Don’t let cyber attacks hold your patients hostage

Published September 20, 2018 by Ashish Khosla

As our society has become increasingly reliant on IT services, our ability to protect our personal, financial and health-care data has become equally important. According to the Institute for Critical Infrastructure Technology, the health-care sector fell prey to more cyber incidents through data breaches than any other critical infrastructure area in 2015. The health-care industry is rife with vulnerabilities for exploitation given the complexity and diversity of the health-care ecosystem, which includes public and private players large and small as well as connected medical devices and software systems.

In May 2017, Britain’s National Health Service made headlines when its networks succumbed to the global WannaCry ransomware attack, which infected more than 400,000 computers worldwide and demanded payments of $300 to $600 to restore access to data on each scrambled system. While IT and executives deliberated on what to do, doctors and health practitioners were forced to revert to pen and paper after the attack impaired key systems. The New York Times reported that some affected hospitals turned away patients, delayed lab results and even cancelled surgeries, revealing just how acutely cybersecurity issues in the health-care industry become patient safety issues.

IT spending in health care has increased, and governments are taking action to establish measures to protect our most vital data, yet cyber-attacks continue to increase. Symantec’s annual Internet Security Threat Report found that security incidents within health care were the second-highest contributor in affected services industries in 2016, outweighed only by incidents in business services. Moreover, cyber criminals are escalating demands. The report also found that average ransoms in 2016 rose to $1,077, a $294 year-over-year increase. To help protect health-care systems, patients and staff from cyber-attacks, executives should employ the following proactive methods.

Recognizing an attack

Ninety-one percent of cyber-attacks start with a phishing email, according to a study by PhishMe. Email scams frequently attempt to trick a target into clicking an email link, which launches malicious software that compromises the security of the network. The FBI estimates that compromised email accounts for $3.1 billion in losses per year worldwide.

To prevent an attack, it’s important to train your workforce to look for the three most common types of email hacks:

• Fake email coming from a company executive or colleague

• Fake invoice from a supplier whose email address has been spoofed

• Fake email from an attorney requesting funds or information about a deal

Even if the target doesn’t send a payment or transfer funds in response to the email, simply clicking a link in a phishing email can cause a chain of events that compromise the network.

How data gets held hostage

Ransomware is a malicious type of software used by cyber attackers that can harm or disable computer systems until hackers receive a payoff. The health-care industry is especially targeted because it is “rich in personally-identifiable information… and the results of a successful attack can be dire    including risk to patient care,” noted the Report on Improving Cybersecurity in the Health Care Industry. According to PhishMe, these types of attacks are up 400 percent since 2016.

Ransomware works by tricking the target into opening a fake email and then clicking on a link or attachment that infects the system and locks the user out of the computer system or network until a ransom is paid. Unfortunately, paying the ransom doesn’t ensure a fix, as evidenced by the Petya ransomware attack, which hit 65 countries in June 2017. In the case of ransomware attack, it’s important to increase health-care industry readiness through improved cybersecurity awareness and education, including:

• Implementing security patches – Every time the operating system or security software asks if it can run a system or security update, promptly follow through.

• Backing up data – Back up files remotely every day on an external hard drive not connected to the internet.

• Using an antivirus program – Antivirus programs can scan files to see if they might contain ransomware. Run the program automatically before downloading files.

Bolstering defenses

The best protection against email fraud is to employ multiple lines of defense. While upgrading software and backing up data is critical, training the health-care workforce to spot warning signs is the most important proactive measure. Empower your staff to:

• Be cautious. Flag suspicious emails to IT. Additionally, never reply or open links and files within suspicious emails.

• Remain cognizant and alert your bank to unusual requests. It’s essential to inform your bank of suspicious activity so proper action is taken to stop or prevent a financial transaction.

• Remove every “dirty” PC. If a laptop or PC is compromised, remove it from the company’s network until it has been cleansed of malware.

Ideally, every health-care organization should develop processes to teach its workforce and patients to recognize potential cyber-attacks via trainings and simulations. According to PhishMe, susceptibility to phishing email drops almost 20 percent after an organization runs just one simulation. Proactive education across the health-care ecosystem is a necessary line of defense to recognize a potential cyber-attack or ransomware intrusion, and can prevent compromised private patient information, prevent monetary losses, and ultimately, spare organizational delays in delivering care.

Ashish Khosla is senior vice president and Washington, D.C., market executive for Bank of America Merrill Lynch.