“We will not negotiate with terrorists.”
Growing up in Washington, DC, I had friends and classmates from all over the world, many the children of ambassadors. As a result, international conflicts often felt quite personal, so, even at a young age, I took a keen interest.
On October 28, 1980, just prior to Election Day, I watched President Jimmy Carter and Ronald Reagan debate questions on security, domestic, economic, and foreign policy. With American hostages held in Iran for nearly a year, the US was clearly a target, and I wanted to understand how the next president would respond. Reagan famously stated, “There will be no negotiation with terrorists of any kind,” variations of which have become part of our lexicon. Of course, we now know that these situations are far more complex to prepare for and manage. As he spoke those words, many officials were working to negotiate the hostages’ release.
In recent weeks, several health care organizations have been held hostage by ransomware: attackers encrypt IT systems and the data on them, then demand payment for the key that unlocks them. The malicious software is often introduced through an email attachment or by deceiving authorized users into downloading files from a website. The immediate impact can be severe and costly, but the ultimate magnitude can be far more devastating and longer lasting than one might expect.
The initial costs of such an attack are straightforward. With systems down, productivity plummets and patient safety can be compromised. The cost of breach notifications and mitigation, public relations campaigns, legal fees, and necessary cybersecurity upgrades adds up quickly. But longer-term costs can eclipse those of the early stages: loss of contracts and intellectual property, erosion of reputation, higher insurance premiums, and even a higher cost of raising capital can persist long after the ransom is paid and systems are back online.
Why has health care become such a frequent target of cyber attacks? It’s simple:
- The data are valuable: Stolen personal health records can sell for up to $50 each on the black market, or about 50 times the value of a credit card number.1
- Penalties for a breach are high: HIPAA fines are tiered by the level of negligence and range from $100 to $50,000 per violation, with some settlements reaching upwards of $4 million in total.2,3
- Information is time-critical: With the adoption of electronic health records, providers now depend on systems to provide accurate, up-to-date information to make life-and-death decisions. Loss of these systems can cripple an organization’s ability to care for patients.
- Many systems are inadequately protected: Health care lags other industries, with complex IT environments that often contain outdated and, at times, orphaned applications lacking appropriate controls. Additionally, only about a third of health care employees undergo security training twice a year, and 6 percent receive no training at all.4
- Vulnerabilities are expanding: With broader sharing of health information, more individuals from more organizations have access to systems. Third-party vendors and suppliers often rely on their own so-called “fourth-party” vendors, creating additional opportunities for attack far removed from the original organization.
What can health care organizations do to protect their data? Heightened security, vigilance, and resilience will help health care organizations defend against and mitigate the impact of cyber attacks. Key considerations for organizations include:
- Secure: Has your health care organization deployed anti-malware capabilities? Does your organization encrypt confidential data, including patient data? Has your organization implemented a rigorous identity and access management system with strong authentication controls like one-time passwords?
- Vigilant: Does your organization monitor its network to enable timely detection of attacks and unusual behaviors? Does your organization have a cyber awareness program, including training on phishing attacks? Does your organization regularly perform vulnerability assessments and penetration testing?
- Resilient: As some of the best-defended systems in other industries have demonstrated, attacks will continue, and some will succeed despite our best efforts. In that case, resilience is key. Does your organization have the right team and skills to respond to a cyber incident? Does your organization have plans to protect mission-critical operations, and do you routinely exercise them? Are leaders in your organization prepared to work with regulators, legal counsel, and law enforcement during a cyber crisis?
Many organizations are unprepared, so they pay, and the attackers “free” the systems upon payment. Attacks are made, ransom is paid, and an unfortunate cycle is perpetuated. Victims hurry to get back to business while the criminals move on to their next target, confident of future success. But little is keeping them from coming back, so the threat continues to hang over organizations.
This cycle needs to be broken, not only because of the enormous long-term costs to organizations, but also because of the threat these attacks pose more broadly. The future of health care, including the transition from volume to value, the focus on prevention and wellness, the acceleration of research, and the ability to manage population health, depends upon the secure exchange of electronic data. For these initiatives to be successful, individuals need to trust the system.
On January 20, 1981, after 444 days in captivity, the hostages were freed as President Reagan was inaugurated (and billions in Iranian assets were released). Not long afterward, my classmates and I lined the street in front of our high school, cheering as the motorcade of former hostages drove by. I wondered then as I wonder now how quickly we will be able to respond and neutralize the evolving threat of terrorism.
1 Robert Lowes, Medscape, “Stolen EHR Charts Sell for $50 Each on Black Market,” April 28, 2014
2 HIPAA Journal, “What are the penalties for HIPAA violations?” June 24, 2015
3 Max Green, Becker’s Health IT & CIO Review, “15 of the biggest data breach settlements and HIPAA fines,” October 14, 2015
4 Maria Korolov, CSO, “Non-technical health care employees are too complacent about the possibility of a data breach,” October 13, 2015