State of Cyber Attacks in Hospital Emergency Management 2019
Cyber attacks in hospitals are on the rise. In a 2019 survey of hospitals, 83 percent said that they had seen an increase in cyber attacks over the past year. Among those surveyed, 66 percent also said that cyber attacks had become more sophisticated.
Often these attacks involve ransomware, a type of malware that locks users out of their data until the victim pays a ransom. A 2016 US Department of Justice report found that that in 2016, on average, there were up to 4,000 ransomware attack attempts a day, a 300 percent increase from 2015. Between Q4 2018 and Q1 2019, hospitals saw a 195 percent increase in ransomware attacks.
These trends underscore the importance of making up-to-date cyber attack preparedness a standard part of hospital emergency management. This is a journey with many steps, specifically:
- Understanding what makes healthcare a frequent target of attacks
- Assessing the impact a cyber attack can have throughout your facility
- Implementing strategies and tools to mitigate the effects of a cyber attack
This blog is the first in a three-part series to help you strengthen your hospital’s emergency operations and continuity of operations and plans. You’ll also learn how to develop or enhance processes to make your cyber attack response more effective.
Cyber attacks increasingly target healthcare
The frightening fact is that the healthcare industry has become the leading target for cyber attacks, according to Steve Curren, MSFS, of the US Department of Health and Human Services. “Part of that trend is better reporting on healthcare breaches,” Curren said, “but it’s also an increased targeting of healthcare.”
Hospitals are particularly vulnerable. In a 2019 assessment of more than 20 industry sectors, Moody’s Investors Service rated hospitals among the four sectors with the highest risk of exposure to cyber attack. (The other three sectors were banks, securities firms, and financial market infrastructures.) Moody’s high-risk rating reflects the extent of the disaster that a cyber attack would cause, in particular the impact of financial losses. However, there are several other factors contributing to hospitals’ susceptibility to attack.
Increase in health IT adoption: Among the most significant factors is dependence on electronic health information. By early 2018, more than 95 percent of hospitals and 90 percent of office-based physicians had adopted electronic medical records. These records hold essential information, from current medications to patient care directives. Without fast access to this data, patient safety would be seriously jeopardized. In many hospitals, pharmacy and lab services, imaging, and even treatment devices also depend upon connections to the network.
Outdated security and communication systems: Reliance on technology has increased in healthcare settings, but cybersecurity has not. Though hospitals and other facilities direct their resources toward new and better IT, 95 percent of spending goes to implementation and adoption, with less than 5 percent of the IT budget spent on security. Staff may be trained on the importance of HIPAA compliance but receive little to no education on IT security. And new technologies are being developed faster than security measures can be devised to protect them. Finally, if hospital communication systems are dependent on the very network under attack, mitigation and continuity of operations can become crippled by disconnection.
History of cybercrime success: When the first hospital was hit with a ransomware attack in 2016, they negotiated a payment with the attackers. Hollywood Presbyterian Medical Center in Los Angeles eventually paid $17,000 to regain access to their network. From a short-term perspective, this amount might appear small compared to the potential revenue loss from interrupted services. This was also the case during the wave of SamSam ransomware attacks, where many hospitals paid a ransom to get back online. The effectiveness of this tactic makes it an attractive exploit for future cybercriminals.
Expanding attack surface: As the applications for health IT grow, so do the opportunities for malicious actors. As of 2017, 76 percent of hospitals used a telehealth system to provide healthcare services to patients remotely, a number that continues to rise. Patient portals are even more common, with an adoption rate of 92 percent. An increasing number of monitors and personal medical devices are connected to the hospital network and the internet. Securing all of these connections has become a Sisyphean task, creating huge vulnerability gaps.
It’s not surprising that so many of these factors revolve around the use of technology. As organizations begin to take stock of their cyber attack preparedness, it will be essential to consider emergency management solutions that do not depend on the network under attack. A cloud-based solution, such as LiveProcess Emergency Manager, provides hospitals a separate but secure means of continuing essential operations.
Consequences of a cyber attack for hospitals and other healthcare facilities
Hospitals that have experienced a cyber attack describe the impact as all-encompassing. According to one hospital administrator:
“This was by far the most far-reaching and devastating event I’ve ever been involved with in all my years of being in healthcare.”
The potential for catastrophic consequences reaches across every area of the hospital, with risks to data, patient care, facility operations and safety, and the organization’s reputation.
Pernicious data breaches
Data breaches are a highly publicized area of concern. The exposure of a patient’s protected health information (PHI) is a violation of HIPAA, and penalties are applied for each individual patient record exposed. Although penalties vary, fines apply even when the healthcare organization did not know and could not have reasonably known about the breach. But PHI is only the beginning. Hackers have also stolen provider and insurance data, which is often sold on the dark web. Using this information, criminals can forge physician identities and falsify prescriptions, health insurance cards, and drug labels.
Disruptions to patient care
Whether or not providers are locked out of their network, cyber attacks pose tremendous risk to patient care. As noted above, lacking access to EMR data would make many care decisions impossible. Without diagnosis information, lab results, or allergy lists, the possibility for provider error is high. One hospital administrator whose hospital experienced a cyber attack reported that even simple care became impossible:
“If [our Electronic Medical Record] goes down, we can’t check blood sugar levels … because our glucometers are set up to work after scanning a patient ID, so that it will automatically input the value into that patient’s chart. If you can’t scan the patient’s ID, because [the EMR] won’t receive the function, you can’t check the blood sugar.”
However even if data is accessible, it may not be trustworthy. The EMR can be tampered with, and researchers have even demonstrated how deep learning can be used to add or remove evidence of medical conditions from volumetric (3D) medical scans. This tactic could be used for purposes such as insurance fraud, research sabotage, or terrorism.
A failure in cybersecurity can also lead to diminished on-site security. Badge readers and security cameras may no longer be functional. If this happened, high-risk security areas and entry points would no longer be visible, putting staff and patients at risk. If the HVAC is on the network, it could become impossible to monitor or maintain appropriate temperature and ventilation. In such an event a facility could be forced to evacuate. These examples have been documented repeatedly in research on healthcare cyber attacks, but it is also possible that other areas, such as elevators, have been hacked into and stopped. If communication has also been shut down, situational awareness will be impossible to obtain.
Damage to reputation
Healthcare organizations that experience a cyber attack will also face the consequences to their reputation. Even when the organization is not at fault, some patients may feel that their care or their private information is not safe. There is even the possibility that a patient who experienced a poor outcome during a cyber attack could claim hospital liability, leaving a court to decide whether or not the cyber attack was a factor.
Current state of healthcare cyber attack readiness
While healthcare organizations are aware of the potential threat posed by cyber attacks, preparation for managing an attack is not at a mature stage in many facilities. In a recent survey, 70 percent of respondents reported that their organizations included cybersecurity in their facility risk assessment at least annually. Among those surveyed, nearly 70 percent also said that they were confident or very confident that their organization is able to handle cyberthreats to their network.
Yet when asked about specific preparedness actions, responses were less robust. Nearly half of respondents said either their organizations had never drilled or exercised a cyber attack scenario or they did not know if such drills had taken place. Only one-third had both an all-hazards emergency plan and business continuity plan in place that could be used for cyber attacks. This is in keeping with another survey of health IT professionals, in which 60 percent of respondents were not confident in the ability of their medical devices security strategies to protect patient care.
The top three barriers to healthcare cyber attack preparedness identified by respondents were the lack of financial resources, the lack of appropriate personnel, and the volume of new and emerging threats. Currently, funding for cybersecurity is surprisingly low. Federal funding for the Hospital Preparedness Program was cut by 50 percent from 2003 to 2017. In addition, while healthcare is the second biggest sector of the US economy, the healthcare industry spends about half as much on cybersecurity as other industries. As the rate of attacks and the cost of response continues to rise, it may be time to revisit how cybersecurity is prioritized.
How to prepare your healthcare organization for a cyber attack
This survey of the cybersecurity landscape makes three things clear:
- Healthcare organizations need to re-evaluate their cyber attack emergency management plans with a broader understanding of the risk.
- Healthcare organizations need communication and continuity solutions that are not dependent on their regular network.
- Healthcare organizations need enterprise and emergency management tools that enable situational awareness and collaborate across departments, facilities, and agencies.
A comprehensive emergency management platform such as LiveProcess can help organizations meet these needs. The next blog posts in this series will provide detailed information on cybersecurity risk assessment and mitigation strategies to reinforce your efforts to defend against cybercrime.
LiveProcess Emergency Manager is a proven system for emergency preparedness planning, mass notification and mobilization, real-time coordination and tracking. Hospitals and health systems, ambulatory centers, skilled nursing facilities, long-term care organizations, home health agencies, and public agencies use Emergency Manager to prepare for and respond to disaster events and for everyday disruptions.
More resources for cyber attack emergency management resources in hospitals and healthcare
The following sites provide valuable resources on this topic:
Read a case study about how a hospital used LiveProcess to provide continuity of services during a ransomware attack.
Read a blog post about all-hazards risk assessment.
Download our white paper about continuity of operations planning in healthcare.
Explore more resources for hospital emergency preparedness.
Learn about LiveProcess Emergency Manager.