantable cardiac defibrillators, infusion pumps, refrigerators and MRI machines—and alter their function. Examples were that the team could change the drug dose infusion pumps delivered to patients and the temperature of refrigerators that store blood.
In 2015, computer scientists at the University of Washington, in Seattle, hijacked a surgical robot, the Raven II, showing the feasibility of overriding a surgeon’s commands. The team concluded that “an attacker can easily and quite efficiently disrupt a surgical procedure.”
Earlier this year, Douglas McKee, a senior security researcher for the digital security company McAfee (no relation to Mike McKee), described modifying a patient’s vital signs in real time. “Such an attack could result in patients receiving the wrong medications, additional testing and extended hospital stays—any of which could incur unnecessary expenses,” Mr. McKee wrote in his report. However, he noted that a hacker would need to be on the same network as the devices and be privy to the networking protocol.
Although some experts have highlighted how easily hospital equipment can be hacked, the threat to patient safety remains unclear. Earlier this year, hackers known as Orangeworm infected medical imaging systems throughout the United States with malware but so far have not harmed the devices or patients, according to the security firm Symantec.
“The take-home message for doctors and patients is don’t freak out,” Dr. Ransford said. “Hacks of medical devices remain largely theoretical threats to patients. The risk of becoming a target of a malicious and elaborate hack of a medical device is slim.”
What are the major cybersecurity threats in health care? According to Fernando Martinez, PhD, the answer is email, specifically phishing emails. These emails are designed to compel recipients to click on a hyperlink or download a file that subsequently infects their computer or an entire network.
“Phishing emails prey on people’s trusting nature,” said Dr. Martinez, the founder of the Texas Hospital Association Center for Technology Innovation, in Austin. “It just takes one employee to fall for a phishing email to infect a whole organization.”
Outdated software can make it easier for malware to spread. In 2017, two major ransomware attacks—Petya and WannaCry—exploited a vulnerability in the Microsoft Windows operating system. Although Microsoft issued an update to fix the issue, some companies failed to install it, making them more vulnerable to attack.
Theft of health information from workspaces or cars is another way to access private records. “The theft of laptops, which may contain unencrypted patient information, is often how a breach happens,” Dr. Ransford said.
In contrast to external threats, company insiders represent one of the most significant cybersecurity risks.
“Intentional, targeted breaches are far less common than momentary lapses or mismanagement of data,” Dr. Ransford said. “Human error will always be a major factor. That’s why training is essential.”
According to Verizon’s 2018 report, more than half of health care breaches in 2017 came from people inside an organization. Most breaches were caused by either error (misdelivering or misplacing information), or misuse (employees motivated by financial gain or curiosity, such as snooping on family members).
“Insiders pose a major threat because they have full access to sensitive patient data and medical devices,” said Mr. McKee of ObserveIT. “When this data gets into the wrong hands, it can have a dramatic impact on patients’ trust in the organization, as well as deal a massive blow to the organization’s reputation.”
Protecting the Network
Despite the rise in cyberattacks, developing security protocols to protect medical records and devices remains a neglected part of the health care ecosystem.
“Many hospitals still have inadequate infrastructure to deal with the problem and some hospital boards may consider cybersecurity a luxury product, not a priority,” said Dr. Jalali.
Building a solid infrastructure is about investing in the basics. According to Drs. Martinez and Ransford, good cybersecurity hygiene is a must. Organizations should be routinely analyzing risks, installing patches and security updates, and providing ongoing training to hospital staff. Mayo Clinic, for instance, performs its own security testing on medical devices before incorporating them into the health care environment, and includes language in its contract with vendors that sets high standards for device security.
The FDA also has stepped in. This year, the agency issued its Medical Device Safety Action Plan, which includes establishing a team that investigates cybersecurity issues.
Beyond investing in infrastructure, a range of higher tech solutions exists. Blockchain, a decentralized network of nodes that allows secure transactions or data sharing, represents one promising approach to protecting health information. “In theory, a hacker can break into a blockchain, but that person would need to hack every individual node to corrupt the data,” said Ana Santos Rutschman, SJD, an assistant professor in the Center for Health Law Studies at Saint Louis University, in St. Louis.
A few blockchain pilot projects are underway in the United States. In 2018, the FDA partnered with several hospitals to test the feasibility of blockchain technology (Nat Rev Drug Discov 2018;17:529-530). But Dr. Rutschman cautioned that blockchain systems are far from a reality in this country.
“For one, the U.S. lacks the infrastructure to develop a national blockchain and privacy regulations also limit its spread,” Dr. Rutschman said. “To work, health care information would need to be connected, but data in the U.S. are spread out in silos. Encryption softwares are currently the main technology used to protect health data.”
Still, simply throwing tech at the problem won’t solve it. “There’s a misperception that if you focus on technology, you will have a secure system,” Dr. Jalali said. “What’s as important is improving the culture of security.”
When Dr. Ransford sees a hospital struggling with cybersecurity issues, he also sees not enough people with security in their job titles. “Cybersecurity is a people problem and organizations need to build cross-disciplinary teams that routinely work together,” he said. “Everyone has a role in maintaining cybersecurity.”