Health care organizations are striking back at cyberattackers

In 2018, throughout the United States, the health care sector saw 15 million patient records compromised in 503 breaches. This was three times the number seen in 2017, according to the Protenus Barometer report, a quarterly snapshot of disclosed breaches impacting the health care industry.

Cyberattacks in health care are similar to attacks on enterprise organizations: publicly available vulnerability exploit kits (or preconfigured hacking tools) combined with misconfiguration and coding errors provide an open door for an aspiring hacker.

In fact, hacking has turned into a lucrative day job with better hours, higher pay and less risk/consequence compared to other illegal activities. It only takes one vulnerability in a single device to shut down an entire network and/or hospital until a ransom is paid. And on the black market, a single patient health record can sell for $1,000.

Hackers probe and scan the state of Minnesota's computers 3 million times per day. As a major health care hub, Minnesota has a host of high-profile health care insurance companies, medical device manufacturers, and provider networks, all of which face threats against cybersecurity every day.

Recently, we spoke with several health care IT experts in Minnesota, who all said cybersecurity has become a pivotal focus in their day-to-day planning activities. Whether securing protected personal health information (PHI) or safeguarding against targeted device attacks, cybersecurity is no longer an afterthought but, instead, something that is addressed in the early stages of IT development.

The threats include:

Device-specific attacks. There are many types of health care cybersecurity attacks. Perhaps the most sensationalized, yet the least likely, are attacks to implantable cardiac devices, whereby a hacker can hijack the device and administer shocks on command, disable the features, and intentionally wear out the battery. Similar vulnerabilities have been identified in drug infusion systems and insulin pumps.

Given the importance of cybersecurity, the FDA has updated its draft guidance for implementing security measures during device development. Security measures are no longer considered after a device is developed.

Phishing campaigns/targeted e-mail attacks. Health care organizations are high-value targets for cybercriminals due to the vast amount of personal information they store. The U.S. Department of Health and Human Services and health insurance company Anthem reached a settlement for $16 million following a phishing campaign that breached 78.8 million records.

E-mail fraud attacks have increased exponentially in the past two years and typically use the subject line "Payment," "Request," and "Urgent."

Some of the most effective methods for reducing successful phishing campaigns can be knowledge-based training simulations; upgrading security gateways; and deployment of Domain-Based Message Authentication, Reporting and Conformance (DMARC). DMARC is an e-mail authentication protocol designed to protect e-mail domain owners from unauthorized use, commonly known as e-mail spoofing.

Ransomware attacks. The 2017 worldwide "WannaCry" ransomware attack leveraged existing known vulnerabilities in Microsoft Windows operating systems and encrypted data on infected devices. In ransomware attacks, malware locks computers and demands a ransom in order to unlock the system. The vulnerable targets can range from common workstations to MRI machines to any device connected to the internet.

Two years after the first attack, 40% of health care organizations have experienced at least one WannaCry in the past six months. Armis, a system that tracks managed and unmanaged devices within an organization, issued a report that estimates more than 70 % of health care organizations worldwide are using an older Windows operating system (Windows 7 and older), which increases their vulnerability.

Misconfigured IT settings. An IT expert we talked with said that while collecting data to improve patient care is a worthy goal, it also increases the risk of data disclosure. Once it's out, it's out. If stolen, protected health information can't be replaced like a credit card, he said

In the case of Inmediata (a health care clearinghouse service), the personal and medical information of 1.5 million patients was exposed due to a webpage setting that allowed search engines to index internal webpages used for business operations. Fortunately, there are cybertools to help measure and test security environment and control settings.

Health care IT continues to become more complex, with extended delivery network expansion and the widespread adoption of internet-enabled devices. Local health care organizations have therefore deployed a number of cybertools, such as identity management to control access, privilege access management for password control, and web application firewall (WAF) to protect web servers and computer interfaces. They are using external resources and internal teams.

Each year, members of our corporate, academic, military and government sectors come together at an Annual Cyber Security Summit in Minneapolis to better understand the evolving threat landscape and discuss emerging technologies. The Ninth Annual Cyber Security Summit will be Oct. 28-30 at the Minneapolis Convention Center and is open to the public. See www.cybersecuritysummit.org.

Catharine Trebnickis co-chair of the 2019 Cyber Security Summit. She is a vice president and senior research analyst covering software and security at Dougherty & Company LLC. She can be reached at CTrebnick@doughertymarkets.com. Kyle Bauser is a vice president and senior research analyst covering medical devices at Dougherty. He can be reached at KBauser@doughertymarkets.com. The opinions expressed in the article are those of the authors only.

Editor's note: Submissions to be considered for publication in Business Forum can be e-mailed to doug.iverson@startribune.com. Please limit the length to 950 words or fewer and avoid self-promotion.