Cyber Attacks Threaten Health and Safety

By Sai Huda, author, Next Level Cybersecurity

The healthcare care sector has become a key target for cyber attackers. Take the recent case of a U.S. hospital that suffered a ransomware attack that froze all computer systems. All systems, schedules, documents, and patient data became unavailable. Patients requiring urgent care had to be transferred to another hospital.

As the hours went by, the hospital realized it could not be down for much longer; otherwise, patients could die. So the hospital decided to pay the ransom to avoid loss of patient life and regain operations.

It is not only the patient data that the attackers are after, but it is also extracting a ransom because the bad actors have realized that with ransomware, they can instead disrupt operations and hold hostage patient health and safety until the money is paid.

Take the case of NHS England in the U.K., a few years ago, that fell victim to the WannaCry ransomware attack. In my book, Next Level Cybersecurity: Detect The Signals, Stop The Hack, I cover this case in detail, along with several other healthcare cases, such as Anthem in the U.S. and SingHealth in Singapore.

In the book, I show how the ransomware disrupted NHS England, impacting patient health and safety. Had a security researcher not discovered a “kill switch” the same day the ransomware propagated, the ransomware could have caused further damage, leading to possible deaths.

The book shows what a cyber-attack chain is and reveals the common signals to look for to detect the attacker or the ransomware itself in a timely manner, regardless of whether you are a healthcare organization or other type of entity.

Bad actors such as organized crime groups and rogue nation-states are going after the healthcare sector with more cyberattacks than ever before.

Here are some metrics for the healthcare sector:

• According to Health IT Security, the average cost of a data breach per organization is $2.2 million.
• Per IBM Security and Ponemon Institute, the cost of a data breach per record rose to $408 in 2018 from $380 in 2017. This is the highest cost per record among all sectors.
   

And now, ransomware has become a key threat to the healthcare sector, in addition to theft of patient data for sale in the dark web or for espionage or blackmail purposes by a rogue nation-state.

The U.S. Department of Health and Human Services (HHS), in partnership with the healthcare sector and the Health Sector Coordinating Council in December 2018, issued the publication “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.”

This publication sets the bar for the healthcare sector by providing practical, understandable, industry-led, cybersecurity best practices to manage cyber risk for small, medium, and large healthcare organizations:

• Small: 1 -10 physicians for a practice or 1-50 beds for a hospital.
• Medium: 11-50 physicians for a practice or 51-299 beds for a hospital.
• Large: Over 50 physicians for a practice or over 300 beds for a hospital.
   

It is a model based on the NIST Cybersecurity Framework, comprised of risk mitigation best practices mapped to five key threats and vulnerabilities specific to the healthcare sector, broken out by the small medium and large entity. The five key threats are:

• E-mail phishing attack
• Ransomware attack
• Loss or theft of equipment or data
• Insider, accidental or intentional data loss
• Attacks against connected medical devices
   

There are 5,000 hospitals in the U.S. alone, and all healthcare organizations must be proactive and not get caught by surprise by either a cyber-attack or an HHS audit or patient class-action lawsuit. The stakes are too high.

A regulatory audit or patient class-action lawsuit discovering non-compliance can be costly, but a cyberattack will be even more costly. So what can healthcare organizations do now?  Take the below five minute, five-question risk assessment. If you answer No to any of the questions, you have unmitigated risk and must take action immediately.

hEALTHCARE oRGANIZATION Five Minute Risk Assessment

Download Article

About the Author

Sai Huda is a globally recognized risk and cybersecurity expert, technology visionary, and business leader with more than 20 years of hands-on experience. He is the best-selling author of the game-changing book, Next Level Cybersecurity: Detect The Signals, Stop The Hack. It is a book like no other. It is based on intensive reviews of the world’s largest data breaches and ransomware attacks and reveals the secret to cybersecurity success – detect cyber attackers’ signals early. The book shows what those signals are and how to detect them in time to prevent loss or damage.  He served seven years as General Manager, Risk, Information Security and Compliance Solutions at Fidelity National Information Services, Inc. (FIS), a Fortune 500 company serving more than 20,000 clients globally. Under his leadership, FIS attained number 1 ranking in Chartis RiskTech100®.

Prior to FIS, he was the founder and CEO of Compliance Coach, Inc., an innovative company providing risk management software and consulting services to more than 1,500 clients in financial services, healthcare, and government sectors. Compliance Coach helped clients manage Information Security, Operational, and Compliance risks. Compliance Coach was acquired by FIS.

He serves as an expert consultant to boards and executives on risk and cybersecurity best practices. He is also a frequent keynote speaker at industry conferences. To find out more, visit the author’s website at www.saihuda.com. To obtain his book, Next Level Cybersecurity, please visit Amazon.