Who's Afraid of the Big Bad Breach? - Part 1

You should be. It’s not a matter of “if.” It’s a matter of “when.” Cybercrime has become such a huge industry that cybersecurity experts agree hospitals should count on eventually becoming a victim.

This week’s blog will present some disturbing statistics and some vulnerability points, and the next installment will outline some risk mitigation strategies.

Here are some recent notorious breaches:

· Yahoo! – 1,000,000,000 accounts
· LinkedIn – 165,000,000 accounts
· Target – 110,000,000 accounts
· DropBox – 68,000,000 accounts
· Home Depot – 54,000,000 credit cards compromised
· Sony Pictures Entertainment – significant exposure of their inner workings and data

And who can forget the infamous hacking of the Democratic National Committee’s servers?

If these “household name” organizations were unable to adequately defend themselves, why would a hospital or healthcare vendor think they are immune? Experts estimate that hacked medical information is worth 10x to 20x that of hacked financial records. For one thing, medical data cannot be easily changed. Medical records also often include social security numbers and credit card information. Physician practices and smaller hospitals may think they are less likely to be hacked because of their relatively smaller pool of data. However, hackers sometimes target them specifically because they assume such organizations have fewer defensive resources and are, therefore, easier to attack.

Modern Healthcare had an extensive special report called “Building a Better Cyberdefense” in its January 23, 2017 issue. Consider these statistics:

· There were 8-1/2 times more healthcare breaches in 2016 than in 2006.
· 87% of healthcare attorneys believe that their clients are at greater risk than other industries.
· At 78,800,000, the March 2015 breach of Anthem wins the prize for the largest healthcare breach ever.

And let’s not forget one of the newest threats: ransomware. Hollywood Presbyterian Medical Center’s patient data was recently held hostage until it paid $17,000 to restore it.

Most people consider the biggest threats to be external hackers who conduct direct attacks, seek out vulnerabilities created by patches or by interfaces among various internal systems, or intrude through connected medical devices and other parts of the “Internet of Things.” They are clearly sources of major risk. But the highest percentage of breaches are actually caused by internal sources: disgruntled employees, careless actions by employees who are lured by phishing or other attacks, and lost laptops or other devices.

Or how about the threat vector called “shadow IT”? To bypass the hassle of layered security requirements, some hospital staff (including clinicians) may log onto the hospital’s public Wi-Fi system, thereby potentially exposing any protected health information on their machines. That reminds me of one of my favorite sayings: it’s hard to design a foolproof system because fools are so ingenious.

Some may think the answer is to minimize their exposure by limiting technology. This is unlikely to help, since every organization with any type of technology, such as internal computer systems or electronic medical records, is already vulnerable.

So what’s a hospital to do? The next installment will offer some strategies.