Washington, D.C., is reeling from the news of a hack at MedStar, one of the largest medical providers in the area. A computer virus infecting the organization’s computer systems forced MedStar to shut down much of its online operations Monday.
The exact nature of the attack is not yet known, but MedStar is just the latest victim in a string of cyberattacks that have hit the health care industry hard. Here’s what you need to know about how health care providers became the latest digital battleground.
Q. Why would cybercriminals go after the health care industry?
A. The health care sector has a lot of information that could be valuable to criminals and that makes it a juicy target.
First, health care providers often have a bunch of personal information that could be used for traditional financial fraud — things like your name, Social Security number and payment information. They also have health insurance information, which can be sold for even more on online black markets because it can be used to commit medical fraud — things like obtaining free medical care or purchasing expensive medical equipment — that often isn’t caught as quickly as credit card or bank account fraud.
A particularly plucky cybercriminal could even leverage compromising medical information guarded by health care providers into a blackmail scheme — although that hasn’t become a major avenue for attack yet, according to Ben Johnson, co-founder and chief security strategist at cybersecurity Carbon Black.
However, several U.S. hospitals have also now been hit with ransomware, a type of malicious software that basically lets an attacker hold a computer hostage. Once ransomware gets in a system, it starts quietly using hard-to-break encryption to lock up the information stored there, making information inaccessible to the legitimate user. After the software has finished locking things up, it typically pops up with a message demanding a payoff in a difficult-to-track digital currency like bitcoin in exchange for the digital key needed to get back into the data.
This is a nightmare scenario for health care providers because more and more of them rely on electronic medical records to keep things up and running.
“Health care is a bit unique in that up-time is really important,” said Johnson, which means providers may be more likely than other targets to pay quickly so they can get back to work.
Q. Just how vulnerable is the health care sector to cyberattacks?
A. Things aren’t looking good.
According to cybersecurity firm TrendMicro, health care was the sector that was hit hardest by data breaches from 2010 through 2015. Not all of those breaches involved hacks — two-thirds were actually due to the loss or theft of things like laptops, smartphones or thumb drives — but it still demonstrates a major problem with the way the industry approaches keeping data safe.
“It’s a big environment with a lot of different pieces — and not a lot of investment in cybersecurity,” Johnson said.
Part of the problem is that hospitals and doctors’ offices often have to oversee a mishmash of different types of equipment running different types of software — and they can’t always apply standard security practices, like regular updates, without risking instability because it might break the connections between systems, according to Jay Radcliffe, a senior security consultant at cybersecurity company Rapid7.
The FBI warned health care providers that they needed to boost their digital defenses in April 2014. “The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” said a private notice the FBI distributed to the sector that was obtained by Reuters at the time.
In 2015, several big health insurers suffered major breaches. One hack at Anthem, the nation’s second-largest health insurer, left information on up to 80 million people exposed. Another at Premera exposed data on 11 million people, including medical information.
Last month a ransomware attack hit Hollywood Presbyterian Hospital in California. Staff members were forced to resort to paper record-keeping for a week and divert patients to other hospitals, according to local reports. The hospital eventually paid the attackers roughly $17,000 to regain access to its data. Two other hospitals in Southern California also reportedly were hit with similar ransomware this month — as was a Kentucky hospital, which declared an “internal state of emergency” after the attack.
Q. What is the health care sector doing to fix all this?
A. The industry has its own groups dedicated to helping coordinate how it responds to cybersecurity threats, including the National Health Information Sharing and Analysis Center, which was founded in 2010. Such efforts are useful because they can help industries work together to help stem the spread of a particular type of threat early on.
And there is at least one bright side of all the recent breaches and hacks in the health care sector: “They’re really waking up to the fact that they are a huge target,” Johnson said.
Even once an organization has committed the funds to build up its digital defenses, plotting the best path forward can be difficult, Johnson said, because it takes time to figure out which tools to put in place and whom to hire.
The latter part can be difficult for health care providers because there’s a shortage of security professionals across all industries.
“I’ve literally talked to health care organizations that have 300 open security positions and are struggling to fill even a handful of them,” Johnson said. “It’s going to be a rough few years.”