It’s a call no IT leader wants to get. We’ve been breached.
Heather Nelson found herself on the receiving end of that dreaded call in December 2021 when her hospital’s workforce management vendor was compromised by a ransomware attack, crippling their payment systems. “Fortunately, it wasn’t a clinical care or a medical device vendor, but people still needed to get paid. It was the end of the year; the holidays were here,” says Nelson, M.H.A., senior vice president and chief information officer at Boston Children’s Hospital.
From there, Nelson and her team sprang into action. Pipelines to and from the vendor were shuttered. The business continuity team was convened, and next steps were planned—including moving to paper payments and manual processes while employee badges and time clocks were down. “We had to scramble, but it was our number-one priority,” Nelson says. Though the outage was a major inconvenience, it served as an important reminder: The cybersecurity threat is real and constant; the importance of vigilance is paramount.
More than financial risks
The stakes have never been higher for companies to protect their technology systems and the data their customers trust them to keep safe. According to the most recent “Cost of a Data Breach Report,” compiled by IBM Security and Ponemon Institute, the average cost of a data breach reached $4.35 million in 2022—an all-time high.
The price tag is much higher in health care. For the 12th consecutive year, health care topped the study’s list of analyzed industries, with its average data breach running more than $10 million—up nearly 10% from just a year ago.
And the potential damage cuts much deeper than just dollars and cents. Compromised patient data can cause irreparable harm to a hospital’s reputation and erode trust among the families it serves. Distributed denial-of-service (DDoS) and ransomware attacks can disrupt services, potentially leading to disastrous outcomes. A 2019 ransomware attack at a community hospital in Alabama hospital may have contributed to a baby being born with severe brain damage and dying a few months later. The infant’s mother alleges in a lawsuit against the hospital that the cyberattack caused her child’s death.
“I talk to my team a lot about the real impact in the work we do in keeping information safe and keeping systems up and operational,” says Angela Johnson, chief information security officer at Children’s Wisconsin in Milwaukee. “That’s one of the reasons I am very meticulous about what we’re doing and how we’re doing, making sure we’re protecting each and every one of our patients, so they have the best possible outcomes.”
Exacerbating the challenge facing children’s hospitals is the inclination of cybercriminals to target health care organizations. A recent study conducted by cybersecurity firm Sophos revealed that two-thirds of health care organizations surveyed faced a ransomware attack in 2021—nearly double the number of those attacks from the year before. But why?
Opportunism. Cyberattacks against hospitals have risen exponentially since the onset of COVID-19, as bad actors seek to take advantage of stressed staffers and health care resources stretched thin by the pandemic response.
Valuable data. Protected health information (PHI) is much more robust than financial account or credit card data, typically containing more personally identifiable details. It’s more permanent, making a breach harder to detect and resolve compared to cancelling a credit card if it is breached. And there are many ways for hackers to use that data on the dark web, including purchasing prescriptions, receiving treatment or making fake medical claims.
Ransom collection. Because a hospital’s technology is integral to its operations—and patients’ lives could hang in the balance—they are more likely to pay ransom to recover their data. More than 60% of health care organizations reported paying ransom in 2021, compared to the overall average of 46%, according to the Sophos study.
While the threat of cyberattacks is high, there are steps children’s hospitals can take to help safeguard networks and patient information. Here are five ways to create safer systems.
1. Educate staff
Johnson has seen it all during her nearly two decades working in information systems. What she sees now is a rapidly evolving complexity in the schemes hackers are using to break into networks. “Back in the day, you’d get this email with poor grammar and shoddy graphics—it just didn’t read well,” Johnson says. “Now, it’s really hard to tell the difference between something real and something fake.”
The hackers have not only become more sophisticated but also more persistent. HIPAA-compliant email provider Paubox reports that malicious emails targeting health care institutions have risen 600% since the pandemic began. As a result, phishing schemes account for 16% of data breaches, second only to stolen or compromised credentials, according to the IBM/Ponemon report.
While the massive increase in phishing attempts suggest a wide net of polished emails sent at scale, there’s also a movement toward more targeted attempts. “We have someone now who’s been texting our executives, pretending to be our CEO,” Johnson says. “They’re saying, ‘Hey, it’s your CEO, call me—I need you to do something for me.’”
The deluge of emails—and texts—isn’t likely to subside. The most effective means to combat them is education and awareness. “Embedding some of the user security education into your culture is one of the most powerful tools available,” says Edward Kopetsky, senior vice president and chief information officer at Stanford Medicine Children’s Health in Palo Alto, California. “We’re a team of 15—we can’t be everywhere—so we count on our people being able to recognize and report phishing emails.”
2. Vet vendors
Facilitating faster and better patient care today requires a dizzying array of machines and systems communicating with each other. Patient EMRs are connected to laboratory and radiology systems, insurance networks, durable equipment systems, artificial intelligence modelers and more. These interactions benefit the patient’s outcome but can also pose a security risk—they’re often managed by third-party vendors and require patient data to make the systems work.
“That’s something we take very seriously, and, like most organizations, we conduct a very detailed security assessment when we’re looking to partner with new vendors,” Nelson says. “Accountability has to be on both sides, and those third-party vendors must have security standards in writing, including how they’ll handle their clients if they have a breach.”
Beyond ensuring potential vendors have strong security governance in place and understanding contingency plans, Kopetsky adds it’s vital to have a contractual understanding around all aspects of your data before entering an agreement. “You need to start talking upfront: what are they going to do with the data, and how are they going to use it?” Kopetsky says. “And especially important, when are they going to delete it?”
3. Segment devices and networks
There’s a litany of pumps, sensors, workstations and other devices in most hospital rooms. Kopetsky says the patient rooms at Stanford Medicine Children’s Health each average about 18 connected devices. But there is—and should be—flexibility in how those machines are allowed to interact.
Microsoft says 99.9% of the compromised accounts they track every month don’t use multi-factor authentication.
Segmenting the organization’s network both reduces access points and lessens the impact of a breach. Segmentation may look like separating the guest Wi-Fi network from the Wi-Fi network connected to medical devices or allowing pumps to interact with the EMR but not have access to the internet. “We do a lot of strategic architecture within our networks,” Johnson says. “It’s like we have this 10,000-lane highway and everybody has a lane—and I’ve got concrete barriers in between the right ones.”
4. Require multi-factor authentication
Use of stolen or compromised credentials remains the most common cause of a data breach—accounting for about one of every five incidents, according to the IBM/Ponemon report. Multi-factor authentication (MFA) is a relatively simple solution hospitals can employ to ward off unauthorized logins. Microsoft says 99.9% of the compromised accounts they track every month don’t use MFA.
“Multi-factor authentication is key—it’s one of those easy deterrents, like locking your door at night.” Johnson says. It’s important to devise an MFA solution that doesn’t significantly impede workflow efficiency, according to Johnson. At Children’s Wisconsin, that means a badge tap plus password for clinical providers and a password plus random-code-generating token for non-clinical employees.
5. Build relationships
When Boston Children’s Hospital thwarted a recently attempted cyberattack, it received an assist from an outside source: the FBI. “We have a very good relationship with the local FBI agents here in Boston and nationally, and they were the ones who notified us that there was a breach within our HVAC system,” Nelson says.
The tip enabled the hospital to quickly isolate the problem before any damage could be done and before patient operations were threatened. “It could have brought our hospital operations to a halt,” Nelson says. “We couldn’t have done it had we not had that relationship.”
Beyond her contacts in law enforcement, Nelson also cultivates relationships with her counterparts in information technology and security to keep current. Hackers’ schemes are constantly evolving and becoming more complex. Cybersecurity best practices are always updating. Maintaining a strong network of colleagues is critical to staying ahead of the game.
A survey of more than 600 health care organizations found 89% experienced a cyberattack in the past year.
“Learn from others and talk to your peers to see what they are doing—I’m not afraid to ask so that I’m not recreating the wheel,” Nelson says. “In our community and groups within CHA, we lean on each other all the time, always asking, ‘What do you need? Is there anything we can help with?’”
Life after a cyberattack
No matter how well planned and executed a cybersecurity strategy may be, almost every health care organization is going to face a cyberattack at some point. A recent Ponemon Institute survey of more than 600 health care organizations found that 89% had experienced a cyberattack in the past year.
There are several things children’s hospitals can do to minimize the damage of a cyberattack. First and foremost, undisrupted patient care is the top priority. The business continuity plan should consider how the organization continues to function following attacks on any part of the technology network. The incident response plan should have clear roles, responsibilities and processes for different situations.
Emergency notification systems are essential in alerting employees about security incidents and ensuring everyone is following the business continuity plan. “A lot of organizations leverage texting and personal emails,” Nelson says. “And if cell service is down, you just have your backup plans and do the best you can to get the word out, even if it’s just people walking the units.”
In the case of a ransom for a data breach, there’s risk to complying with cybercriminal demands. Sophos reports only 2% of those who paid received all their data back and the average amount of data recovered is just 65%. In some cases, the decryption software provided upon a ransom payment is ineffective or so slow that it can be faster to rebuild the lost data from backups.
“Even if you do pay, the hole those attackers came in could still be out there, so you need to fix that before you bring things back online,” Kopetsky says. “The other piece of this is sometimes the criminal organization will download your data—and after you pay them to decrypt your data, they might come back and ransom you again for the release of the information.”
The ability to recover organizational data after a crisis is largely dependent on having the data backed up. There are multiple options available for backup storage, but the key is ensuring it’s not redundant with your primary data storage method. “If you’re hit by ransomware and you get locked down, it doesn’t help if your backup is part of that lockdown,” Johnson says. “You must have your stuff backed up somewhere that’s accessible to you but not the bad people.”
Perhaps the most important aspect of any response plan is its readiness. Regularly scheduled tabletop exercises are an excellent way to solidify the plan and staff roles across the organization. “Running a tabletop exercise of a ransomware attack on your organization with your senior leaders and your legal team, you recognize these are all decisions that you’re going to have to make really quickly,” Nelson says. “We don’t want to impact patient operations or patient care, and there are a lot of lessons learned from it.”
Kopetsky says tabletop exercises are most effective when based on situations that have occurred at other health care institutions so there’s nothing hypothetical about the drill. And he says hospital leaders who aren’t regularly conducting tabletop exercises should insist upon these eye-opening simulations because they shed light on exposures to risk.
“I highly recommend them. I don’t know if I would call it a good experience, but it’s a necessary one,” Kopetsky says. “No one was laughing and smiling after our last one, but they definitely were like, ‘Wow, this is important.’”