Not long ago, it was reasonable to think that financial businesses would be the most prominent and most profitable targets of criminal activity. After all, a successful bank robbery could score you tens of thousands of dollars (or more). But these days, it’s another industry facing the brunt of criminal attacks, and it’s one with much more bearing on us as consumers: healthcare.
Ransomware attacks grew three times over last year, with healthcare organizations being the most common sources of attack. These incidents range from low-key and barely noticeable to large-scale hacks that have taken down hospitals for weeks at a time. The WannaCry cyberattack, in particular, was responsible for infecting more than 300,000 computers and devices. It’s no secret that healthcare institutions are glaringly vulnerable to these types of attacks, but the bigger problem is that even with this knowledge, we’re not doing enough to fix the situation.
The value of healthcare data
Part of the cybersecurity problem has less to do with the security flaws present in healthcare systems and more to do with the enormous value of healthcare data. Hospitals and healthcare organizations are tasked with gathering tons of personal details on their patients, including their social security numbers, medications they’re taking, and credit card information. A single patient’s record could be worth up to $1,000, and a large-scale hack could net hundreds, or even thousands of records. Naturally, this makes healthcare organizations a target.
The vulnerability of patients
It’s not just the monetary value of records or the logistical annoyances of recovering from a breach that we need to worry about. In the fields of medicine and healthcare, people’s lives could be at stake. For example, researchers in Israel have demonstrated how easy it is to falsify the presence of a tumor on a volumetric medical scan. Someone with enough gumption to follow through on this kind of attack could manipulate someone to receive treatments that aren’t appropriate for them, resulting in terrible complications.
Even if the quality of care patients are receiving isn’t directly affected, there’s evidence to suggest that 30-day mortality rates rise significantly after a hospital data breach. As hospitals are stretched thin with resources and staff members are more stressed than usual, the quality of care naturally goes down. This makes a cyberattack on a hospital much more inherently dangerous than, say, one on a financial institution.
The rising complexity of healthcare systems
Hospitals are also especially vulnerable because their tech systems are becoming increasingly complicated, and in more ways than one. For starters, medical technology is increasingly relying on an interconnected network of devices. In hospitals, this means nurses and doctors rely on tablets and mobile devices in addition to computers and monitoring equipment. In patients, this means sensors, monitoring equipment, and sometimes even prosthetics that collect information or provide treatments. All it takes is one vulnerability in one device to compromise the integrity of the entire network—and one exploit from 2017 proves that implanted devices like pacemakers are hackable.
This complexity isn’t limited to the security or integrity of devices, either. As our healthcare systems increasingly rely on digital interfaces for patients and personal medical devices, much of the security burden is placed on patients. Patients are the ones responsible for creating, maintaining, and protecting their passwords and login credentials, and may use their medical devices on unsecured home networks. Again, all it takes is one lapse in security from a patient, a doctor, a nurse, or another staff member to cause serious harm.
Misplaced attention on tech upgrades
Hospitals are always eager to get their hands on the latest medical technology, and for good reason. The cost of a state-of-the-art MRI machine is something close to $3 million, and hospitals are willing to pay it if it means better health outcomes for their patients (or, more imminently, a competitive advantage over other hospitals in the area). Meanwhile, as late as 2016, 90 percent of UK hospitals were running Windows XP as their operating system—which, even then, was practically an antique.
Healthcare tech staff disproportionately focus on bigger, better, more functional upgrades, but ignore updates to existing devices and programs. Therein lies the security problem; new devices work well and provide great value, but they don’t make up for the structural weaknesses of older tech on the same network.
The lack of understanding
Much blame can be placed on a lack of understanding in hospitals and other healthcare organizations. Many hospitals don’t have an IT department or a cybersecurity division, and their major decision makers are more focused on improving health outcomes than thinking about security. Even if there is a high-level initiative to review and improve a network, ground-level employees like nurses and physicians may not have the necessary training to conduct best practices for cybersecurity.
Part of this is simply a guidance issue; organizations like the FDA haven’t adequately prepared for the growing complexities of medical technology. Another is an interest issue; healthcare experts got into healthcare because they care about treating and improving people’s lives, not because they like working with computers. Few medical programs spend significant time educating future medical leaders on principles of tech security.
The lack of funding
Protecting against cyberthreats is expensive, especially when dealing with national- or international-scale healthcare organizations, making some leaders reluctant to invest in it. Higher tech security standards would translate to higher prices for patients (which are already egregious), and possibly more internal restrictions on the acquisition of new technologies. However, the alternative is much more expensive; the WannaCry attack cost more than $100 million to clean up when it happened. Not wanting to pay the money to beef up security and put some standards in place is no excuse to not make the initiative.
The bottom line
The problem in healthcare cybersecurity is enormous and complex, and it’s only getting worse. Many hospitals and security organizations are stepping up their efforts to improve security, but they simply aren’t doing enough. There isn’t a quick fix, but it’s obvious we need to start taking action in several areas, including better cybersecurity education for healthcare practitioners, more strategic tech replacement standards, better direction from regulatory agencies, and of course, more funding for IT maintenance.
Published April 23, 2019 — 14:29 UTC