Why healthcare cyberattacks are getting worse

The data breach isn't new. Even the cyberattack has been a business risk since the late 1980s when the Internet was first widely used. For years, cyber criminals have been after hidden information not intended for them, both within and outside of healthcare. But in recent years it appears as though these attacks have intensified in two ways: They are more frequent and they are more severe.

Some of the large-scale attacks began in the mid-2000s. In 2007, retailer TJX, parent company of TJ Maxx and Marshall's, reported a cyberattack in which hackers stole the debit and credit card information of approximately 45.7 million customers between January 2003 and November 2007.

Fast forward six years, and the healthcare industry suffered a cyberattack affecting nearly double the number of individuals in the TJX attack when Indianapolis-based Anthem reported the protected health information of 78.8 million had been breached.

The past couple of years have seen some pretty notable cyberattacks. In addition to the hack on Anthem, Mountlake Terrace, Wash.-based Premera Blue Cross reported a breach in March affecting 11 million patients; Los Angeles-based UCLA Health reported a breach in July affecting 4.5 million individuals; and Franklin, Tenn.-based Community Health Systems reported a breach in August 2014 also affecting 4.5 million. All these breaches stemmed from cyber criminals hacking network servers.

Matt Comyns, global head of the cybersecurity practice at executive search firm Russell Reynolds Associates, says the market is getting worse with each passing year. He says there are three main reasons why cyberattacks are occurring more frequently and causing more damage.

First, Mr. Comyns says cyberattacks are relatively inexpensive to carry out, especially the ones orchestrated by nation-states with bountiful capital. Federal investigators looking into the cyberattacks on the U.S. Office of Personnel Management, which were reported in late May and early June and affected approximately 21.5 million Americans, believe the attack originated in China. Some cybersecurity experts suggest the hacking techniques used in the OPM breach are similar to those used in the Anthem and Premera breaches, leading experts to believe they come from the same source.

Secondly, cyberattacks are relatively anonymous. Hackers use pseudonyms and code names and are veiled by the sheath of anonymity inherently provided by the Internet.

Finally, if the perpetrators are identifiable, more often than not they are operating in uncooperative foreign governments, which Mr. Comyns says is a growing concern. "The last piece, which is increasingly becoming a problem, is [cyberattacks are] pretty well organized," Mr. Comyns adds. "You have pretty sophisticated cybercriminals at this point that are now collaborating."

And, in healthcare specifically, hackers have more of an incentive to infiltrate networks, as the value of information is much higher than data sources like credit and debit card information. Not only does sensitive health information open the door for medical identity theft and insurance fraud, but even physical medical devices may be a threat to patient safety.

In late July, the U.S. Food and Drug Administration issued a report warning healthcare facilities that hospital infusion pumps could be vulnerable to cyberattacks. Hackers can access the pumps remotely through the hospital's network. If they access the pumps, hackers can control the device and change patient dosages, a potentially lethal situation.

The threat of hacking medical devices has very real ramifications. In 2007, former Vice President Dick Cheney's physician disabled his pacemaker's wireless capabilities, including the ability for physicians to fix the pacemaker virtually. He did so as a precautionary measure to thwart any attempt at assassination by means of hacking the pacemaker.

Jonathan Reiner, MD, Vice President Cheney's cardiologist, said in a CBS interview alongside Vice President Cheney that the threat was credible.

"It seemed to me to be a bad idea for the vice president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to hack into," he said in the interview.

This new, connected healthcare environment may be a boon to care quality, but it inevitably comes with risks. While cyberattacks aren't unique to healthcare, this industry is highly targeted, and cybersecurity investments and strategies are becoming necessary to function in this landscape.

"It's going to be an [increased] cost of doing business," Mr. Comyns says. "It's a cultural change for companies. It's a different way of thinking."


© Copyright ASC COMMUNICATIONS 2019.

 
