Hospitals face growing hacker threat
Patient care is now being directly threatened by cyber criminals.
In February 2016, the Hollywood Presbyterian Medical Center found itself the victim of a crippling cyber attack which rendered its electronic medical record system inaccessible and forced hospital staff to resort to paper records. After the hackers were paid a ransom of $17,000 in bitcoins, service was resumed, but the incident was a stark warning of how the cyber threat to healthcare facilities has now moved on. “Two years ago, everyone was talking about the classic data breach,” says Christina Terplan, a US-based lawyer at Clyde & Co, “and now we’re talking about hospitals that can’t function normally because of an attack.”
Today, technological advances are impacting almost every area of a hospital’s operations. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) estimated that only 9% of non-federal acute care hospitals operated electronic health records (EHR). By 2015, 84% of hospitals had adopted at least a basic EHR system. Technology – from the use of electronic health records through to the development of wireless medical devices and telemedicine to treat patients remotely – is becoming more integrated into how hospitals deliver everyday treatment to their patients. But, as a result, the opportunity to both steal data and interrupt services is growing exponentially, says Stephanie Bristow, Healthcare Underwriter for Hiscox. “Hospitals are becoming more reliant on technology that can be undermined by people with criminal motives.”
Hospitals held hostage
Ransomware – where a cyber criminal gains control of a hospital’s computer systems through the introduction of malicious software and blocks access until a ransom is paid – has become particularly problematic. “Ransomware attacks are [now] more complex and devastating,” says Bob Anderson, Managing Director at information security experts Navigant. “If attackers gain access to a hospital’s system, they unleash a virus that infects the whole system, so every computer in that hospital is locked. Hackers aren’t launching ransomware attacks on individual hospitals – they’re attacking a thousand or more in one go. So, sooner or later, your number’s going to come up.”
One reason for this vulnerability, adds Anderson, is the outdated nature of many hospitals’ IT infrastructure. Hospitals have not yet made the same investment in IT security that has been seen in the financial services or retail arenas, says Justin Keith, Vice President of Healthcare at Hiscox. “Hospitals are much less prepared on the cyber front,” Keith says. “Often, [in a hospital] it will be a risk manager heading up IT security as opposed to [it] appointing a Chief Information Security Officer, for example, and the IT spend in a hospital is actually very low. When you consider that the cyber security spend is probably only around 3% of that figure...”
McAfee Labs’ Threat Report for September 2016 states: “Many hospitals struggle to integrate new technology with antiquated back-end systems and technologies, and their operating rooms run legacy operating systems that are responsible for patients’ lives. Some medical devices support only Windows XP because the hardware vendor or software provider is either no longer in business or has not kept up with requirements for newer technologies. Hackers know this, so medical devices have become easy targets for ransomware attacks.”
Quantifying an unknown risk
One of the key issues for hospitals to deal with is the relatively unknown nature of the cyber threat, which contrasts with the hospitals’ experience of their traditional medical negligence risks. “When it comes to hospital professional liability, experienced risk managers are able to identify and mitigate risk effectively. But for cyber, it’s still an unknown factor,” argues Bristow. Also, hospitals need to recognise how the line between traditional professional liabilities and cyber liabilities has become blurred, adds Keith. “If a hospital can’t treat a patient because its medical records system is out of action, for example, when does a cyber liability issue become one of professional liability?” This blurring means hospitals must carefully assess any gaps in their insurance coverage for both cyber and professional liability.
The regulators sharpen their teeth
It is also still unclear how the regulators will look at ransomware attacks, for example, but institutions are being encouraged to treat them as seriously as data breaches. “Particularly on the healthcare side you’re seeing the regulators look at these situations very seriously. Recent guidance issued by the Office for Civil Rights says that any ransomware attack will be considered as a data breach unless the institution concerned can prove otherwise, which is a shift in how the regulators [previously] viewed the burden of proof,” says Terplan.
To pay or not to pay?
In the meantime, Anderson advises that hospitals should look at their IT vulnerabilities. “Getting in IT security experts to look at its IT infrastructure and information security program gives a hospital the biggest bang for its buck by far. Compared to what a ransomware attack or loss of personal data would cost, it’s pennies on the dollar.”
And should a hospital pay a ransom? Anderson is neutral on whether a hospital should pay but warns: “It can be hit or miss as to whether you get your data back. Some criminals will give it back once a hospital’s paid the ransom, some won’t. Sometimes, they’ll get only some of it back. But it’s important for people to understand that it isn’t like once the money’s in a cyber criminal gang’s account then someone will tap a code into a keyboard and all the data will be released. It can take a hospital days, weeks, even months to recover its data.”