In the world of information security, each new year brings new opportunities for growth and learning. From new cyber threats and mitigations to new tools and techniques, there's no shortage of new information to assimilate, new skills to master, and new lessons to take. When it comes to medical information security in particular, 2019 proved to be a year rife with lessons.
The Year That Was
For all intents and purposes, 2019 was "the year of the breach" for healthcare. With the new year right around the corner, the industry has suffered more than 400 different breaches, affecting more than 40 million people.
One of the most striking examples is the case of the American Medical Collection Agency (AMCA), where a single long-running data breach compromised more than 20 million records — including patient data, social security numbers, and payment card information. Sadly, victim compensation and theft monitoring will be elusive following AMCA's bankruptcy filing.
The case of AMCA is just another in a long line of examples underscoring the importance of taking smart, proactive, and preventative measures; eschewing the false notion that — should a need arise — you could always take reactive and remedial steps.
In fact, according to SafeAtLast, the healthcare industry lost an estimated $25 billion in 2019 just from ransomware attacks! Suffice it to say that that doesn't paint a very rosy picture of an industry on which we all so profoundly rely.
And as bad as things look, they're probably actually even worse. Chances are strong that there were some significant medical information security incidents in 2019 that we still don't know about. Some of those events we might never find out about, and judging from Solara's recent data breach (believed to affect 117,000 patients), even those incidents that do rise to public attention can see a considerable lag (seven months!) from the time of occurrence to the time of disclosure.
Medical Information Security Lessons Learned
That's why it's all the more important that we review the year that was in a prescriptive manner — not just looking at what happened, but looking to see what can be learned from what happened.
Accordingly, the space of this article is devoted to extracting valuable lessons and sussing out business/strategy implications to take forward.
Medical information security is not just an IT issue, it's a care issue
No matter the industry, most people think of information security as an IT issue. For hospitals, 2019 may have changed that way of thinking. The latest example of how medical information security spills into matters of patient care came in September from the great state of Wyoming, when the Campbell County Health (CCH) community hospital was forced to close temporarily following a ransomware attack.
Last year my colleague, Safi Oranski wrote an article predicting that 2019 would see the first fatality directly as a result of a hospital hack. While thankfully that prediction was wrong, the CCH event reminds us just how close we may have come. Indeed, even as we've managed to avoid a clear case of deadly digital destruction, we did see the industry take some very big steps in that direction.
Similar to the CCH event, three Alabama hospitals were forced to close to all but “the most critical new patients” because of a ransomware attack. Then there was the joint research paper out of the University of Central Florida and Vanderbilt University that quantified the operational ripple effect of hospital ransomware attacks. The paper concluded that — on average — 2.7 minutes were added to the medical response times of facilities that had recently hosted a malicious cyber event. In a health emergency like a heart attack, minutes can be the difference between life and death. Case in point: the same report noted a 3.6% increase in cardiac event fatalities at hospitals that had suffered cyberattacks.
With all that's happened in 2019, the lesson is clear: for healthcare organizations, cybersecurity can no longer be a matter of operational efficiency or future-proofing alone. Heading into 2020, cybersecurity speaks fundamentally to an HDO's ability to effectively and reliably deliver a high quality of care.
WannaCry was not an outlier, it was an early harbinger
In mid-2017, the world was hit by the WannaCry ransomware attack. The wormable attack targeted devices running unpatched Windows software, exploiting a widespread vulnerability to assume control of devices and lock out users. The attack not only prevented device use, but data access as well — encrypting files and demanding payment to unlock devices and decrypt their data. Over the course of the attack's breakout, hospitals emerged as a key proliferation vector, with the UK's National Health Service especially hard hit.
Eventually, the spread of the attack ground to a halt when a security researcher found a kill-switch in the attack code. As it turned out, the attack was designed to query a particular domain address as a prerequisite to other operations. Once the researcher registered that domain, it created a "sinkhole" for malicious traffic, essentially shutting down the attack.
This all happened incredibly quickly — spanning only two days from the point of breakout until the kill-switch was activated — and still it managed to infect around 300,000 machines and wreak havoc to the tune of $4 billion globally. For its part, the NHS was estimated to have incurred over $100 million in damages.
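The kill-switch mechanism described above also left defenders a usable signal: because the malware queried the domain before doing anything else, any host that asked the resolver for it had already executed the payload, whether or not encryption followed. The script below is an added example, not part of the original article, showing how a hospital SOC can sweep DNS resolver logs for such lookups. The domain name and the BIND-style log lines are constructed placeholders; the real indicator would come from a threat-intelligence feed.

```python
"""Flag hosts that resolved a known ransomware kill-switch domain.

Added example, not code from the original article. The domain below is a
constructed placeholder standing in for a kill-switch/sinkhole indicator;
the log lines are likewise constructed in a BIND-like query-log shape.
"""
import re
from collections import defaultdict

# Placeholder indicator list. Matching is on the exact name or any subdomain
# of it, so "sub.<domain>" lookups are caught as well.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed resolver log excerpt: "client IP#port: query: NAME IN A +".
SAMPLE_LOG = """\
01-Dec-2019 08:12:01.001 client 10.20.4.17#51234: query: killswitch-placeholder.example IN A +
01-Dec-2019 08:12:01.214 client 10.20.4.17#51235: query: www.hospital.example IN A +
01-Dec-2019 08:12:02.009 client 10.20.9.40#40123: query: pacs.hospital.example IN A +
01-Dec-2019 08:12:03.777 client 10.20.9.40#40124: query: sub.killswitch-placeholder.example IN A +
01-Dec-2019 08:12:05.100 client 10.20.4.17#51240: query: killswitch-placeholder.example IN A +
"""

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def is_kill_switch_query(name):
    """True if `name` is a kill-switch domain or a subdomain of one.

    Trailing dots and case are normalised so "KILLSWITCH-PLACEHOLDER.EXAMPLE."
    still matches; "notkillswitch-placeholder.example" does not, because the
    suffix test requires a label boundary.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in KILL_SWITCH_DOMAINS)


def hosts_querying_kill_switch(log_text):
    """Return {client_ip: number_of_kill_switch_lookups} for the log excerpt.

    Every host listed here ran the payload at least once and should be
    isolated and checked for patch level, regardless of whether the lookup
    succeeded (a successful lookup only means encryption was suppressed).
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # not a query line; skip rather than guess
        if is_kill_switch_query(match.group("name")):
            hits[match.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in sorted(hosts_querying_kill_switch(SAMPLE_LOG).items()):
        print(f"{ip}: {count} kill-switch lookup(s); isolate and verify patch level")
```

The per-host count matters: repeated lookups from the same client over a short window usually indicate the binary is being relaunched or has spread laterally, which changes the triage priority.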
Needless to say, an attack of this magnitude sent shock waves through both the information security and healthcare worlds and left considerable trauma in its wake. At the time, organizational cybersecurity attitudes and practices were so ill-prepared that it sparked a frantic sprint to catch up.
In the intervening years, we haven't seen anything approach the level of WannaCry, and as a result that sprint has slowed to a jog and a degree of indolence has begun to set in.
Though it's seldom articulated, most healthcare CISOs have come to view WannaCry as an outlier. They feel no crisis and they take comfort in seeing that their peers at other organizations have similarly stopped scrambling to WannaCry-proof their operations. The fact is that the industry as a whole no longer feels compelled to harden its defenses in the manner required to repel some such future attack. In fact, forget about preparing for the next WannaCry — with an estimated 1+ million machines still unpatched close to three years later — the global response to the first WannaCry remains woefully half-hearted.
2019 stands as a powerful rebuttal of this mistaken complacency. WannaCry may have been the first large-scale global health system attack, but it will certainly not be the last. Serious ransomware attacks have cropped up with increasing frequency and impact throughout 2019.
In addition to the three Alabama hospitals mentioned above, there was the Australian network of hospitals targeted by “sophisticated cyber criminals”, the 120 hospitals in the Ramsay Health network that were "compromised", and the attack on France's Rouen University Hospital Centre that took down 6,000 connected devices and forced the 2,500-bed hospital to operate in "degraded mode" — just to list a few examples.
The point should be plain to see: WannaCry was just the foreshock. We should take any intervening calm as an opportunity to prepare rather than an excuse to let down our defenses. There will be more and likely worse to come.
The key driver of hospital management technology adoption is cost savings
Reducing costs is one of the key drivers for healthcare providers when looking at new administrative/operational technology solutions. As much as healthcare hacks and nightmare scenarios make news, they’re still not the primary motivator for hospitals looking to implement new technologies.
While the media still works according to the “if it bleeds, it leads” mantra and shapes public perception accordingly, hospital administrators are more concerned with the trials and triumphs of everyday operations. And while the specter of an incapacitating attack does increasingly factor into their considerations, it's far from front and center.
According to a Moody's analysis, hospitals are “laser focus[ed]” on productivity and expense management. That makes sense when you consider not only the thin and strained margins that HDOs operate on, but the urgent need to pass savings on to customers and patients who are beyond fed up with the high cost of healthcare.
For hospitals, budgetary allocations always boil down to operational impact and cost-benefit analyses. In those terms, cyber threats are generally too abstract and hypothetical to factor very prominently into planning. Instead, ROI is pursued with gusto, and cost reduction or operational improvement initiatives are penciled in according to the positive and measurable expectations they carry.
Of course, if you’re a security professional, you still have to do your job and take care to guard the hospital's digital flank. It is this hyper cost-conscious environment that means you can't always pursue your agenda on your own terms. It’s important that you learn to speak the language of business so that you can effectively make a case all the way up the chain of command to invest in security-minded technologies — buoyed by a cross-departmental value proposition.
For large, complex organizations that are subject to many operational interdependencies, that emphasis on ROI and measurable impact usually means a concerted effort to stop growing the solution stack and to instead coax more use and value out of existing solutions. In the same vein, you’ll be most likely to advance your cause by focusing on highly integratable technologies that add value and effectively shrink the solution stack, while providing broad functionality (rather than unitaskers) at a reasonable price.
Hospital silos are coming down
Process integration and interdepartmental collaboration are key to agile business operations. Unfortunately, healthcare has been slow to pick up on the lean and agile business transformation waves that have reshaped other industries.
As my colleague Safi Oranski wrote in a recent article on Forbes, "Too often, operations people think only in terms of operations, security people think only in terms of security and physicians think only in terms of care... The result is that each group operates extensively within their own bubble environments, building silos and working in ways that sometimes conflict. Until this is solved and we get better at connecting our people and processes, our connected technology will never be able to realize its potential."
Now, that's beginning to change. More and more, hospitals looking to boost synergies and improve efficiencies impress upon their staff the need for open communication, interdepartmental collaboration, and interdisciplinary work in general. In practice, that means getting IT, IS, Biomed, Compliance, and other hospital departments to work together more in common cause and with common awareness of each other's agendas.
The first order of business in so doing is usually redesigning — for each department — more integrated workflows to better account for the needs & practices of other teams and breaking down silos. In so far as the latter is concerned, the first step is getting everyone to work on the same systems, share the same frames of reference, and be familiar with each other's primary tool sets.
Tactics aside, the bottom line is this: to be on the right side of the industry's disruption, you’ll need to shift your strategic perspective, inject constructive entanglement across departments, and find tools to help different stakeholders get on the same page.
AI Cuts Both Ways
For most organizations, artificial intelligence is still just a buzzword; a headline grabber that doesn’t impact day-to-day operations. In healthcare though, it's a little different. For better or worse, healthcare offers what is probably the most accessible and most significant early testing grounds for AI.
It's well known that radiology labs all over the world are already making meaningful use of artificial intelligence. What's less known are some of the novel AI applications in development to predict and prevent patient falls, or to preempt complications related to sepsis. Then there are the less splashy but just as vital AI opportunities to help alleviate staffing and skills shortages acutely affecting the healthcare industry.
And still, despite all these great innovations, most healthcare conversations about AI tend to revolve around security. In addition to the important role of device security grouping and policy management, hospitals are using AI to run deviation-from-baseline analyses that supervise their networks and help defend against zero-day attacks.
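To make the "deviation from baseline" idea concrete, the following is an added example (not code from the article or from any vendor product) that applies the simplest form of that analysis: per-device network counters are compared against a rolling window of their own history and flagged when they move far from their norm. The device names and counters are constructed; the z-score rule stands in for the richer models a commercial product would use, and the minimum-spread floor is an assumption added so perfectly flat baselines, which are common for fixed-function medical devices, neither divide by zero nor trigger on trivial drift.

```python
"""Deviation-from-baseline check over per-device network counters.

Added example, not part of the original article. A plain z-score against a
14-day window stands in for the learned baselines the text alludes to; the
device names and counts are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed baseline: outbound connections per day for the past 14 days.
BASELINE = {
    "infusion-pump-07": [12, 11, 13, 12, 12, 14, 11, 12, 13, 12, 11, 13, 12, 12],
    "radiology-ws-02": [400, 380, 420, 410, 395, 405, 390, 415, 400, 410, 385, 405, 398, 402],
    "hl7-gateway-01": [900] * 14,  # fixed-function device: identical every day
}

# Constructed observations for today. The pump's jump is the kind of change a
# worm fanning out over the network produces; the gateway's +3 is ordinary noise.
TODAY = {
    "infusion-pump-07": 240,
    "radiology-ws-02": 410,
    "hl7-gateway-01": 903,
    "unknown-dev-99": 5,  # never seen before, so no baseline exists
}


def deviation_score(history, observed, floor=1.0):
    """Standard deviations between `observed` and the mean of `history`.

    `floor` (an assumption of this example) is the smallest spread used as the
    divisor: it prevents a divide-by-zero on constant histories and stops a
    one-connection wobble on such a device from scoring as an extreme outlier.
    """
    mu = mean(history)
    sigma = max(pstdev(history), floor)
    return (observed - mu) / sigma


def flag_deviations(baseline, today, threshold=5.0):
    """Return (alerts, unseen).

    alerts maps device -> rounded z-score for devices at or beyond `threshold`;
    unseen lists devices with no history, which deserve their own review since
    a new talker on a medical network is itself noteworthy.
    """
    alerts = {}
    unseen = []
    for device, observed in today.items():
        history = baseline.get(device)
        if not history:
            unseen.append(device)
            continue
        z = deviation_score(history, observed)
        if abs(z) >= threshold:
            alerts[device] = round(z, 1)
    return alerts, unseen


if __name__ == "__main__":
    alerts, unseen = flag_deviations(BASELINE, TODAY)
    for device, z in alerts.items():
        print(f"ALERT {device}: {z} sigma from baseline")
    for device in unseen:
        print(f"REVIEW {device}: no baseline on record")
```

The threshold is deliberately high; on a network where a false alarm can pull a biomed engineer away from a ward, the rule should favour precision, and the baseline window should be refreshed daily so slow, legitimate workload changes do not accumulate into alerts.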
On the whole though, HDOs remain slow to embrace artificial intelligence. And while they kick around the idea, bad actors are already finding wide-scale early successes using AI to carry out phishing attacks, deepfake-assisted cyber theft, social engineering, and malicious chatbot ploys — among other malicious techniques.
That head start is a big problem when you consider the fact that, in some ways, the AI deck is stacked in favor of the bad guys. Put simply, "winning" with offensive AI is just a lot easier. If offensive AI is defeated or otherwise falls short, the attacker is only looking at a blow he failed to land. If, however, defensive AI is defeated or otherwise falls short, you’re looking at a successful attack — or any number of attacks.
It may still be too early to say what this means from a prescriptive perspective, but it’s entirely possible that we’re looking at the early days of an AI arms race — wherein organizations liable to be targeted for attack (healthcare organizations being an always popular choice) are forced to accelerate the adoption and integration of AI-enabled cyber defense technologies simply to keep the threat in check. Indeed, this is precisely the expectation expressed by 69% of organizations surveyed in a recent Capgemini report.
The fact is that AI cuts both ways, and IT and hospitals need to understand that hackers have access to the same technologies they do. The lesson here may lack a clear action directive, but it's worth saying just the same. Hospitals will have little choice but to accelerate their AI investments — especially as it relates to security — but they'd be wise to keep their eyes wide and their heads on a swivel as they proceed.
Going into 2020, the medical information security scene is looking increasingly like a battlefield — lots of noise, threats passing with increasing velocity before your eyes, dirt flying everywhere, and pitfalls opening all around you. You can't just close your eyes and hope to emerge on the other side unscathed. You need a concerted effort and coherent strategy.
That's why it's useful to review the actions and events that have happened leading up to the present moment. It helps give you a firmer orientation of where you are, what you're trying to accomplish, what dangers you face, and what obstacles are likely to impede your progress. Putting it all together, you can begin to form more reliable expectations to guide you as you plan your advance. That's exactly what I've endeavored to do in this article. I hope you find it instructive.