Healthcare Under Attack

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure #HCdeJure

Not a day can go by anymore without a report of at least one data breach (and likely more) or a cyber attack on a healthcare organization. The pace of attacks seemed to increase as the world shut down from COVID-19, and security concerns have only continued to increase. The landscape is somewhat frightening from a privacy and operational point of view. Before considering what can be done, it is important to understand the types of threats that are occurring.

System Shutdowns

Multiple hospital systems, highlighted by Scripps Health and the UVM (University of Vermont) Health Network, have suffered significant total downtime as a result of ransomware or other forms of cyber attacks. The attacks can provoke a couple of different outcomes. In some instances, the attack results in encryption of data or takeover of systems. In that event, the organization being attacked will often move to disconnect and shut down the IT systems. After that, a determination must be made as to whether the system can be restored from backups or other data repositories maintained by the organization. If that is not possible, then the demanded ransom will likely be paid (even if that outcome is not clearly disclosed) with the hope that not only will the data be returned, but any copies taken by the attacker will be destroyed.

Another common outcome is that the attack is detected quickly enough that IT systems are shut down in time to avoid the encryption or outside disruption. In that event, dealing with the attacker may not be necessary as there can be some comfort that no data were removed from the organization.

In either event, when a healthcare organization must shut off its IT systems, daily operations will suffer material impact. The impact runs the gamut from having to switch to paper documentation of patient encounters (paper that will need to be converted to electronic at some point) to canceling appointments or procedures, delaying revenue cycle processes, and more. These examples are just the tip of the iceberg as to what happens when systems go down.

Aside from the immediate impact of a system shutdown, the much longer-term impact is the amount of time and effort needed to restore systems. No matter the nature of the attack, care must be taken to restore all data and to ensure that all traces of the attack are removed, to avoid retriggering the issue when systems are turned back on. Restoration is not a fast process. Reports following some of the recent attacks suggest that recovery will take months upon months and that revenues will be negatively impacted throughout that period.

Ransomware and Data Exfiltration

Shutdowns are not the only concern when it comes to ransomware. Initial rounds of ransomware usually only ran the risk of encryption and not being able to access one’s own data. Now, ransomware attacks are exfiltrating data before implementing the encryption. The exfiltration is enabling enhanced extortion of victims by leaking data and threatening to release all of the taken data if ransoms are not paid.

When data are exfiltrated, the risks quickly expand beyond just the ability to restore systems. It should be apparent that further use of the taken data, as well as compromises to privacy, become the overriding concerns. Once an attacker holds the data, a whole host of unknowns enter the picture. One of the biggest is gauging whether an attacker can be trusted to actually delete or destroy the taken data if a ransom is paid. However, trying to trust the honor of a cyber attacker in that regard seems foolhardy.

What Can Be Done?

A first step to potentially mitigating the harm from or even reducing the likelihood of a cyber attack is to take security seriously. It has long been stated that a data breach or compromise is a matter of when, not if. While some may have scoffed at that notion before, hopefully that perception is changing given the ever-present threat and success of cyber attacks.

What does it mean to take security seriously? One item can be setting a solid foundation by ensuring compliance with relevant privacy and security regulations. In healthcare, hopefully, that is understood to mean HIPAA. The Security Rule under HIPAA is certainly not a guarantee of full system or data protection because it cannot predict all of the evolving threats. Instead, the Security Rule is a good basis on which more comprehensive security efforts can be built. From that perspective, the Security Rule acquaints organizations with hardcoding security into operations and ensuring that individuals within an organization are used to looking for policies and procedures and operating within the bounds of those policies and procedures.

As noted, HIPAA is the foundation, which then means determining how to further enhance security. In many instances that can mean looking to industry standards or guidance from other sources such as the National Institute of Standards and Technology (NIST). Considering NIST in particular, it produces guidance and guidelines for many different industries and categories of technology or information systems. The specific guidance also receives fairly regular updates that respond to new exposures or security issues.

Beyond implementing appropriate policies and procedures and seeking to build, at a minimum, industry standard protections, it is also important to emphasize security within the culture of an organization. If all members of an organization from the top to the bottom do not take security seriously, then the weak links will probably grow and undermine any beneficial efforts that had been undertaken. A good culture includes reporting about security to the upper levels of management and the board of the organization along with promoting awareness of security throughout the organization. Steps to accomplish those goals have been discussed before, but include oversight, education, training, and encouraging open discussion.

The Future

The only certainty at the moment is that cyber attacks will continue at a rapid pace and healthcare will remain a primary target. If that reality is accepted, then the future should be focused on using every effort possible to make a successful attack as difficult as possible. Since attackers are often a few steps ahead of defense, stopping every attack probably cannot happen. However, if an attack can be delayed or the impact reduced through system segmentation or similar measures, then success can be measured in degrees.

Regardless of what steps are taken, keeping security front and center as a concern is essential. Beginning to fight back against the ever-present threat of a cyber attack will also likely be a collaborative effort. Organizations should not feel as though security occurs in isolation. All should view security as a community and group effort. Hopefully threat intelligence will become more common.

Lastly, it is easy to be discouraged by the stream of successful attacks and data breaches. While no successful attack is good, each one can be used as a learning point that optimistically better informs all organizations of measures to be taken as well as the fact that no organization is too big or small to avoid an attack. Be vigilant, be careful, and ask questions.

This article was originally published on The Pulse blog and is republished here with permission.