Hospital hacks expose security weaknesses

This post originally appeared on U.S. News and World Report’s Policy Dose blog.

U.S. hospitals appear to be under a new type of IT hacking attack: crypto-ransomware. Hackers have changed their approach and instead of stealing patient data, they are now locking down the computer systems of hospitals and demanding a ransom, in bitcoin, in order to restore hospitals' access to their own computers. Multiple hospitals in California, Kentucky and Maryland have been the victims of such attacks over the last week, and despite an FBI investigation into the MedStar hack, there seems to be no solution on the horizon.

Why have hackers targeted hospitals? And should patients be concerned about these information technology breaches?

Hospitals are very easy targets for hackers. Unlike other sectors that implemented IT naturally and gradually over the course of many years, health care went digital overnight, after the government allocated billions of dollars to promote adoption of electronic health care records. According to statistics from the Office of the National Coordinator for Health Information Technology, while only 9.4 percent of hospitals used a basic electronic record system in 2008, 96.9 percent of them were using certified electronic record systems in 2014.

This explosive growth rate is alarming and indicates that health care entities could not have developed the organizational readiness to adopt information technologies over such a short period of time. Many of the small- or medium-sized health care organizations do not view IT as an integral part of medical care but rather consider it a mandate that was forced on them by larger hospitals or the federal government. For precisely this reason, health care organizations do not prioritize IT and security technologies in their investments and thus do not allocate the resources required to secure their IT systems, which makes them especially vulnerable to privacy breaches.

After the Centers for Medicare and Medicaid Services implemented its meaningful use program, almost every hospital went digital, but the information security expertise and technologies needed to protect health data were not there. Hospitals' main mission was to provide medical care; they were not focused on protecting data.

When it comes to data protection, big technology companies are the warships, and hospitals are small rubber dinghies in a sea of hacker sharks. Since IT has not historically been an integral part of medical services, hospitals have lagged behind other industries in investing in security technologies and attracting top IT talent, and thus have become especially weak and vulnerable to IT attacks.

Hospitals cannot tolerate the consequences of computer lockdowns. If Wal-Mart gets attacked, it will likely shut down for a short period of time and fix the issue. Over that time, the company may not be able to sell products, and it may hear from dissatisfied customers and disgruntled shareholders. But such an issue will only incur a limited financial loss for Wal-Mart.

Hospitals, on the other hand, are dealing with patients' lives. They cannot stop treating patients or turn them away. They need their IT networks to be up and running 24/7; otherwise, patients may be seriously harmed by longer wait times. If patients are harmed and their safety and medical care are undermined as a result of a ransomware attack, one that could have been prevented had hospitals not neglected their IT security, then hefty lawsuits from patients will be inevitable. That is why hospitals are more than willing to pay the requested ransom as soon as possible and regain access to their computers before it's too late.

Given the technical vulnerability of hospitals to hackers and their willingness to pay the ransom, we should expect many more ransomware attacks. On the bright side, it appears that hackers have found an easier and more lucrative way to make their money and have lost their appetite for stealing medical records. While these new types of attacks are a major threat to patient safety, they are unlikely to undermine patient privacy. Selling stolen patient data is much more onerous, risky and less profitable than demanding a ransom.

Hospitals are now feeling the sting of their negligence in information security technologies. These incidents are a wake-up call to the industry; hospitals must understand that information and security technologies are no longer overhead but are instead integral parts of modern medical care.