Ransomware attacks on hospitals have been in the news a lot lately. Have security professionals done a good job of understanding and communicating that risk to healthcare executives? To be effective as security professionals we need to understand the business of the organization we are protecting. A hospital, or any health system, is a unique type of organization. If we don’t understand a hospital’s risks, we can’t be effective at understanding its cyber risks.
Let’s begin with some basics.
Principle 1: In healthcare, data confidentiality is not the main concern.
We’ve all heard of the C-I-A triad: security is about protecting the confidentiality, integrity, and availability of information. When we think about cyber risk for healthcare organizations, we usually think first about protecting the confidentiality of patient information – Protected Health Information (PHI). For many companies and industries that can be the primary concern. However, it is not the case for hospitals and health systems.
Why? Let’s look at the economics of a recent case study:
Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people.
(Emphasis mine.) Note that this was the second-largest fine in OCR history, and it amounted to $6.85 million for 10.4 million records, or about 66 cents per compromised record. I imagine Premera pays more per year for mailings explaining benefits than this fine.
On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system. The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015….OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
(Emphasis again mine.) PBC had systemic noncompliance in 2015 (and probably for many years before that). Five years later (September 2020) it was fined 66 cents per compromised record. The money PBC saved through years of “systemic noncompliance” was probably at least $6.85 million. We will of course have to see how the state attorneys general deal with PBC, so this is not over. However, despite the headlines, this will be a small price to pay, as most confidentiality breaches are.
More importantly, ransomware attacks on hospital systems such as Düsseldorf University Hospital and Universal Health Services (UHS) have the potential to harm patient safety. In fact, one patient death was reported as a result of the Düsseldorf University Hospital attack. Patient safety liabilities can dwarf the costs of data breaches.
Principle 2: Loss of revenue is more important than one-time breach costs.
Compromised PHI results in expenses due to fines, potential lawsuits, and corrective action plans agreed with regulators to improve security practices. But these expenses are usually “one-time hits” to the balance sheet. As a healthcare security veteran once told me, “people don’t cancel their surgeries if their health information is hacked.”
Ransomware changes the economics of a data breach. A health system should be more concerned about integrity and availability of information (and patient care systems) than confidentiality. Hospitals today are vitally dependent on information systems. Labs, radiology, patient records, billing, and medication dispensing are all dependent on information systems working properly. Think of just a few of the revenue impacts:
- Cancelled surgeries. Surgeries may ultimately be rescheduled. But keep in mind that hospitals have two customers – doctors and patients. Hospitals compete for doctors. Doctors who refer their patients to other hospitals (which have working systems) mean a loss of recurring revenue.
- Diversion of patients to other Emergency Rooms (ERs). This was the cause of the Düsseldorf University Hospital death. The emergency patient had to be diverted to a different hospital farther away and died during transport. This is a human tragedy and also a revenue issue. ER visits are a significant source of new inpatients. Closing the ER means fewer beds are being filled upstairs in the hospital.
- Billing losses. Hospital billing for medications, labs, and diagnostic tests is based on electronic systems. For example, many hospitals bill for medications when the drug is pulled from the dispensing system and its bar code is scanned. If computer systems are down, billing by nurses and technicians becomes a manual, paper-based process.
Principle 3: HIPAA isn’t helping much.
Unfortunately, HIPAA has fostered a compliance-based approach to security for many organizations. Often, senior management simply wants to know whether their health system is HIPAA compliant, which does not always equate to good security. Again, the threat was traditionally seen as a privacy breach of patient data. The ransomware threat changes that. Today’s ransomware threat actors are using fairly sophisticated tools, and some of them don’t care about the patient safety implications. Today, every HIPAA risk analysis should have a ransomware threat/vulnerability component and should explicitly demonstrate how the organization will defend against ransomware threats and, importantly, how it will test those defenses.
Hospital ransomware attacks are a serious and frightening threat. Security professionals need to understand healthcare economics in order to mitigate this threat effectively.