Cybersecurity Year in Review: 2021

Dec. 20, 2021
Highlights of 2021 include the attack on Scripps Health in May, CynergisTek’s fourth annual report finding that 64 percent of organizations were below an 80-percent level of preparedness, and an update on Log4j

This year started off, unfortunately, on the wrong foot when it came to cybersecurity. On Feb. 15, we reported that throughout 2020, 92 individual ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and over 18 million patient records. The estimated total cost of these attacks is nearly $21 billion, according to a recent analysis from Kent, U.K.-based security company Comparitech.

Just one day later, on Feb. 16, we reported that an examination of 30 popular mobile health apps revealed that fully 100 percent of them are vulnerable to application programming interface (API) cyberattacks that can allow unauthorized access to full patient records, including protected health information (PHI), and personally identifiable information (PII).

The study, conducted by Edinburgh, U.K.-based API security company Approov and Las Vegas-based cybersecurity content company Knight Ink, underscores the API shielding actions now urgently required to protect mHealth apps from API abuse, the organizations’ leaders assert.

Things didn’t get better as the year progressed. On May 4, we reported that the San Diego-based Scripps Health was still trying to put the pieces together and organize critical patient data following a ransomware attack over the previous weekend that compromised the health system’s technology servers, according to multiple media reports.

Later that same month, we reported on May 26 that the FBI had recently released an alert warning that Conti ransomware attacks have been targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. At that time, the Bureau identified 16 attacks targeting these organizations nationwide.

On July 30, we reported that U.S. hospitals and health systems are woefully unprepared for the intensifying cybersecurity threats facing them, the annual report of the Austin, Texas-based CynergisTek consulting firm found.

CynergisTek’s leaders, in their fourth annual report on the state of U.S. health system cybersecurity preparedness, entitled “Maturity Paradox: New World, New Threats, New Focus,” found in their analysis that fully 64 percent of organizations were below an 80-percent level of preparedness.

In August, the Healthcare Innovation team attended HIMSS21 and sat in on a number of cybersecurity sessions and panels. We reported live from the show on Tuesday, Aug. 10 at the Sands Convention Center in Las Vegas on the cybersecurity keynote titled “Healthcare Cybersecurity Resilience in the Face of Adversity,” which stressed the importance of resilience in cybersecurity strategies.

The discussion was moderated by Jigar Kadakia, chief information security and privacy officer at Mass General Brigham. The panelists were Michael Coates, former CISO of Twitter and former head of security at Mozilla; Keren Elazari, cyber security analyst, author, and researcher; Admiral Michael Rogers, former director, National Security Agency and former Commander, U.S. Cyber Command; and Alex Stamos, founding partner, Krebs Stamos Group, former CSO, Facebook, and former CISO, Yahoo.

When discussing resiliency, Coates said, “The most important thing to take away with resiliency is that it should be boring. We should get away from sexy cybersecurity. What builds resiliency is fundamentals. It is boring and hard doing the things you know you need to do across the board for your organization all the time, but it is what you need to do.”

Adm. Rogers added that “Because we didn’t focus on resilience, we increased the probability of successful penetration. So, what does that mean for us?” He explained that the actors are getting more aggressive, and that he knew things were fundamentally changing when he saw “regular” criminals carrying out attacks that he had previously seen only from nation-state hackers, such as attacking the supply chain. He added that “We need to step back and reassess.”

Later, in an interview published Aug. 27, Healthcare Innovation had the pleasure of speaking on Aug. 24 with Austin, Texas-based CynergisTek’s Mac McMillan regarding the current state and the future of cybersecurity, cyber insurance, and ransomware for our industry. McMillan was reappointed CEO and president of the company in late July.

Commenting on cyber insurance, McMillan said, “When you look at cyber insurance, look at it as something that is only going to address the cost of the incident as it relates to the response of the incident, in most cases. It is not going to cover all of the cost of an incident. So, when you start looking at these incidents and how large they are, and the insurance companies are looking to protect themselves as well, even a $21 million payout is a significant payout.”

“So, if I’m the insurance company, how do I reduce the number of payouts that I have that meet that threshold? I make it harder for you to get the insurance,” he continued. “I up the ante with respect to the underwriting requirements, I give you more specific requirements that you have to meet, and if you don’t meet those requirements, I don’t cover you or I raise your premiums significantly. The message hospitals have been receiving recently is that their premiums are going to go up four to six times, which is huge, unless you can answer yes or have done all of these things.”

Then, on Oct. 6, as if the industry needed more bad news, we reported on the first credible public claim that a death was caused, at least in part, by ransomware, which The Wall Street Journal had first reported on Sept. 30. An Alabama woman, whose 9-month-old child died, has filed a lawsuit against Springhill Medical Center (located in Mobile, Ala.), where her daughter was born.

According to a CBS News article, “Springhill Medical Center was besieged by a ransomware attack when Nicko Silar was born July 17, 2019. The resulting failure of electronic devices meant a doctor could not properly monitor the child's condition during delivery, according to the lawsuit by Teiranni Kidd, the child's mother.”

The cybersecurity talent drought is a serious issue, but some organizations are making moves to change that. On Oct. 25, we reported that the Arlington, Va.-based Cybersecurity and Infrastructure Security Agency (CISA) announced via a press release that it had awarded $2 million to two organizations for the development of cyber workforce training programs. The organizations, NPower and CyberWarrior, will focus on the unemployed and underemployed, underserved communities in urban and rural areas, as well as underserved populations including veterans, military spouses, women, and people of color. These awards are the first of their kind from CISA and coincided with the third week of CISA’s Cybersecurity Summit and its theme, “Team Awesome: The Cyber Workforce.”

The Brooklyn-based NPower is a national nonprofit, rooted in community, that is committed to advancing race and gender equity in the tech industry. The Minneapolis-based CyberWarrior Foundation increases opportunity and economic mobility for people of all backgrounds via training, mentorship, and technology.

In an interview that posted Nov. 16, Healthcare Innovation spoke with cyber expert Richard Staynings to discuss the current cybersecurity talent drought and the importance of educating CEOs and boards of directors about cyber risks.

Asked what, if anything, will drive hospital CEOs and boards of directors to prioritize cybersecurity, Staynings answered, “New regulation.” He continued: “We saw some minor updates to The Health Insurance Portability and Accountability Act of 1996 (HIPAA) through The Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Omnibus Rule. Perhaps it is going to take changes to the Joint Commission, which deals with patient safety, to say cybersecurity is now one of your major concerns around patient safety. It's no longer about people slipping on a wet floor or other clinical errors as a result of failures in healthcare. Maybe we need a new regulation that manages privacy and security and healthcare systems. Regulation was what drove cybersecurity back in the early 2000s and late 90s. I'm not a big fan of regulation, but perhaps that's what it's going to take. Even though we've got ever-rising litigation against healthcare entities, the message doesn't seem to be getting through. CEOs tend to be more short term now than they ever were before. They're there for three, four, five years, and then they're out. They take their bonuses with them, and they’re gone scot-free on to their next role in another hospital.”

Staynings added that “There's this mentality that it won't happen on my watch. A year ago, I heard CEOs say, ransomware is kind of worrying, but it probably won't happen on my watch. I'm a small hospital system. No one's going to come after me. They plainly don't understand that ransomware is a broadcast attack, and it is phishing, spam, whatever that is sent out, and they're just waiting for a user to click on it, click on a link, and then they've got you.”

“Maybe we need to change liability,” he continued. “Make CEOs personally liable for more of what goes on in their hospital networks. That won't be popular at all with hospital CEOs, but they've got directors’ insurance now, which basically absolves them from any wrongdoing whatsoever. We've also seen a growth in insurance that many are using as a form of risk mitigation and risk transference to the insurance company, rather than deal with the fundamental problems of the lack of or inadequate security to protect against the ransomware attack.”

Finally, to wrap up the year, McMillan, in a contributed statement, explains what's going on right now with the security flaw in Apache Log4j, a popular open-source library that is commonly embedded and ubiquitous, found in millions of web-enabled systems, and why this cybersecurity crisis matters.
