Hospitals run the cybersecurity gauntlet

Feb. 3, 2022
In the face of an unrelenting pandemic, healthcare organizations are also confronting a rise in cyber-attacks

While the focus of healthcare administrators has understandably been on Covid-19 over the past two years, it is imperative that these same administrators re-double (if not triple) their efforts when it comes to privacy and cybersecurity. The rise of Covid-19 has coincided with a rise in healthcare-related privacy concerns, as well as a growing number of cybersecurity attacks on healthcare organizations.

Indeed, just last month, Jackson Hospital in Florida found itself the subject of national headlines due to a cybersecurity attack that appears to have been partially thwarted and can serve as a lesson to other organizations.  

To aid in efforts to mitigate similar attacks, this article addresses:

  • Why healthcare is an attractive target for threat actors (those carrying out cybersecurity attacks);
  • The types of threats healthcare organizations are facing;
  • How healthcare organizations can prepare for and/or mitigate the impacts of cybersecurity attacks;
  • The potential ramifications for healthcare organizations of a cybersecurity attack.

Why Healthcare Organizations are Attractive Targets

A well-regarded cybersecurity expert is fond of saying that “data is dangerous.”  This is because data in the wrong hands can be used to realize illicit profits and to inflict other harm (such as embarrassment) on the subjects of that data. Thus, larger amounts of sensitive data present more danger than smaller amounts of less sensitive data. 

Given the sheer volume of data in the possession, custody and control of healthcare organizations, to say nothing of that data’s sensitivity, it is no wonder that the last several years have seen a marked increase in the number of cybersecurity attacks on healthcare organizations. In fact, according to a story published by HIPAA Journal in December, the U.S. Department of Health and Human Services’ Office for Civil Rights recorded 686 healthcare data breaches of 500 or more records in 2021, the highest number ever recorded by the agency. Additionally, these breaches resulted in approximately 45 million healthcare records being exposed or stolen.   

Because the data held by healthcare organizations can, at a minimum, affect the physical and mental well-being of patients, and can, in certain circumstances, quite literally mean the difference between life and death, the loss of such data creates, in the words of the fictional Col. Nathan R. Jessep, “grave danger.”  Unscrupulous individuals and organizations seek to leverage that sensitivity to advance their own goals by attacking the electronic systems relied on by both large and small healthcare organizations. Given their critical role in society, healthcare organizations have little choice but to identify and implement the quickest path to recovery from a cybersecurity attack (frequently, paying the ransom), irrespective of the collateral consequences that solution may entail.  That pressure to restore operations at almost any cost is what makes them among the most attractive cyber-targets.

Covid-19 has greatly exacerbated this danger.  For example, numerous healthcare organizations, some of which did not even exist before the pandemic, have grown exponentially.  That growth has been accompanied by the acquisition of vast amounts of sensitive health and financial data.  And, due to the large number of employees working remotely, the number of data access points has also increased (the more access points, the more opportunities for threat actors to wreak havoc).  Unfortunately, in some cases, Covid-related growth has come at the expense of sound, well-thought-out information security systems, and only time will tell how many healthcare organizations have proceeded prudently in racing to gain a physical presence on what seems like every street corner in America. 

Another point of concern is that many non-healthcare organizations have now found themselves entrusted with healthcare information.  For example, schools and employers are now tracking vaccination status, the basis for vaccination exemptions, Covid-positivity status and the like.  Importantly, they may be doing so without the infrastructure necessary to protect this information.  

While some may discount the value of a sliver of seemingly innocuous healthcare information provided to an employer (such as vaccination status), skilled threat actors compile information from multiple sources about an individual or organization to mount a larger and more impactful attack.  By learning a patient’s healthcare provider, or a password the patient reuses, from an employer’s less protected systems, for instance, a threat actor can gain access to the patient’s more sensitive data stored elsewhere.  All of the foregoing push healthcare organizations, and organizations that hold healthcare information, to the top of threat actors’ target lists. 

The Types of Threats Healthcare Organizations are Facing

Ransomware is by far the most common threat that healthcare organizations are facing.  In a ransomware attack, a threat actor encrypts files and systems, blocking access to them until the victim pays a ransom, usually in cryptocurrency, for the decryption key; increasingly, the threat actor also copies the data beforehand and threatens to publish it if the ransom is not paid. There are a number of ways a threat actor may gain the foothold needed to deploy ransomware: by “hacking” into the system through weak security or stolen or easily guessed passwords (remote-access services without multi-factor authentication are a favorite), through a social engineering attack (tricking a user into granting access), and/or by delivering malware (harmful programming) to an unsuspecting user, usually by means of a “spoofed” email containing a seemingly innocuous, but actually dangerous, link or attachment. 
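The “spoofed” email described above usually gives itself away in its headers and links. As an added example (not code from the article or from any hospital), the script below runs three header-level heuristics over constructed sample messages: a display name that borrows a trusted brand while the address is external, a Return-Path (envelope sender) whose domain differs from the From domain, and visible link text that names one host while the href points to another. The hospital.example domain, the sample messages and the TRUSTED_DOMAINS setting are all assumptions made for illustration; a production mail gateway would rely on SPF, DKIM and DMARC results rather than these heuristics alone.

```python
"""Header/link heuristics for the spoofed-email lure described above.

Added example, not from the article. The hospital.example domain and
the sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed internal domain (hypothetical); a real deployment lists its own.
TRUSTED_DOMAINS = {"hospital.example"}

# Matches a bare or URL-prefixed host name inside visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a list of findings; an empty list means no heuristic fired."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display name borrows a trusted brand while the address is external.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in name.lower():
                findings.append(f"display-name spoof: '{name}' <{addr}>")

    # 2. Envelope sender (Return-Path) domain differs from the From domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_domain:
        findings.append(f"return-path mismatch: {return_path} vs {addr}")

    # 3. Visible link text names one host, the href goes to another.
    extractor = _LinkExtractor()
    extractor.feed(msg.get_payload())
    for href, text in extractor.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link mismatch: shows '{text}' but goes to {href_host}")

    return findings


# Constructed sample messages (single-part HTML bodies for brevity).
PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Hospital IT Helpdesk" <helpdesk@hospital-it-support.example.net>
To: nurse@hospital.example
Subject: Action required: password expiring
Content-Type: text/html

<html><body><p>Your password expires today. Sign in at
<a href="http://login.hospital-it-support.example.net/reset">https://portal.hospital.example/login</a>
to keep access.</p></body></html>
"""

LEGIT = """\
Return-Path: <helpdesk@hospital.example>
From: "Hospital IT Helpdesk" <helpdesk@hospital.example>
To: nurse@hospital.example
Subject: Scheduled maintenance
Content-Type: text/html

<html><body><p>Portal down Saturday 02:00-04:00. Status:
<a href="https://portal.hospital.example/status">https://portal.hospital.example/status</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(sample) or ["clean"])
```

Run stand-alone, the script reports three findings for the constructed lure and none for the legitimate notice. The link check is the one most worth keeping in user training: hovering over a link to compare the shown host with the real destination is exactly what this heuristic automates.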

Another threat, and one that makes ransomware easier to spread, is the failure to devote adequate resources to cybersecurity.  Especially in the age of Covid-19, budgets at healthcare organizations are stretched thinner than ever due to a variety of factors, such as increased labor costs and lost revenue from postponed or cancelled elective or non-critical procedures.  As a result, cybersecurity may seem like a reasonable place to balance budgets, but it is not.  Reducing spending, or not sufficiently increasing it, can mean that hardware and software are not upgraded or patched and can fail, even without threat actors inflicting harm on those systems.  It also means that end-users are not sufficiently and regularly trained in recognizing attacks (such as not opening suspicious attachments that could result in the installation of ransomware) and in dealing with the aftermath of an attack (such as a doctor who does not know how to order a test or medication without electronic systems).  Finally, as healthcare organizations grow, consolidate, and in some cases close, care is often not taken to ensure that the data transferred as a result of that closure or acquisition is properly protected or, if necessary and appropriate, destroyed. 

How Healthcare Organizations Can Prepare For and/or Mitigate the Impacts of Attacks    

Healthcare organizations, like all organizations, must take a “when, not if” approach to cybersecurity.  They should, if large enough (and in any event where required by law), employ a chief information security officer (“CISO”) to manage all aspects of information security for the organization.  The CISO should work closely with internal and external information technology personnel, as well as with external experts in the field, to evaluate and remediate electronic systems as necessary. 

All of this should be done under the supervision and direction of qualified outside counsel so as to maximize the ability to shield these communications under the veil of attorney-client communication/attorney work product should regulators and/or a litigant later seek a roadmap following a security incident. For more information on this topic, read this article published last year by the New York State Bar Association (NYSBA).   

Organizations should have a written plan, easily accessible to all employees and kept in a form (including printed copies) that remains available when the network itself is down, describing how the organization will respond to a cybersecurity attack: who will be involved and what their roles will be.  Critically, in a healthcare organization, a cybersecurity response exercise cannot just be a boardroom exercise involving those whose job functions include cybersecurity matters.  All employees, from doctors to nurses to pharmacists, must know how to continue to provide patient care in the event they are blocked from their usual electronic systems, as would likely be the case in a ransomware attack. 

And this type of practice cannot just be the purview of large organizations. Smaller organizations are just as, if not more, vulnerable to attack.  Just because an organization is not well known does not mean that threat actors do not have their eyes set on it.  In fact, it may be more of a target if it is perceived as “low hanging fruit” that is easy to reach and easy to “squeeze juice from.”  As a result, smaller organizations must be just as vigilant when it comes to cybersecurity. 

In healthcare, an inability to “revert” to the delivery of healthcare without sophisticated information technology systems can be fatal, as alleged in a recently filed wrongful death case in Alabama, where the plaintiff alleges that a newborn died as a result of medical delivery failures stemming from the shutdown of a hospital’s information technology systems due to a ransomware attack. Fortunately, many healthcare organizations are preparing for these possibilities, with the aforementioned Jackson Hospital being one example – a quick acting IT professional appears to have recognized and mitigated the extent of an attack, while the healthcare professionals appear to have seamlessly transitioned to analog systems to continue to deliver patient care without disruption or incident. 

Cyber-insurance can also be an important part of attack mitigation.  Organizations should be cognizant of exactly what is covered and what is not covered under their policies.  They should be sure to comply with the coverage conditions required by their policies and they should avail themselves of the resources offered by their insurer in terms of professional assistance before and after an incident, as well as training and other services. 

The Potential Ramifications For Healthcare Organizations from a Cybersecurity Attack Are Many

Besides dealing with the attack itself (paying a ransom, lost revenue, the cost of rebuilding systems and the retention of outside professionals to recover from the attack), there are numerous other potential costs for healthcare organizations following a cyberattack.  First, regulators may impose fines and/or alter or revoke licensing as a result of violations of applicable privacy laws (state or federal, e.g., HIPAA).  Second, as previously described, private actions may be instituted by patients whose healthcare was impacted by the attack and/or by those whose data was improperly exfiltrated.  Third, if the organization pays the ransom, it may run afoul of federal sanctions laws (the Treasury Department’s Office of Foreign Assets Control has warned that payments to sanctioned threat actors can violate them) and/or the terms of its own insurance policies.  Fourth, if the attack was motivated by something other than money, such as attempting to make a political point, the organization may be forced to make detrimental policy changes or pronouncements.  Fifth, if the attack results in the release of private information about patients, patients may lose their faith in the organization, resulting in a loss of future patients (and revenue). 

In sum, there are a great many issues relating to privacy and cybersecurity that all organizations, not just those involved in healthcare, should carefully consider and prepare for in advance.  These challenges are best addressed with the assistance of capable professionals with the requisite legal and technical knowledge and experience. 

About the Author:

Erik B. Weinick practices in Otterbourg, P.C.’s Bankruptcy and Litigation Practices and is also a co-founder of the firm’s Privacy & Cybersecurity Practice. Throughout his career, Mr. Weinick has represented a wide array of commercial and financial firms, entrepreneurs, individuals, as well as domestic and foreign governmental agencies, before regulators, state and federal courts, and alternative dispute resolution tribunals. His experience includes privacy and cybersecurity, bankruptcy, commercial torts, defamation/slander, education, employment and labor, insurance, lender liability, non-competition agreements, professional malpractice, real estate, regulatory, SEC receiverships and unfair/deceptive trade practices.