By Mark Tosczak
On Oct. 8, 2017, a computer was stolen from a UNC dermatology practice in Burlington; on its hard drive were medical records for some 24,000 patients.
A few days later, Pinehurst-based FirstHealth of the Carolinas shut down many of its computer systems for two weeks as technicians battled a ransomware virus designed to lock people out of their computers.
In February, a Wilmington eye doctor and a Durham dental surgeon had their office computer systems attacked by malware.
Those are just some of the dozens of such instances where North Carolina health care providers have been attacked by cybercriminals, or patient records have gone missing.
Over the last five years, more than 385,000 patient records in North Carolina have been exposed in more than 40 cybersecurity incidents. While federal laws require attacks involving 500 or more patient records to be disclosed, smaller breaches and other types of cyber attacks aren’t always made public.
Health care IT experts say these incidents are part of a constant digital skirmish taking place across computer networks as criminals, terrorists, “hacktivists” and sometimes even foreign nations attempt to access patient records and employee information and, sometimes, even hack into medical devices.
When, not if
“If there is a trend, the bad guys are winning,” said Ernie Hood, a former health system CIO who’s now senior director, research for Advisory Board, a Washington, D.C.-based health care consultancy.
In North Carolina, organizations of every size and type have been attacked – hospitals and physician practices, government agencies, insurance companies and even non-health care businesses that deal with medical information.
Robin Lang, chief information officer at CaroMont Health in Gaston, says when she talks to her hospital’s board of directors about cybersecurity threats she uses the word “when,” not “if.”
“We’re secure right now,” Lang said, and then added quickly, “We don’t know what might be released from the government — here’s an exposure, a vulnerability.”
For Lang and her staff, and for her counterparts across the state, security is a constant preoccupation.
“This is not making widgets,” Lang says. “People’s lives depend on it. [Operating rooms] need to run, emergency rooms need to run.”
Jon Sternstein, a Raleigh-based IT security consultant who works with health care companies, says the health care industry is behind other industries, such as financial services, that have been targeted by cybercriminals.
“[It’s] a little bit easier to infect health care organizations than some other organizations, such as financial organizations,” he said. “Only recently have health care organizations realized they were a target as well.”
In early February, on a Sunday, Durham endodontist Dr. Linda Levin’s office computers were infected with malware that encrypted all her data, making it impossible for her to access patient records.
“We had to cancel patients for the day since we had to wait for our backups to restore our records,” she said in an email. “We lost a day of income, had to replace a computer, and we had to analyze all of our computers to remove corrupted software.”
Levin said in the wake of the incident her practice is changing how it stores some of its larger radiographic studies and is also hiring new IT consultants with more security expertise.
Levin was relatively lucky. She had backups and was able to recover almost all of her data except for a few patient X-rays.
In many cases, viruses that encrypt computer records are part of a ransomware scheme. Targeted businesses find they can’t access their data and the malware directs them to pay a ransom in order to unlock the data.
Greenfield, Ind.-based Hancock Health was targeted by a ransomware attack Jan. 11. Attackers gained access through a hospital vendor’s administrative account at night and injected malware called SamSam, according to Becker’s Hospital Review.
Hospital officials opted to pay $55,000 in bitcoin to the attackers to recover access to their data.
FirstHealth, based in Pinehurst, was forced to shut down some of its IT systems for as long as two weeks in October when, according to media reports, ransomware known as WannaCry hit that health system. FirstHealth did not respond to inquiries from North Carolina Health News.
Lang, at CaroMont, says she and her staff worry constantly about known and unknown threats. Health care providers must comply with a variety of regulations and legal obligations to protect patient medical records, private employee information and information related to banking, payroll and other services.
“All of these keep us up at night worrying about what’s next,” she says. “Someone’s knocking on the door all the time, trying to come in.”
Knocking on the door is a good metaphor. Attackers will often work to get their software running inside a hospital network, where it scans for vulnerable devices.
Hood, from the Advisory Board, said he’s heard of a couple of instances where attackers exploited medical devices running Windows XP, an older version of the operating system software. The attackers got malware onto the hospital network, where it scanned for potentially vulnerable devices attached to the network.
The malware detected medical devices running Windows XP and exploited a vulnerability in that operating system to load additional malware onto those devices. That software “unwrapped” more dangerous malware and used the medical devices as staging platforms to attack other systems.
Hospital IT officials, Hood said, had turned off the setting in their anti-malware software that monitored for Windows XP vulnerabilities, because they didn’t realize they had any devices running the outdated software. Microsoft stopped supporting Windows XP in 2014. But it still runs on some medical devices.
Hood and others say that medical device manufacturers and the FDA are making efforts to secure medical devices, which are regarded as potential vulnerabilities in hospitals filled with more and more devices connected through computer networks.
In 2015, a security researcher announced he had discovered a way to hack drug infusion pumps that could allow an attacker to send a fatal dose of a drug to a patient. In 2016, European researchers announced they’d found ways to hack into cardioverter defibrillators — a type of pacemaker which gives a stopped heart a jolt to restart it.
Medical devices, as part of the “Internet of things,” are a high priority for cybersecurity specialists.
“We have been spending a lot of effort and focusing on what to do about these things,” said Ed Brown, director of technology at CaroMont. “We’re doing everything we can possibly do with those devices, short of taking them off the network … and in some cases we’re doing just that, we’re taking them off the network.”
Besides technology, security experts say many problems can be prevented by better training and making health care workers more security conscious.
“I’d say the easiest avenue into any organization for an intruder is usually targeting your employees and sending them phishing emails,” said Sternstein, the Raleigh security consultant. “You have to educate people.”
But health care organizations are doing more than that. Increasingly, cybersecurity is becoming an issue hospital boards are watching. Providers are buying cybersecurity insurance, which can help offset some of the costs associated with attacks.
A 2017 study from IBM and Ponemon found that the average cost of a data breach for health care organizations was $380 per record — higher than any other industry. That means if an organization had 1,000 patient records exposed in a breach, it would cost $380,000 to respond — funds that could cover everything from technology costs to purchasing credit monitoring services for affected individuals.
Health care organizations are also dedicating funds and people to focus on security issues. Asheville-based Mission Health partnered with Montreat College to help educate future cybersecurity specialists. In 2016, for example, it gave the college $25,000 to help build a security operations center at the college where students can get experience.
Experts say that threats to health care cybersecurity will continue to be a major issue for the foreseeable future. That’s a particular challenge for small providers, which don’t have the staff or money that hospitals can muster.
“I would advise anyone to ask their IT people how their system is protected, how it is backed up and to where,” Levin, the endodontist, advised. “Ask them which security system they use and how often it scans and which kinds of threats it can intercept or block. I made assumptions that my IT folks had proper security and backups but I did not ask specific questions.
“I learned a hard lesson.”