BOSTON — On the day before the July 4 holiday weekend, Mount Auburn Hospital’s information technology team identified some unusual activity. Alarmed, they quickly took steps to disconnect the Cambridge hospital’s computer system from the internet. They switched to backup manual procedures instead of automatic ones.
No patient data was compromised, and the Harvard-affiliated hospital continued its normal operations, according to hospital officials.
Such attempted attacks are a daily – if not hourly – occurrence at America’s hospitals. And they don’t always end as well as Mount Auburn’s did.
More than 80% of medical practices have been the victims of cyberattacks, according to a national survey. Over half reported patient safety concerns from the hacks, and 20% said that their business had been interrupted for more than five hours.
“That can be the difference between life and death,” said Wendi Whitmore, a cybersecurity expert and vice president of IBM X-Force, a commercial security research team.
And the situation has only gotten worse during the months-long coronavirus pandemic, as more employees switched to working from home, and medical facilities were cash-strapped and stretched thin because of COVID-19.
Between March and April, IBM saw a 6,000% increase in spam attacks on information technology systems, leveraging COVID-19, many of them at health care facilities, Whitmore said, describing the situation as a continuous “cat and mouse” game between criminals and institutions.
Whitmore said there’s been a huge increase in security incidents in recent months, climbing about 75% in North America and 125% in Europe and the Middle East.
Seattle Children’s, for instance, saw a doubling of attempted hacking attacks in March, specifically phishing emails, hunting for someone on the staff who would click on a malicious link and allow malware into the health system’s network, said Gary Gooden, chief information security officer at the Washington-based health system.
The reason: Hackers can make a lot of money. Globally, cybercrime adds up to billions of dollars a year, Gooden said.
Stealing a credit card number might be useful for only a day or two, until the person realizes it and cancels their card. But an electronic medical record is far more valuable.
The FBI reported in 2014 that a stolen credit card or even social security number was worth just $1 on the black market, while an electronic health record would fetch about $50 – $1,000 if it belonged to a celebrity or public figure.
Electronic health records, according to the FBI report, can “be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft.” Health record theft also is more difficult to detect, taking almost twice as long to recognize as normal identity theft, the report found.
Stealing a newborn or toddler’s electronic health record is even more prized, Gooden said, because thieves are rarely caught. “You have a free run for 18 years to utilize these personas.” They also try to steal the identities of children who die at the hospital, hoping they won’t get caught, he said.
Phishing attacks a favorite tactic
Cyber criminals are particularly fond of phishing attacks that entice people to click on email links that provide the thief access to their computer networks. Corporate email protections can identify and remove nearly all potentially malicious emails before a user within the health care system ever sees them, Gooden said. But for the final few, the vigilance of employees remains crucial.
The lures for getting people to open these spam emails have evolved over the course of the pandemic, said Ryan Witt, managing director at Proofpoint, a technology security company based in Sunnyvale, California.
In February, he said, most of the phishing attempts provided basic information about the coronavirus, often by impersonating health authorities. At the height of the early pandemic in March, the emails offered access to face masks or other personal protective gear. “We found a source of equipment for you!” was a typical offer.
Then in April, these tempting emails offered advice on how to get stimulus funding checks. Lately, they’ve shifted yet again, he said, and now the focus is on “getting first in line for a vaccine” – though one doesn’t yet exist.
Typically, there’s a seasonality to cyber-attacks, with more coming during traditional vacation times, when criminals assume defenses are lowered and staff is reduced, said Colin Zick, a partner and co-chair of the privacy and data security practice at Foley Hoag, a Boston-based law firm.
He expects phishing attacks to go up in September, if people return to their offices after working from home.
“Another change in workflow,” Zick said. “It’s the perfect opportunity for someone to send a phishing email, that says ‘I’m still out, but I want you to do this.’”
Cybersafety requires eternal vigilance
To protect against these ever-changing approaches, Gooden said, hospitals and medical facilities “have to constantly pivot and stay ahead of the curve in terms of technology and practices.”
Whitmore agrees. She advises institutions to require multi-factor authentication – using a cellphone to corroborate a person’s identity – warn staff about spam, back up their most critical information offline, and encrypt patient information.
“It’s about installing a series of tripwires that allow organizations to detect when there are attacks against their environment,” she said. “That buys us time.”
But every medical institution is vulnerable.
“You have to be eternally vigilant,” Zick said. “As long as we’ve got an open internet that is highly unregulated, that’s the downside.”
There’s not much an individual can do to protect their own medical information, Zick and others said, except trust their health care providers to do it for them.
Zick requests his medical file periodically to ensure he has access to his own records if they were ever lost for good. And he said if he saw a provider acting carelessly with his data – such as not using two-factor authentication – he would offer them some free advice.
Hacker ransom demands skyrocketing
On June 3, information technology staff at the University of California San Francisco realized that their network’s security had been breached two days earlier. They quarantined several IT systems within the School of Medicine as a safety measure, and isolated the activity from the UCSF network, according to a statement from the university.
Patient care remained unaffected, the school said, but the attackers launched malware that encrypted a few servers within the School of Medicine, “making them temporarily inaccessible.”
The university paid less than half the demanded ransom – about $1.14 million – in exchange for the stolen data. The FBI is investigating.
Just a few years ago, criminals were asking for $1,200, Whitmore said, but “now we’re seeing ransomware demands ranging from $10,000 to $25 million.” Attackers do release ransomed data when paid, because otherwise organizations would stop paying, but once the criminals access a computer system they may leave behind the means to do it again.
Large institutions are getting more sophisticated at protecting themselves, Whitmore and others said. But they may still be vulnerable when one of their suppliers or, say, a small specialty medical clinic, is hacked. If the computer systems are linked, the criminals can try to access the bigger facility through the smaller one.
“Your security is only as good as your collective security,” said Dr. Titus Schleyer, a professor of biomedical informatics at the Indiana University School of Medicine and a research scientist at the Regenstrief Institute, a research organization in Indianapolis. “If you have a weak partner … all your security doesn’t help you.”
Zick said the “sweet spot” is mid-sized medical practices that have tens of thousands of health records, but aren’t big enough to hire dedicated IT staff to protect the data.
Cash and information are cybertargets
Cybercriminals range from those who “have no idea what they’re doing,” to sophisticated rings of computer scientists, often from the former Eastern Bloc countries, Schleyer said.
Most attacks are aimed at getting money. But some, backed by countries like Russia and China, as well as many others, are looking for information – perhaps the results of a clinical trial for a new COVID-19 therapy, or candidate vaccine.
“You do have government actors in the hacking space, no question about it,” Schleyer said, adding that he did not know of any specific attempts to get COVID-related information.
Zick said he expects China and Russia will be looking for information, ideally without the victims knowing they’ve been spied on. More ransomware tends to originate from North Korea and Eastern Europe, he said, where hackers don’t care about the information, only the money it can yield.
Going forward, what cyber security experts worry about the most is quantum computing, Schleyer said. Quantum computers, which operate differently than classic ones, will be able to decode current protective systems.
“We need to be ready for that moment,” Schleyer said. “That’ll upset IT around the world when that happens.”
Health and patient safety coverage at USA TODAY is made possible in part by a grant from the Masimo Foundation for Ethics, Innovation and Competition in Healthcare. The Masimo Foundation does not provide editorial input.