While the WannaCry cyberattack against hospitals, clinics and device makers was largely unsuccessful, future hacks might be used to imperil patients. Experts worry the U.S system is still too vulnerable and health IT departments are under-resourced.
Medical devices breached
It was only a bit of good luck that prevented hackers from bringing down much of the U.S. healthcare system on May 12, 2017. The infamous WannaCry attack infected more than 300,000 devices in 150 countries, including 48 hospitals in the U.K. The virus was spread through older versions of the Windows operating systems. Fortunately, an IT expert figured out how to shut down most of the attack before it had more than “extremely minimal impact” on patient care, according to officials, and before it jumped the ocean to the U.S.
In some countries, the hackers—in demanding payments to restore control of the computers and access of health records—disrupted hospital processes. In the U.K., for example, 40 hospital and clinic sites had to turn off their computers and cancel all but emergency surgeries and other treatments.
A little more than a month later, another worldwide attack—the Petya ransomware virus—spread with even more efficiency than WannaCry, though the dollar amounts collected from both attacks were paltry in comparison to the havoc the viruses wreaked. About $40,000 over several weeks was collected in ransom for both viruses, and the hackers have yet to try to retrieve the funds. This has spurred fears among health IT leaders that, perhaps, money wasn’t the ultimate goal of the attacks.
[[{"fid":"23525","view_mode":"media_original","type":"media","attributes":{"height":1038,"width":600,"style":"width: 600px; height: 1038px; margin-top: 5px; margin-bottom: 5px;","alt":" - IT-priorities","class":"media-element file-media-original"}}]]
In the future, the threat could be even bigger than ransomware, with cyberattacks used to harm patients, warns one IT consultant who, fearing reprisal, asked not to be named. “Right now, ransomware such as WannaCry is a money problem,” says the consultant. “But I can guarantee you that terrorists are thinking about how to use health IT hacking as a weapon.”
Several sources interviewed for this story concurred, theorizing that terrorists could kill or injure scores of Americans by getting into electronic health records or medical devices to alter protected health information, such as blood type or medication and procedure orders.
Such fears were magnified when it was revealed that WannaCry was the first hack to breach medical devices. As reported by Forbes, a Medrad/Bayer radiology power injector-monitoring device was hacked in at least two U.S. hospitals. The Health Information Trust Alliance, a private company, said that Siemens equipment in the U.K. was affected by WannaCry. Last fall, before the WannaCry attack, Johnson & Johnson revealed that its line of insulin pumps was vulnerable to such threats due to a lack of encryption.
Abbott was in the spotlight at the beginning of the year, when the Food and Drug Administration (FDA) announced that cardiac devices developed by St. Jude Medical, which
Abbott had recently acquired, were vulnerable to hacking. Candace Steele Flippen, an Abbott spokesperson, told CVB the company is aiming to lead a growing medical device manufacturer effort to toughen cybersecurity standards. Abbott’s strategy includes a multi-department group that “focuses on ensuring that cybersecurity is part of the [product] design process, … [extending to] … manufacturing and sourcing, as well as product commercialization”; educating physicians and patients about cyberthreats; limiting partnerships to those that work with experienced third-party cybersecurity research companies; and participating in FDA/Department of Homeland Security efforts to develop standards and continuous cyber quality improvement.
Despite risks, little urgency
Complacency about cybersecurity is too common in hospitals and practices, according to several health IT experts interviewed by CVB. WannaCry, for example, was launched through older versions of Microsoft Windows, even though a defensive patch for such a threat had been available since early this year. And some of the affected U.K. hospitals were using 15-year-old software that Microsoft had stopped supporting in 2014.
“Too many people in the industry are buying into the ‘someone else is taking care of it’ mentality,” says Brand Barney, HCISPP, CISSP, QSA, an analyst at SecurityMetrics, a data security and compliance solutions firm headquartered in Orem, Utah. “They are not looking at the true risk involved, the big picture. They may think they’re not at risk, and this affects the safety and welfare of the patient.”
Among hospital administrators’ many competing priorities, spending on cybersecurity often has taken a backseat to purchasing equipment and systems that will generate revenue. As a result, expensive, systemwide software upgrades may be delayed until something goes wrong.
For hospitals, the consequences of getting hacked are significant. According to a 2016 PwC Health Research Institute report, 40 percent of consumers would abandon or hesitate to use a hacked health system and 50 percent would avoid or be wary of using a medical device if a breach was reported.
Jennings Aske, JD, chief information security officer at New York-Presbyterian Hospital, says that health IT departments tend to be underfunded. “Cyberthreats like WannaCry illustrate the need for increased investments in advanced cyber controls,” Aske says. “The need for increased cybersecurity investments is a topic that hospital leadership must raise to a Board of Trustees–level discussion.”
No hospital is immune, he adds. “Management has to allocate resources aligned with the current cyber-risk environment.”
Basic protections go far
Hospitals and health systems can take steps to protect themselves, starting with putting up barriers to thwart hackers and rethinking the pros and cons of open vs. segmented networks. While open networks facilitate interoperability—or the ready sharing of patient health information among hospitals and between hospital and physician practices—they also enable cyberattacks, explains Brian Jacobs, MD, vice president and chief medical information officer at Children’s National Health System in Washington D.C. He advocates segmentation—analogous to a ship with waterproof compartments that can be sealed off from one another if something goes awry.
“At Children’s, the IT network is segmented, which requires users to use multiple forms of authentication,” he says. “Also, if an attack is detected by our IT security staff, they can shut down connectivity between systems to isolate an attack.”
Another critical step for health systems is adopting good cyber-hygiene, says Kevin McDonald, director of clinical information security at the Mayo Clinic in Rochester, Minn. He recommends several basic security controls that even small hospitals can take to reduce their cyber-risk fairly quickly and by about 75 percent. In addition to segmentation, privileged accounts need to be managed and legacy devices—older medical devices, such as infusion pumps, that still work well but were manufactured before current security features—should be examined.
Dan Dodson, president of Fortified Health Security in Franklin, Tenn., also stresses the importance of elementary cybersecurity precautions. “You need to do basic blocking and tackling, like making sure known patches are installed,” he says.
Rethink resources before threats worsen
According to Chris Strand, senior director of compliance strategy at Carbon Black in Waltham, Mass., WannaCry got hospital administrators’ attention as much by the uncertainty it created as the actual attack on systems. His biggest concern is that “there are still far too many critical medical systems that are running outdated and unsupported embedded systems.”
For health IT departments, updating software systems, switching to a segmented network and other protective measures may be easier said than done. Taking these steps requires both financial and staff resources. While 41 percent of IT professionals responding to an early-2017 TechTarget/College of Healthcare Information Management Executives survey reported their budgets increased over 2016, enhancing cybersecurity didn’t top the list of reasons for the bump. More than half said improving the quality of patient care was a key driver behind their healthcare IT budget changes. Cybersecurity concerns ranked fifth on the respondents’ list of drivers.
The Health Information and Management Systems Society (HIMSS) also fielded a survey of health information security professionals in early 2017. It found that 7.9 percent of respondents had no monies allocated for cybersecurity.
Both surveys were conducted before WannaCry made headlines worldwide. Its impact, plus the news about subsequent global attacks, including Petya and the Equifax data breach in September, may have nudged physicians to speak up for improved cybersecurity.
Jim Whitfill, MD, chief information officer for Scottsdale Health Partners, a multispecialty network in the Phoenix area, believes such issues are on clinicians’ minds. “It really gets clinician attention when such attacks now can threaten their ability to care for their patients,” he says. “We’re paying more attention to cybersecurity than five years ago. But I’m not sure we’re changing quickly enough and in the right direction. Because these threats are changing fast.”