Cybersecurity Best Practices for Healthcare Companies
The recent global ransomware attack is a reminder of the growing threat of cybercrime to businesses, particularly those in the healthcare industry. Learn how to protect your company’s digital assets.
Now more than ever, cybersecurity should be a top priority for companies across all industries. The massive global ransomware attack that began May 12—dubbed WannaCry and estimated to have affected more than 200,000 computers in at least 150 countries—is the most recent reminder of the serious financial and operational consequences when digital assets are compromised.
Historically, the financial services industry has been targeted more than others by cybersecurity threats, including distributed denial of service, malware, brute-force network attacks and spear phishing. However, with more and more cyberthieves entering the trade, and an entire underground community supplying them with the tools they need, many more industries are seeing increases in cybersecurity incidents.
While WannaCry hit governments, universities and companies in sectors like telecom and logistics, some of the most notable disruptions were felt by hospitals, particularly the United Kingdom’s National Health Service (NHS). The incident underscores how, unless the healthcare industry implements stronger internal controls, cybersecurity—particularly measures that guard against ransomware—may no longer be just a matter of protecting health information, but also patient safety.
A Growing Threat
Ransomware is malicious software that can restrict access to a digital device or system—whether a smartphone, laptop or entire computer network—until the owner of the system pays a sum of money (the ransom).
According to BitSight data, the rate of ransomware infections in healthcare organizations has nearly doubled in the past year, and ransomware accounted for 88 percent of all detections during the second quarter of 2016, according to a Solutionary study.
Because of the nature of the data affected, ransomware is a particularly effective cybersecurity threat for the healthcare industry. Client records are sensitive, and lives may depend on them should they become encrypted by ransomware and held hostage.
In the WannaCry cyber attack, 61 NHS organizations across England and Scotland were blocked from accessing patient data and were prompted to pay relatively small bitcoin ransoms of $300 or more to unlock each computer. Given the worldwide volume of computers infected, the total payday for the perpetrators could number in the hundreds of millions of dollars. Aside from the financial toll, NHS hospitals and clinics had to cancel patient appointments, and some even had to redirect ambulances to other healthcare centers for treatment.
In another recent ransomware attack, a Los Angeles hospital was reportedly asked to pay $3.6 million to reclaim patient information that was captured in a ransomware attack. The hospital subsequently confirmed in a statement that it paid a ransom in order to return the network to working order. The FBI does not support paying a ransom in response to a ransomware attack, believing payments are not always successful and that they embolden criminals to continue. Instead, the FBI recommends focusing on employee awareness programs and technical prevention efforts, as well as solid business continuity plans, to help fight cyber threats.
When the healthcare industry suffers a hit, it's often with bigger financial implications, according to a 2015 Net Diligence Cyber Claims study, which found that the average total claim for a breach in the healthcare sector was $1.3 million as compared to $673,767 across all industries.
Losses in the healthcare industry are significantly larger than the overall average of all business sectors because health information can be used by criminals to commit multiple types of fraud or identity theft.
Protecting your company’s and your customers’ data from the increasing threat landscape, including ransomware, requires a layered approach. It starts with how ransomware enters the company, which is typically via the end user. Education and strong end-user controls therefore form the first layer of defense. Next, the company should have robust detection and response processes. Finally, it needs a modernized backup and recovery process that accounts for ransomware.
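The detection layer described above has to notice ransomware early, ideally while it is still encrypting. One common signal is a single workstation renaming many files to a new extension in a short burst. The following Python script is an added example, not code from the original article or from JPMC; it runs over constructed file-share audit lines in a hypothetical format (ISO timestamp, host, user, action, path, and for renames the new path) and flags any host/user pair that renames more than a threshold of distinct files with a changed extension inside a sliding window. The thresholds, the log format, the host names and the `.locked` extension are all assumptions chosen for the example.

```python
"""Flag mass-rename bursts in file-share audit logs (a common ransomware signature).

Added example; log format, hosts, users and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

RENAME_THRESHOLD = 25            # distinct files renamed with a new extension ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window trips an alert


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    path: str
    new_path: str = ""


def parse_line(line: str) -> Event:
    """Parse one audit line: '<iso-time> <host> <user> <ACTION> <path>[ -> <new path>]'."""
    ts, host, user, action, rest = line.split(maxsplit=4)
    path, _, new_path = rest.partition(" -> ")
    return Event(datetime.fromisoformat(ts), host, user, action, path, new_path)


def extension_changed(old: str, new: str) -> bool:
    """True when the rename changes the file's extension (moving between folders does not)."""
    return old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]


def detect_mass_rename(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return one (host, user, first_rename_time, file_count) alert per actor over the threshold."""
    windows: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Tuple[str, str, str, int]] = []
    already_alerted = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.action != "RENAME" or not extension_changed(ev.path, ev.new_path):
            continue
        key = (ev.host, ev.user)
        window = windows[key]
        window.append((ev.ts, ev.path))
        # Drop renames that fell out of the sliding window.
        while window and ev.ts - window[0][0] > WINDOW:
            window.popleft()
        distinct_files = {path for _, path in window}
        if len(distinct_files) >= RENAME_THRESHOLD and key not in already_alerted:
            already_alerted.add(key)
            alerts.append((ev.host, ev.user, window[0][0].isoformat(), len(distinct_files)))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed audit lines: benign activity on ws-17, then a rename burst on ws-42."""
    base = datetime(2017, 5, 12, 8, 0, 0)
    lines = []
    # Benign: a radiologist saving a few scans.
    for i in range(5):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ws-17 alice WRITE /shares/radiology/scan-{i:03}.dcm")
    # Benign: a rename that keeps the extension (archiving a scan) must not trip the rule.
    t = base + timedelta(seconds=10)
    lines.append(f"{t.isoformat()} ws-17 alice RENAME /shares/radiology/scan-000.dcm"
                 f" -> /shares/radiology/archive/scan-000.dcm")
    # Suspicious: 40 patient files get a new extension within 20 seconds from one workstation.
    for i in range(40):
        t = base + timedelta(seconds=30 + i // 2)
        lines.append(f"{t.isoformat()} ws-42 bob RENAME /shares/records/patient-{i:04}.pdf"
                     f" -> /shares/records/patient-{i:04}.pdf.locked")
    return lines


if __name__ == "__main__":
    for host, user, first_seen, count in detect_mass_rename(build_sample_log()):
        print(f"ALERT {host}/{user}: {count} files re-extensioned since {first_seen}")
```

The alert fires as soon as the 25th distinct file is renamed, not after the burst ends, which is the property a response process needs if it is to isolate the workstation before the rest of the share is encrypted. In production the same logic would consume audit events from the file server or EDR agent rather than a constructed list, and the threshold would be tuned against a baseline of legitimate bulk renames (archive jobs, migrations) to keep false positives down.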
The Critical Nature of Healthcare Data
The healthcare industry is the sector most frequently breached (at 21 percent), according to the 2015 Net Diligence Cyber Claims study.
Ransomware has the potential for great impact on human life, and thus is seen as a bigger threat in the healthcare industry than in other sectors. Healthcare providers collect, store and share patient data as well as information that can be used to conduct emergency room procedures, lab work, CT scans and pharmacy services.
Ransomware can cause operations to stop, which may delay treatment and interrupt critical processes. And that’s just in the first 24 hours of the data being held for ransom. Although the WannaCry program had a five to seven day countdown timer, most ransomware has a 24-hour timer, and if the ransom isn’t paid in that time, the data being held is effectively destroyed. This poses an entirely more complex problem: restoring terabytes of data quickly enough to adequately care for patients.
Applying the Lessons of Wall Street
Industries can learn a lot about cybersecurity best practices from one another. For example, the healthcare industry could follow the example set by the financial services industry—which is also highly regulated and committed to protecting customer information—and its robust third-party oversight programs.
The SEC announced an initiative in April 2016 to assess the cybersecurity preparedness of the securities industry by examining more than 50 registered investment advisors and broker dealers. As a result, hedge fund managers, brokers, advisors and asset managers operate their practices within a heightened regulatory environment that requires greater protection of personal information, stronger system controls and more robust governance—and at a faster rate.
The processes and protocols that healthcare companies can adopt from financial firms include being more diligent about user training, timely system patching, updating anti-virus software, shortening incident response time and tracking asset management. The WannaCry ransomware program, for example, exploited a network vulnerability that could have been resolved with a patch that was released more than a month before the cyber attack.
Both financial services and healthcare have leaned heavily on digital technology. However, the financial industry has more rapidly embraced the use, integration and rationalization of its data. In this respect, healthcare may be years behind in maturity.
At a minimum, the internal controls that healthcare firms should consider putting in place include a written security policy that addresses data breach preparedness, a process of periodic risk assessment for changes in a company's privacy and security environment, and the ability to work with forensic organizations in the event of a breach.
Whether your firm stores client financial data or medical information, internal controls should be robust.
J.P. Morgan and Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (JPMC). Any example of cyber or other fraud or loss in this material is for illustrative purposes only; any similarity to any actual event or person is unintended and unfounded. This document was prepared exclusively for the benefit and internal use of the party to whom it is delivered (each, a “Recipient”). The content is not intended as, nor shall be deemed to constitute or contain, advice on which the Recipient may rely; does not constitute in any way JPMC research, and should not be treated as such; and is confidential and proprietary to JPMC. The content may not be copied, published, disclosed or used, in whole or in part, for any purpose other than as expressly authorized by JPMC. This document is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The Recipient is responsible for determining how to best protect itself against cyber threats and for selecting the cybersecurity best practices that are most appropriate to its needs. JPMC assumes no responsibility or liability whatsoever to any person in respect of such matters, and nothing within this document shall amend or override the terms and conditions in the agreement(s) between JPMC and the Recipient. ©2017 JPMorgan Chase & Co. All Rights Reserved.