As anyone who isn’t living in a cave—and perhaps some individuals who are living in caves—must be aware, the current landscape around cybersecurity is the most urgent and challenging ever. Just to take a single example, as Senior Contributing Editor David Raths wrote on May 14, “As San Diego-based Scripps Health continues its efforts to restore online systems after a cyberattack on May 1, a ransomware attack has caused the Health Service Executive, the publicly funded healthcare system in the Republic of Ireland, to shut down its IT systems to protect against further attack. A BBC story noted that Ossian Smyth, minister for public procurement and eGovernment, spoke to reporters and said it was an international attack. ‘These are cybercriminal gangs, looking for money,’ Smyth said. ‘What they're attempting to do is to encrypt and lock away our data, and then to try to ransom it back to us for money. It's widespread. It is very significant, and possibly the most significant cybercrime attack on the Irish State.’ The BBC also reported that the National Cyber Security Centre (NCSC) has said the HSE became aware of a significant ransomware attack on some of its systems in the early hours of Friday morning. In a tweet, Ireland's Health Minister Stephen Donnelly said the incident was ‘having a severe impact on our health and social care services today, but individual services and hospital groups are impacted in different ways.’”
The BBC article reported a number of very alarming elements in the Irish disruption, among them that “Dublin's Rotunda Hospital has cancelled outpatients visits, due to a ‘critical emergency,’ unless women are 36 weeks pregnant or later. All gynecology clinics are cancelled. It said those with any urgent concerns should attend”; “The National Maternity Hospital in Dublin also said there would be significant disruption’ to its services on Friday ‘due to a major IT issue’”; and “Children's Health Ireland (CHI) at Crumlin Hospital advised people there were delays and all virtual/online appointments had been cancelled.”
And as I wrote on April 27, “The Westport, Connecticut-based cybersecurity consulting firm Coveware has just released a report that confirms the very worst: ransomware attacks are intensifying across all U.S. industries, including healthcare. Indeed, the firm estimates that, in the first quarter of 2021, 11.6 percent of ransomware attacks hit healthcare, putting the healthcare industry in a tie for second place, together with the public sector, and behind professional services at 24.9 percent, but far ahead of such industries as transportation (4.9 percent) real estate (3.6 percent), utilities (3.1 percent), and retailing (2.7 percent). What’s more, the average ransom paid to hackers in the first quarter of 2021 was $220,298, up fully 43 percent from in the fourth quarter of 2020. Entitled “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” the report was published on Coveware’s website on April 26.”
Note that healthcare was in a tie for second place among all industries in the first quarter of this year—tied with the public sector, though behind professional services—yet far a head of transportation, utilities, and retailing—and with devastating financial consequences for our industry. As the Coveware people noted, “Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data. Q1 saw a reversal of average and median ransom amounts. The averages in Q1 were pulled up by a raft of data exfiltration attacks by one specific threat actor group that opportunistically leveraged a unique vulnerability.” Indeed, Coveware noted that “The average ransom payment increased 43 percent to $220,298 from $154,108 in Q4 of 2020. The median payment in Q1 also increased to $78,398 from $49,450, a 58 percent increase.” For patient care organizations in our industry, such payouts are already terrible, and could become devastating. There’s also this important line from the Coveware report: “The data will not be credibly destroyed. Victims should assume it will be traded to other threat actors, sold, misplaced, or held for a second/future extortion attempt.”
Clearly, things are getting worse—and worse. And yet, in a moment in which many patient care organizations across the U.S. are only now beginning to regain financial traction, following the virtual shutdown of elective procedures during the spring of 2020, the funds to spend on cybersecurity tools are going to continue to be fairly constrained inside budgets in hospitals, medical groups, and health systems nationwide, for some time to come. What’s the solution?
Well, honestly, one of the elements in all of this will be governance and project management around the purchase of cybersecurity tools and around the operationalization of those tools. Healthcare cybersecurity experts have been telling us at Healthcare Innovation that one big problem has been that many leaders in hospitals, medical groups, and health systems are still just “going out and buying stuff”—meaning that the lack of governance and project management around cybersecurity tool purchases can significantly negatively impact the optimization of the use of those tools.
But here’s the good news: we will be discussing this very topic next Wednesday, May 26, during our digital event on “Securing Your Digital Future.” During our very first session of the day (10-11 AM eastern time), entitled “Investing in the Right Cyber Tools and Services for Your Organization,” I’ll be discussing this topic with a panel of provider leaders and solutions providers. We will in fact be plunging into these issues, and I anticipate that the discussion will be helpful to those in our audience who are managing these issues and evolving forward their organizations’ implementation of these extremely important tools.
I think it will be an excellent discussion, and we welcome everyone to attend. And, as always, the industry-wide dialogue will move forward in this area. It will be fascinating to see what it’s like five years from now, or even two. And of course, the reality is that the threat vectors are only intensifying over time, so this is not a level playing field—and patient care organization leaders will always need to be catching up.
