By Rob Quinn, Vice President of Global Product Marketing at BridgeHead Software
Healthcare cyberattacks pose a major threat to healthcare organizations worldwide. According to the endpoint security firm Cylance, healthcare is one of the most targeted industries for ransomware attacks.[1] Perhaps most common among the methods employed in healthcare cyberattacks, aside from phishing, is ransomware: a virus designed to lock medical professionals out of access to patient information. The general feeling is that the healthcare space is especially vulnerable at present with increased COVID-19 related malicious cyber activity.
Although the consequences of getting hacked can be enormous, and the threat is palpable, the battle is not lost. As corporations and public entities have begun treating cyber-security more seriously, the annual number of overall ransomware attacks has decreased steadily since 2016. This is not to suggest that it has become trivial – over 43 million cyberattacks still happen every year. The value of the medical and billing data found in healthcare databases makes it a tempting target for any hacker. And the war against hackers is primarily fought through preparation, policy, and procedures. Yet healthcare as an industry tends to lag when it comes to adopting new technology – and this makes it low-hanging fruit primed for any hacker to exploit. Consequently, in the 21st century, healthcare cyberattacks are less a question of “if” than of “when” – have you prepared yourself?
Emerging Risks in Healthcare Data Security
Fresh examples of the risk posed by hackers are constantly in the headlines. On October 1st of 2019, three Alabama hospitals announced that they had implemented emergency protocols following a cyberattack on their shared systems.[2] The attack was overwhelming – it encrypted not only the primary database, but the backup systems as well. Medical records were lost, and doctors had to revert to handwritten notes when tending to patients – without access to their full repository of patient records.
Globally, the outlook of healthcare cyberattacks is even more ominous. In 2017, the United Kingdom’s National Health Service was thrown into disarray when a ransomware program called WannaCry infected thousands of computers.[3] Around 20,000 appointments were cancelled, and while no deaths were recorded, a recent study shows a strong correlation between data breaches and a hospital’s 30-day mortality rate.[4] Regardless of the size or location of your organization, ransomware and other healthcare cyberattacks are extremely costly.
Patient records are critical to the daily operations of healthcare, so it should come as no surprise that most hospitals pay the ransom and move on with the important business of caring for patients. Today, the vast majority of healthcare records are stored digitally, and the risk associated with losing access to those records is too great to ignore.
The costs that accompany a ransomware attack don’t end when the ransom is paid. In addition to ransom fees and diminished revenue (due to the significant dent in productivity, e.g. cancellation of surgical operations), healthcare organizations must also endure other costs. Legal fees, regulatory fines for HIPAA and GDPR compliance failures, as well as damage to reputation and market share, all add to the total cost of remediation.
No matter how you look at it, ransomware is an expensive problem that doesn’t stop with the initial threat. The best means of dealing with a cyberattack is to avoid it altogether by knowing the vulnerabilities of your system and proactively mitigating those weaknesses.
What or Who is Most Vulnerable to Data Breaches?
Contrary to what many might assume, the biggest target for ransomware attacks is not an organization’s systems, but its people. Phishing is a means by which hackers send emails that appear to come from reputable sources, soliciting recipients to share passwords and other account credentials or prompting them to download disguised malware. Successful phishing requires human error, so providing cybersecurity training to employees is a simple and effective way to mitigate this risk.
Though people are the primary target for hackers, they are not the only vulnerability. In recent years, hospitals have invested heavily in IT and healthcare has increasingly moved to a digitized world. But, as technology has evolved, new generations of systems have been introduced, leaving a trail of vulnerable legacy systems in their wake. Why are these systems vulnerable? Simply put, once a legacy system is out of production and no longer being updated with new security patches, it quickly becomes a major cybersecurity risk for healthcare providers. Hackers are constantly on the lookout for security loopholes – legacy applications, running on older software and/or hardware, provide perfect vulnerability points.
Security is a compelling reason for retiring or replacing legacy systems – but it’s not the only one. Organizations are increasingly recognizing that when they rely on older systems, they have to continue paying licensing fees and incur extra maintenance costs to keep those applications running. There’s also the risk that, as people within the organization transition (e.g. change employers, move into new roles, retire, etc.), the skills required to run or support these applications will eventually erode.
How BridgeHead Protects Your Data
Because new threats are constantly emerging as hackers identify vulnerabilities in ageing systems, it is essential for hospitals to find a solution that addresses the risks associated with legacy systems. BridgeHead’s HealthStore® provides an Independent Clinical Archive (ICA) that specializes in extracting, consolidating, storing and protecting data from legacy applications. Once the data has been migrated to HealthStore, the legacy systems can be decommissioned. All of the licensing and running costs of that system can be eliminated, whilst the data continues to form part of the patient’s medical record, accessible in a secure environment.
Although HealthStore provides an inbuilt, self-protecting data repository, BridgeHead also recommends a comprehensive and robust data protection strategy to ensure your mission-critical data is properly backed up and recoverable in the event of intrusion or disruption. BridgeHead’s RAPid™ offers a complementary solution that works in concert with HealthStore to provide end-to-end protection of your healthcare systems and data. But it is also worth saying that, whether you consider BridgeHead’s RAPid or a product from another vendor, it is extremely important that any solution you use is underpinned by documented practices and procedures.
In summary, every day, hackers develop more sinister ways of keeping your clinicians away from the data they need to treat patients. Technological advances in machine learning and artificial intelligence will continue to fuel more sophisticated cybercrime. BridgeHead helps hospitals anticipate and mitigate the risk and damage of these attacks. While human factors, such as anti-phishing training, are also essential, hospitals need strong digital defences to protect their patients, employees, and other stakeholders against hackers.
Looking to protect your healthcare organization against the risk of cyberattack?
In healthcare, vulnerable legacy applications have far-reaching implications in terms of cybersecurity. But what are the clinical, operational, financial and governance risks? And how can healthcare providers mitigate those risks? Download this new whitepaper to learn more.
Download your copy of ‘Legacy Applications: A Healthcare Cybersecurity Nightmare’ now.
Rob is responsible for go-to-market activities for BridgeHead’s clinical data management solutions. For the last 17 years he has worked in the high-tech field helping organizations within healthcare, life sciences, and finance more efficiently manage and analyze data. Rob started his career as an engineer at Raytheon building missiles for the United States Military before moving into Product Management and Product Marketing roles within software companies such as The MathWorks, Oracle, and Agfa HealthCare.
Rob holds a B.S. degree in mechanical engineering from UMass Lowell and an MBA from UMass Amherst.