Common Spirit Health is one of the latest major hospital groups to grapple with cybersecurity issues that not only affect operations but could compromise patient privacy.
In October the hospital system reported it was the victim of a ransomware attack, interrupting operations at the Chicago-based system that operates 140 hospitals and more than 1,500 care sites in 21 states.
The cybersecurity experts we consulted said attacks on hospitals are likely to increase, posing risks to patient privacy.
Matt Mullins, senior security researcher at Cybrary, a cybersecurity training firm, says hospital networks are significantly more vulnerable than standard networks for the simple reason that healthcare has a unique focus compared to other industries. That’s because the data has to always be readily accessible for practitioners.
Not only is it easier for hackers to access that data, Mullins says the data is highly prized information.
“It can be used for blackmail or phishing, and it can be used for fraud,” Mullins told ConsumerAffairs. “This data is more useful in that it is easier to access and it allows for identity theft. Identity theft is much harder to ‘shut down’ than it is to roll a new credit card number or account!”
Valuable data
In a cyber attack, Frank Ricotta, CEO & founder at BurstIQ, a health data management company, says hackers go for patients’ personally identifiable information (PII) and personal health information (PHI) because it’s considered more valuable.
“The value of health data sold on the dark web can get upwards of 500 times more than other personal information such as Social Security numbers or credit cards,” Ricotta told us. “This data can be used to file false medical claims, get prescriptions and medical treatment, and more. And unlike a credit card breach that can be identified and resolved quickly, PII and PHI can be used long after a breach has been detected and used repeatedly.”
Irina Tsukerman, president of Scarab Rising, Inc., a media and security strategic advisory group, says networks aren’t the only area of hospital technology vulnerable to hackers. That vulnerability poses the risk of more than just compromised data.
“A recent study found that half of internet-connected devices in hospitals are vulnerable to exploitation, with IV pumps - a direct risk to patients - being a particular vulnerability,” Tsukerman said. “The Cynerio report analyzed data from over 10 million devices at over 300 hospitals and health care facilities globally, which the company collected through connectors attached to the devices as part of its security platform. This makes hospital one of the most desirable targets for hackers.”
Hospitals spend less on security
Sanjay Raja, vice president of Product Marketing and Solutions at Gurucul, a security analytics firm, says economic factors also play a role. He says hospitals continue to bear the financial burden of treating COVID-19 patients which reduces other, more profitable services.
“This has led to a shortfall in revenues from other services causing constrained budgets, a lack of resources, and overburdened security teams,” Raja said. “Threat actors have purposefully targeted healthcare providers knowing how overwhelmed IT and security staff already are and how catastrophic ransomware or other disruption can be in the treatment of patients.”
Is there anything hospitals can do to better protect their networks from attack? Raja says perimeter defenses and patches have proved “fairly useless” against a hacker determined to get inside.
He recommends an accurate and more automated threat detection, investigation, and response solution that provides earlier and more accurate threat detection.
Mullins says he believes that, up until now, hospitals haven’t approached cybersecurity with enough “seriousness.”
Tsukerman says hospitals need to train all personnel in "best industry" practices in cybersecurity and enforce and reevaluate recommended security protocols, which should include physical maintenance and strengthening of networks.