Jones Memorial Hospital in Upstate New York and Hancock Regional Hospital in Greenfield, Indiana recently became the latest in a growing list of hospitals to suffer an epidemic for which there is no medical cure: Hackers shut down their information systems and held patient data for ransom.
Ransomware attacks on healthcare providers are becoming increasingly common as cybercriminals realize they make easy marks. Hospitals often have lax cybersecurity protocols, stashing sensitive patient health information in shared data repositories that are relatively easy to crack. And the incentive for cybercrime against hospitals is compelling; medical data routinely fetch several times more on the black market than other personal information, such as credit-card numbers.
As a hub for both the cybersecurity and the healthcare-technology industries, the Boston area is home to companies with a unique perspective on the scale of the threat, as well as some of the ways to counter it.
In the spring of 2014, Boston Children’s Hospital was one of the first hospitals specifically targeted by a major cyberattack. It caught the hospital’s chief information officer completely by surprise.
“This was the first time, to our knowledge, that a hospital was targeted with a [denial of service] attack meant to disrupt its operations,” says that CIO, Dr. Daniel Nigrin. “Hindsight is always 20/20, and so I think healthcare as an industry sector was a bit naive, thinking that in some way, we were immune to disruptive attacks like this: ‘Who would attack a hospital, let alone one for children?’ Now we know better.”
Since then, Boston Children’s Hospital has invested more in security technology and staffing, but Nigrin says that more important, there’s a new company culture.
“It’s now a much more central discussion and evaluation point for every initiative we embark on,” he says. “We have focused quite a bit on the education of our entire workforce, from the top on down, of the critical importance of cybersecurity and that it’s everyone’s responsibility — practicing good email hygiene, being aware of social engineering attacks.”
The whole industry has woken up, Nigrin says, with hospitals in Boston and across the nation willing to share their worries about cybersecurity with one another. “That didn’t use to happen,” he says.
Jarman Joerres, cybersecurity specialist and principal at Westford-based MedAcuity Software, agrees that healthcare providers have a new awareness of the challenge facing their industry.
“Ten years ago, hospitals were probably the least aware of the risks in terms of IT of any organization out there,” he says. “Now they’re some of the most, maybe up there with the financial sector.”
There’s now a National Health Information and Analysis Center devoted to sharing knowledge across the industry. In September Massachusetts Governor Charlie Baker announced a new public center that will “connect the cybersecurity ecosystem and train new cybersecurity workers across the Commonwealth.”
The rise of cyberattacks targeting hospitals has also garnered attention from Boston-area cybersecurity firms.
“Many healthcare organizations continue to struggle with cybersecurity fundamentals,” says Mike Viscuso, chief technology officer and co-founder of the Waltham-based cybersecurity company Carbon Black. “Despite the fact that healthcare organizations are increasingly under attack, many continue to use aging or unsupported software.”
Industry leaders are the first to admit that most hospitals are full of equipment running vulnerable software; the worldwide WannaCry attack last year ravaged the British National Health Service, knocking out some CT and MRI machines, in part by exploiting a vulnerability in its outdated Windows XP operating system.
Viscuso says consumers should ask their healthcare providers what they’re doing to protect their patients’ data. While it’s rare for cyberattacks to target individuals for their healthcare data, Viscuso says consumers should use two-factor authentication and practice safe web browsing on any devices that may hold their information, just in case.
Like many cybersecurity experts, Vicusco says he’s increasingly worried about the proliferation of medical devices that may be connected to the internet without proper protection.
“That requires a change in the threat focus from just protecting the network and perimeter to extending protection to endpoints and servers,” he says.
Medical imaging machines like MRIs have already been hit with cyberattacks, and the number of mobile, networked medical devices is growing faster than cybersecurity can keep up. Last year the U.S. Food and Drug Administration approved the recall of nearly 500,000 pacemakers because of cybersecurity concerns, raising the specter of cyber attacks that not only hold hostage patient data but threaten patients’ lives.
George Gray is chief technology officer at North Andover–based Ivenix, a medical-technology company that has developed an infusion system to streamline medication delivery. He says cybersecurity threats for medical-device makers go beyond protecting a patient’s personal data.
“There’s a risk that the hacker could break into the pump, load some malware and then launch subsequent attacks from that device,” Gray says. “Every network-enabled device must put as many layers of protection in place as is feasible to prevent attacks from happening, detect when they do, and be able to respond quickly in an effective and transparent way.”
Boston’s cybersecurity and medical-device companies are eager to sell solutions to that problem. The confluence of those industries in Boston has made the area a prime market for a growing industry, but Dr. Nigrin at Boston Children’s Hospital says it has not made the area’s medical community any less of a target for hackers.
“I don’t think we’re any more or less vulnerable in Boston,” he says. “Although we do have many high-profile organizations that might make for tantalizing targets, we also have larger organizations that tend to have better technology protection and larger teams who implement and use that technology.”