Cyber attacks on hospitals and healthcare providers have become a regular occurrence. On Feb. 1, it was Easton Hospital in Easton, Pennsylvania. On Feb. 4, it was the Catawba Valley Medical Center in Hickory, North Carolina. On Feb. 20, it was the Cabrini Hospital in Melbourne, Australia.
As more and more hospitals suffer ransomware attacks, cybersecurity experts say the healthcare industry must up its cyber game before its patients suffer the consequences. Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources that hospitals are experiencing up to 70 percent of all ransomware attacks.
They’re an easy target, he said, because when hackers hold health records and sensitive patient data hostage, hospitals have no choice but to pay the ransom. Refusing to pay means patients could lose control over their personal health information (PHI), or worse, have life-saving surgeries postponed.
In 2017, North Korean hackers used a “WannaCry” ransomware attack on Great Britain’s National Health Service, which resulted in canceled operations and delayed medical appointments.
According to a July 2018 Maturitas study, electronic health records (EHR) and individual medical devices (like pacemakers) are highly vulnerable to cybercrime. The study concludes that “cybersecurity is critical to patient safety, yet has historically been lax,” and the industry may need regulation to make cybersecurity “an integral part of patient safety.”
Digitized medical devices for patients, in particular, can pose a serious cyber risk to patients’ health.
“One of my nephews has diabetes and he has Wi-Fi connected insulin pumps and can control it from his phone, and when he goes to the doctor, the doctor can download the data,” Madnick told InsideSources.
Part of the problem lies in the healthcare supply chain. Hospitals almost never focus on cybersecurity as a top priority, so when they order new equipment — which is increasingly digitized and connected to the cloud — they don’t necessarily ensure the equipment hasn’t been tampered with or ensure it isn’t susceptible to malware.
“When it comes to buying a new MRI machine or a new firewall, it’s easy to understand where the emotions lie. They’re not thinking about putting their patients at risk,” Madnick said.
Suppliers are to blame as well, he said. As technology advances rapidly, the priority for a healthcare supplier is to develop new, affordable equipment and get it to market as quickly as possible and thus solidify its place as the primary supplier.
But another major contributor to cyber vulnerability is the decentralized nature of the healthcare system. The industry is increasingly specialized, so there’s not always an incentive for a cardiologist to talk to a neurologist about cyber concerns with regard to medical equipment and computers. Because many departments may not talk to each other, developing a bird’s-eye view of the cyber ecosystem within any particular hospital is difficult.
“A lot of the clout rides in the practices, so there isn’t a good way to rally people together,” Madnick said. “You go to the head of cardiology and say, we want to take some of your budget and invest in cybersecurity instead of a new MRI machine, and that’s not an easy sell.”
A February 2017 Technology and Health Care study pointed out that hospitals are notoriously slow to update their technology, and as a result, do not “keep up with the [cyber] threats.” As hospitals race to modernize with new equipment and devices from healthcare startups, many don’t even realize the risks they’re taking.
To meet the need, more and more cybersecurity startups specialize in the healthcare industry. For example, ClearDATA provides information security for healthcare providers, ID Experts helps the industry combat fraud, Protenus monitors a patient’s EHR for suspicious activity and issues alerts, and Senrio offers cybersecurity services for medical devices.
As of 2018, there are more than 125 startups specializing in healthcare cybersecurity across the U.S. and Canada. But changes won’t happen overnight for an industry not known for its tech-savvy.
“Hospitals are beginning to respond,” Madnick said. “Two to three years ago, this wasn’t on their radar.”