Ransomware tops list of healthcare cybersecurity threats in 2019
Healthcare CIOs should get ready for a vigorous privacy debate and prepare for more destructive cyberattacks in the coming year, according to experts.
An IT vendor that services more than 100 nursing homes was hit by a ransomware attack that brought healthcare workers to a crawl in November. In October, the DCH Health System in Alabama fell victim to a similar attack that left it unable to accept new patients at three hospitals. And just this week in New Jersey, Hackensack Meridian Health said it paid an undisclosed sum to stop a cyberattack.
Healthcare cybersecurity experts believe attacks like these will only grow in frequency in 2020, and healthcare CIOs should be ready to deal with the fallout.
But that's not the only trend experts believe healthcare CIOs will have to juggle come the new year. Others expect the data privacy debate will heat up, especially as more technology companies such as Google and Apple continue to edge their way into healthcare. And preventive security measures, whether that be changing the culture or investing in technology, will be on the forefront in 2020.
2019 shows shift in attacks on healthcare
The most common attack on healthcare has involved data theft, but that's starting to change, according to Caleb Barlow, president and CEO at healthcare cybersecurity firm CynergisTek Inc. in Austin, Texas.
Today, hackers are turning to ransomware more frequently, and those attacks have a destructive, "kinetic impact" that data theft does not, Barlow said.
"That means, you didn't steal the data, you locked it up, destroyed it or changed it," Barlow said. "When those things happen, you can't see patients."
Larry Ponemon, president of the Ponemon Institute in Traverse City, Mich., echoed Barlow's sentiments, calling 2019 "the year of ransomware." Ransomware is a type of malware that can lock healthcare systems and compromise patient data access, usually through encryption. Ransomware attackers will then typically demand that a ransom be paid before providing a decryption key.
The attack can put healthcare organizations in a tough spot: pay the ransom, which can push an organization to the financial brink, or unlock the data on their own, which can take months.
Barlow expects the ransomware trend in healthcare to only continue in 2020. He pointed to the attack that crippled 110 nursing homes in Wisconsin as the most devastating of 2019, saying it highlighted how hackers are using more destructive methods to compromise a healthcare system.
"It further underscores the movement of adversarial action from data exfiltration to destructive attacks," Barlow said. "We have to start becoming prepared for this."
Privacy should be top-of-mind
Healthcare CIOs will have to do more than focus on security in 2020.
Kate Borten, president of healthcare privacy and security consultancy The Marblehead Group in Marblehead, Mass., said the privacy conversation from 2019, sparked in part by partnerships between technology companies like Google, will continue into the new year.
One such partnership that raised eyebrows was between Google and Ascension Health. Ascension, based in St. Louis, partnered with Google in part to use the tech giant's AI and machine learning tools on millions of patients' data and has been criticized for its lack of transparency around the initiative, called Project Nightingale. Borten said the relationship raised legal, ethical and moral concerns around the use of patient data.
Healthcare organizations are turning to tech giants not only for data analytics tools, but for cloud data storage capabilities. By forming partnerships, healthcare organizations are looking to save costs in the long run on security and data storage, while also gaining insights on historical patient data.
When entering into relationships with technology companies, healthcare CIOs should dig into potential privacy questions, such as the lack of transparency to patients on how their data is being used.
"Just the volume of data and the fact that Google is really mining it intensively should be a concern to society at large and should raise questions about regulatory limits and boundaries and controls on this kind of activity," Borten said.
Healthcare organizations are not violating federal law by partnering with Google or Amazon, but Borten believes they stretch HIPAA and the privacy rule too far -- regulations she believes should be revisited in 2020. She also suggested a national privacy law similar to the European Union's General Data Protection Regulation (GDPR) be introduced to better protect patient information.
2020 healthcare cybersecurity resolutions
While healthcare CIOs should prepare to navigate relationships with companies where privacy could be a concern, they will also need to be prepared for the growing threat of ransomware attacks in 2020.
CynergisTek's Barlow believes there are three key things every healthcare CIO should institute in 2020, if they haven't already:
- two-factor authentication, which requires two forms of identification for a user to access sensitive information;
- endpoint protection, which requires devices such as laptops to comply with security measures before accessing a health system's network; and
- network segmentation, or splitting a computer network into smaller subnetworks to better control security across the entire network.
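The third item, network segmentation, is only as good as the firewall rules that enforce it, and a ruleset drifts over time. The following script is an added illustration, not code from the article or from CynergisTek: it models a first-match firewall policy with an implicit final deny and checks it against a list of segmentation invariants that a health system might require (guest Wi-Fi can never reach clinical systems, user workstations reach the clinical tier only on 443, the backup segment is reachable only from the backup server). The segment names, ports and rules are constructed for the example and are assumptions, not a description of any real hospital network.

```python
"""Check a firewall ruleset against network-segmentation invariants.

Rules are evaluated first-match with an implicit final deny, which is how
most firewalls behave. The segment names, ports and rules below are
constructed for illustration only (assumptions, not a real health system).
"""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str       # source segment name, or ANY
    dst: str       # destination segment name, or ANY
    port: object   # TCP/UDP port number, or ANY
    action: str    # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in (ANY, src)
                and self.dst in (ANY, dst)
                and self.port in (ANY, port))


def is_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """The first matching rule decides; no matching rule means deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action == "allow"
    return False


# Invariants: (src, dst, port, expected_allowed). Constructed example policy:
# guest Wi-Fi never reaches clinical systems, workstations reach the clinical
# tier only on 443 (no SMB), and only the backup server reaches backup storage.
INVARIANTS: List[Tuple[str, str, int, bool]] = [
    ("guest", "clinical", 443, False),
    ("guest", "clinical", 445, False),
    ("workstations", "clinical", 443, True),
    ("workstations", "clinical", 445, False),   # no SMB from user devices
    ("workstations", "backup", 445, False),     # ransomware often targets backups
    ("backup_server", "backup", 445, True),
    ("clinical", "internet", 443, False),       # clinical tier has no direct egress
]


def check_segmentation(rules: List[Rule], invariants=INVARIANTS):
    """Return the invariants the ruleset violates (empty list means all hold)."""
    violations = []
    for src, dst, port, expected in invariants:
        if is_allowed(rules, src, dst, port) != expected:
            violations.append((src, dst, port, expected))
    return violations


# A flat network: a single rule that allows everything (constructed).
FLAT_RULES = [Rule(ANY, ANY, ANY, "allow")]

# A segmented design: explicit allows only; everything else falls to deny (constructed).
SEGMENTED_RULES = [
    Rule("workstations", "clinical", 443, "allow"),
    Rule("backup_server", "backup", 445, "allow"),
    Rule("workstations", "internet", 443, "allow"),
    Rule("workstations", "internet", 80, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        bad = check_segmentation(rules)
        print(f"{name}: {len(bad)} violation(s)")
        for v in bad:
            print("   ", v)
```

Run as a script, the flat ruleset fails every "must be denied" invariant while the segmented ruleset passes all of them. In practice the rules would be exported from the real firewall and the invariant list would be kept under version control, so that a change that quietly opens SMB from the workstation VLAN to the backup segment is caught before an attacker finds it.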
Although preventing an attack is critical, healthcare organizations also need to be prepared for when an attack occurs. How they respond will have a direct impact on the resiliency of the organization, Barlow said.
First, healthcare organizations need to build a plan around the types of attacks that are likely and then simulate those attacks and play out how the organization will respond, not unlike how an emergency room prepares for a mass casualty incident.
"Healthcare institutions understand how to build plans, practice and simulate, but they need to add cybersecurity to that list of things they're going to do next year," Barlow said. "Their disaster drill for next year isn't the Ebola patient shows up in the ER, it's that they're locked up with ransomware."
Healthcare CIOs should also focus on eradicating bad cybersecurity practices. David Chou, vice president and principal analyst at Constellation Research in Cupertino, Calif., said that won't be easy and often necessitates foundational changes that could take significant planning and time.
Chou's message for healthcare organizations in 2020 is to build a full IT security program, which could mean a change in culture and behavior, as well as gaining the right resources and support to do it effectively.
"That has always been a challenge, especially in healthcare, because now you're starting to take investments away from other clinical areas, whether that's a new MRI machine or building that needs to get updated," Chou said. "That money is being shifted to healthcare security. These are tough decisions organizations have to make."
According to Borten, healthcare organizations should pay close attention to security when moving data and operations to the cloud in 2020.
"The way you manage security becomes quite different and it may be new and different for the IT staff," she said.