Cybersecurity in healthcare: Scary Stories from the frontlines
Cyberattacks look scary no matter where you’re standing, but they’re particularly frightening in healthcare, where the stakes are often life or death.
#ICYMI this was the topic of our Halloween Imprivata Live event “Scary Stories from Healthcare’s Frontline.” During the event, Imprivata CEO Fran Rosch and Dr. Sean Kelly, MD, Imprivata Chief Medical Officer and Sr. VP, Customer Strategy, Healthcare, discussed the direct impact of cyberattacks on patient care and the need for robust access management tools to protect healthcare organizations – and patients – from internal and external threats. The event also featured stories from other experts relaying how data breaches impact patient safety.
Cybersecurity is patient safety
Imprivata CEO Fran Rosch opened the discussion with a fictional story based in the all-too-true reality of cybercrime in healthcare.
He described a patient, Jane Doe, who’s been nervous for months about a scheduled surgery to remove a tumor from her lung on February 22, 2024. She thinks she’s prepared for anything, but when she arrives at the hospital on the day, “she finds chaos. People are running around, frantically on phones and computers, banging keypads. She's like, what's going on? And what she hears is there's been a cyberattack. They say, ‘your surgery has to be canceled, and we can't tell you when it's going to reschedule.’”
“The scariest part,” Rosch added, “is that this... actually could happen to any one of us.”
In fact, many individuals encountered this kind of terror on and after February 22, 2024, due to the Change Healthcare breach. “And that's what we're talking about this Halloween, the scary stories that happen – but more importantly, what we can do to mitigate the impact of these things.”
Why is healthcare so vulnerable to ransomware and cyber criminals?
For years now, it’s been clear that many ransomware attacks are targeting healthcare organizations. To help explain why that is, Dr. Sean Kelly introduced Greg Garcia, Executive Director of the Health Sector Coordinating Council - Cybersecurity (HSCC), who discussed this question in a recent expert roundtable.
“We're not just talking about the health care providers,” Garcia explained, “but the medical device companies, the pharmaceutical companies, the plans and payers, healthcare IT, and public health – they're all interconnected and increasingly interdependent due to digital technology. And the more digital technology you have spread out over more vulnerability points, the greater potential you've got for cyber threats.”
Dr. Kelly added to this line of thought by discussing how the Change Healthcare breach was “a wake-up call for the industry… healthcare systems couldn't put in insurance claims. They couldn't get paid. A lot of pharmacies could not fill prescriptions. So, we're talking about direct harm to patient care, and also revenue implications that were severe, impacting hospitals and health care systems to the point where they weren't sure if they could pay their rent and keep the lights on. They were literally worried about going out of business.”
How do the hackers get in?
The discussion then turned to how cyber criminals are breaking into healthcare systems. Dr. Kelly explained that the most common way is by stealing user credentials. And the ways hackers do this are, unfortunately, quite easy when users aren’t well-versed in cyber safety or when the hackers are good at social engineering tactics. Once they do a little online research into a company’s employees, a persuasive hacker can convince people that they’re someone else - someone authorized to have and change privileged credentials.
If an organization has multifactor authentication (MFA), then those credentials won’t be enough to break in. But if authentication only requires a username and password, the consequences can be devastating.
Dr. Kelly discussed how hospitals are often forced to shut down systems and revert to doing business on paper after a data breach. “You know, what that means for me is a lot of the systems that I'm used to, which have checks and balances and med interaction alerts and dosing alerts, and dosing for renal failure and liver failure, and all these other complex issues that our digital systems are so good at helping me navigate when I'm trying to diagnose and treat – well, all that goes away.”
He described the consequences of this for a major U.S. hospital system with over a hundred and thirty hospitals across the nation. After going to paper due to a breach, one nurse said that he almost gave a lethal dose of narcotics to a baby because the dosage wasn’t as clear in the paperwork as it would have been when everything was electronic.
Without EHR access and automated alerts to protect patients, “there are numerous cases of error and potential error with lab work, and administration of medicines, and clinicians not able to access data to understand that someone has an allergy to something or they're already on blood thinners. These are amazingly impactful clinical effects. It’s important to keep in mind the massive downstream and peripheral effects of these attacks.”
Rosch elaborated, discussing the ripple effect of cyberattacks in the context of what he’s seen during hospital walkthroughs. “One of the things I took away is how they kind of operate on the edge, right? They get together every morning and say, how many beds are open today? How many people have to leave so we can make room for the new people? There's so much operating on the edge without a huge amount of slack in the system. So, you can see how one hospital having a problem is going to ripple out because there’s no extra capacity.”
How internal threats endanger patient safety
But hackers aren’t the only threat to data security in healthcare. Sometimes the threat comes from inside the system, whether by an employee’s deliberate act, or simple human error.
Dr. Kelly cited a recent Verizon report that found 35% of healthcare breaches can be attributed to insider threats. Even an accidental mistake can lead to HIPAA violations, financial losses, reputational damage, operational disruptions, and increased risk to patient safety.
One of the major internal threats seen in recent years is drug diversion. Dr. Kelly spoke about how the effects of the opioid crisis can be seen among clinicians as well as patients. “Sometimes workers fall victim to this, and they manipulate the different digital systems to pull medicines, but not necessarily to give them to the patient. Or somewhere in that supply chain, they're able to take some medicines out to use or potentially divert and sell them.”
If a hospital doesn’t have software that detects issues such as inventory discrepancies, excessive medication waste, or anomalous behavior by healthcare workers, then there’s no safeguard to prevent drug diversion. Hospitals face increased morbidity, mortality, regulatory liabilities, financial losses, and reputational damage.
He went on to describe how identity and access management solutions aren’t just about blocking access, but also allowing convenient access to those who need it. “I'm an ER doctor, and I need access to a lot of charts at a lot of different times. But I should have a treating relationship with that patient in order to do that… now, with rules engines and machine learning and AI, there's a lot of capability that allows the people who really do need access to get in to do their work with ease. And it blocks down aberrant behavior because the data and analytics can help sniff that out and prevent it, even in the moment.”
Third party cyberthreats
In addition to cybercriminals and internal threats, third-party vendors also present a threat to healthcare organizations. At the same time, those vendors are essential to hospital functions.
“There are hundreds, if not thousands, of third parties that need to get in and help monitor systems,” Dr. Kelly said. “EHR vendors, device vendors, the Internet of Things – all these things are digital now… and they require care and feeding and maintenance – not just from within, but from third parties.”
The good news? With third-party access management and secure remote support, the spear-phishing and social engineering tactics of hackers simply can’t pay off – because the vendor or customer never actually knows the password.
“Once that recorded session is over,” Dr. Kelly said, “they're out, and nobody else could ever get in using that same mechanism.”
Balancing efficiency and security in identity and access management
Ultimately, the heart of what clinicians do for patients in the digital age is all about access. On the one hand, they need convenient access to do their jobs. On the other, healthcare needs strong cybersecurity to avoid disaster. Without the right security solutions, this conflict can lead to unsafe actions by clinicians.
Dr. Kelly explained, “If I have to manage twenty passwords and I'm always forgetting them… I do workarounds. Right? I put them on Post-its under my computer. I share them with my friends. I leave the systems open because I know it'll take me a long time to get back in. So inherently, I would say there's a collision of workflow and security.”
Mitigating cyberthreats with identity and access management
But there are powerful identity and access management solutions that manage this collision effectively.
As Dr. Kelly said, “For us, and for a lot of the industry, it's all about identity. If you know who's coming in, what role they are, what they need to do, when they're doing it, why they're doing it, you can grant that access.”
Sometimes this can be password-based, but also, “you can mix and match modalities such as biometrics, facial and fingerprint, low energy Bluetooth awareness and proximity, pass keys. There are a lot of different ways to mix and match these events, so that if you really understand identity, you can provide access to the right players at the right time, so doctors, nurses, and administrators can get in and do their jobs effectively.”
“It's all about workflow,” Dr. Kelly said. “If you respect the workflow and you respect the security, the idea is, you don't force places to choose between one or the other. You deliver more of both.”
Check out the recording of this event to hear more, or dive in deeper with our whitepaper, Rising data breaches in healthcare: Protect yourself against vendor and third-party attacks.