Hospital Digital Tools Increase Risk of Cyberattack-The HSB Blog 02 22 21
Hospital Digital Tools Increase Risk of Cyberattack
Our Take: Hospital cybersecurity controls need to be stronger. Early last year as the COVID pandemic started, hospital cyberspace gained vulnerability as healthcare workers went remote and cross-border licensure rules were eased to deal with the pandemic. While government and private hospitals were warned of an increased risk of ransomware attacks, according to a report from Check Point Software Technologies , there was a 45% increase in cyber attacks targeting global health care organizations from the beginning of November 2020 through the end of the year. These cyberattacks did not just impact their primary targets (hospitals) but also impacted their patients given the breach of patient data, confidentiality and research. While cybersecurity controls in hospitals are high priority, healthcare organizations need to be even more vigilant and agile in taking precautionary measures to safeguard themselves and their data from attacks.
Description: For some time, cybercriminals have seen medical providers and hospitals as fruitful sites for hacking given the broad amount of personal information they maintain on patients. Given clinicians' need for immediate access to patient data during the pandemic, data, applications, and systems may become even more targeted due to potential lapses in normal security measures. For example, due to the global shortage of ventilators during the pandemic, public health agencies undertook emergency procurement efforts to obtain them. However, given the urgency of the situation, they may have exposed organizations to security break ins or potentially exposed sensitive data since many devices went unchecked for any ePHI that had already been stored on them. In addition, the dramatic increase in the use of telehealth caused a similarly dramatic increase in the number of potential exposure points for providers. According to a study published in the JAMA Network, reported telemedicine services grew by more than 1000% in March and more than 4000% in April of 2020. As the reliance on healthcare technology has increased, so has the risk with U.S. healthcare data breaches increasing 14% in 2020, compared to 2019. Among the forms of malware used for these cybercrimes the most common were worms (a type of computer software that spreads copies of itself from computer to computer and can replicate itself without any human interaction); a rootkit (typically malicious, designed to give a person or computer access to software or a portion of a system to which it normally wouldn’t be allowed), and rogue security software such as ransomware (software that affects an infected computer system in some way, and demands payment to bring it back to its normal state). Due to the life and death nature of hospitals work hackers use malware to target the most critical parts of the organizations in order to give them a higher chance of getting paid. According to a report on CBS News, during September ransomware attacks targeting U.S. hospitals, ransom demands went well above $10million per target, and criminals on the dark web were reported to be discussing plans to attempt to infect more than 400 hospitals, clinics, and other medical facilities. Healthcare organizations can be infected in many ways but three very common methods include: 1) phishing emails where a malicious link or attachment infects the computer systems; 2) weak infrastructure/ legacy systems- in general, many systems fail to install security patches and available updates, and, 3) misappropriated vendor/supplier credentials, security credentials that are stolen by vendors/suppliers or their employees that can provide physical access as well as access credentials for technological systems and data repositories..
Implications: With the increase in cybercrimes targeted at the healthcare system, healthcare systems need to take critical actions to safeguard themselves. As the old saying goes, “an ounce of prevention is worth a pound of cure”, 1) It’s better to invest in cybersecurity than to have to pay the ransom after a breach in the system. Stay on high alert for certain types of malware and have playbooks for different types of attacks using tabletop exercises; 2) Establish an anti-phishing strategy, which includes training employees to recognize malicious emails and sites or use email systems with integrated anti-phishing solutions.; 3) Use two-factor authentication where possible and have unique passwords for different services; 4) Make sure automatic system updates and patching is performed routinely, and deploy ransomware protection as well as antivirus systems; 5) Actively scan each new medical device added to your network making sure the device is input into the hospital’s inventory system and restored to the manufacturers default settings to prevent the release of any PHI that might be stored on the device. With the rapidly growing dependence on healthcare technology and virtual platforms, cybersecurity threats will only continue to increase. As healthcare systems more broadly deploy technology in clinical medicine healthcare providers, government bodies, and regulatory experts must ensure that all aspects of patient safety, data protection, and privacy, are the highest priority.
“Cybersecurity Forecasts for 2021: The Good, Bad and Ugly in Healthcare” (HIMSS NY Webinar);FBI Warns of "Imminent" Ransomware Attacks on Hospital Systems; 10 Quick Cybersecurity Tips for Hospitals in the Midst of COVID-19
Pattern Health Collects $1.5M to Scale Platform for Increased Adoption
Event: On February 16th, a report in the Triangle Business Journal stated that Pattern Health had raised $1.5 million to increase growth particularly in marketing, sales and engineering. Founded in 2016 by CEO Ed Barber, Pattern Health is a user-friendly way to research, develop and validate new and novel digital health programs. Cofounders Capital and The Launch Pad, provided the funds.
Description: According to the firm, Pattern Health’s no code platform enables researchers and clinicians to create and deploy their digital tools, including condition specific digital health programs, rapidly and efficiently. In addition, Pattern’s tools allow organizations to collect data more rapidly, validate evidence and “when appropriate translate programs into real-world, highly scalable solutions.” The company states that it’s turn-key connected care platforms promise faster, more scalable and economic innovation than custom developed mobile health apps given the lack of development costs (which average over $400K), dramatically quicker development time (which can take from 12-24 months) and potential to share costs.
Implications: The ability to develop and deploy evidence-based digital tools rapidly will be key to monitoring, assessing and eventually improving the care of populations in the near-future. As demonstrated by the Coronavirus, healthcare tools which provide the flexibility and agility to respond to health crises will prove invaluable in an ever more interconnected and global world. In addition, the ability to easily customize tools based on patterns of care and validated by evidence of their ability to motivate behavior change and promote adherence should allow the providers and payers the ability to design applications for specific patient populations, thereby improving adherence. Despite the labyrinth of data privacy and security laws and regulations as well as all the never-ending complexity of healthcare IT environments, healthcare needs to find a way to make digital tools much more user friendly, consumer oriented and responsive to the market.
Backed by Big Hospitals, a Former Microsoft Executive Wades into the Messy Business of Selling Patient Data
Event: On February 17th, STAT+ published an article highlighting a new for-profit venture named Truveta that aggregates and sells de-identified patient data and will be used to create new medical devices and treatments to tackle ongoing issues like COVID and cancer. The company is led by former Microsoft software engineer Terry Myerson, CEO and was formed by a partnership of 14 U.S. health systems
Description: Truveta aims to bring scientific integrity and health inequities to the forefront by adding de-identified patient data to train artificial intelligence tools. Truveta will function as a public utility, parsing out data from electronic medical records. The company's goal is to use the data to benefit patients by providing solutions to public health problems and building research datasets representative of a diverse population. Data will be stored with a third-party cloud provider, and health providers will maintain control of how data is used and what the use cases are. Myerson and executives at hospitals investing in Truveta explained that patient data used from electronic medical records would be carefully stripped of its identifiers, as required by HIPAA. Moreover, Truveta will use the data for "ethical" research projects, not for advertising. Health data experts concluded that several important decisions would determine Truveta's success or failure, including: (1) which entities will Truveta share data with? (2) how much will it charge? (3) how will it interact, if at all, with patients whose data is being used to power research products and the products derived from them?
Implications: The article noted that "patient data is a commodity that can be bought and sold," which has and continues to be an issue for providers, payers and patients. Stakeholders consider patient data as something owned by the individual, who has the inherent right to direct how it is being used. Loss of control over patient data is dangerous and can lead to a loss of privacy, discrimination, and many other problems. Although Truveta is using de-identified data, pieces of information could be used to re-identify patients by those who have malicious motives. The most ethical way to utilize patient data to improve outcomes is to be transparent with patients and ask for their consent in sharing the data. Conversely, because Truveta is a for-profit entity, there is a potential that the lure of money could lead one to stray from the path of the highest ethical standards. As such they must ensure that standards are updated regularly, data privacy controls and de identification methods are routinely tested for weakness and that all policies and procedures are subjected to regular internal and external audits.
The Coronavirus is Here to Stay - Here’s What That Means
Event: On February 16th the journal Nature published an article that attempts to envision what life will look like in the future as the Coronavirus continues to linger throughout the population. According to the article, despite the discovery of many vaccines, scientists think the virus will continue to exist in certain regions but will eventually be classified as endemic (instead of a pandemic), if several important measures are adopted. Although it is difficult to make concrete predictions at this time, telemedicine, vaccination, and herd immunity are key essentials that will be needed to return to some form of normalcy in the future.
Description: Given the dramatic impact that COVID has had on human life, as well as the recent discovery of several vaccines to help eradicate it, Nature asked 100 immunologists, infectious disease researchers, and virologists who have worked with the Virus whether it could be completely eradicated. Ninety percent of those asked do not think so. According to the article, over time, these researchers believe the virus will transition from a pandemic (an epidemic that spreads over multiple countries) into an endemic (a disease that belongs to a particular person or country and which can have a constant presence in a particular location). For example, while select areas of the world such as Western Australia, have been coronavirus free for this past year, this was only achieved through heavy restrictions on travel and imposing lockdowns at any point when case counts rose. Although this may seem like the best alternative, many scientists do not think this is likely or sustainable. When considering the impact of vaccines, many countries have begun distribution and expect to see a reduction in severe illness, but the vaccines’s longer term impact still needs to be understood. Unfortunately, it will take longer to see how effectively vaccines can reduce transmission of the virus from person to person. Although early data from clinical trials have suggested that the vaccines that prevent symptomatic infection might also prevent asymptomatic people from passing on the virus, which is essential to protect the entire population, the data is not conclusive. Although distribution is in full swing, scientists are heavily considering additional steps needed to completely experience some relief.
Implications: As noted in the article, there are many things that need to occur to transform this pandemic into an endemic. First, there needs to be a reduction in transmission through vaccination. Once vaccinated, individuals will both build antibodies to fight off future infection but also contribute to the development of herd immunity from this virus. In addition, researchers must closely monitor the wild animal population to ensure that the virus does not establish itself in wild animals. According to the article, several diseases once thought to be brought under control, such as yellow fever, Ebola, and chikungunya virus, persist because animal reservoirs, such as insects, provide opportunities for pathogens to spill back into people. Lastly, the use of technology to continue to track and monitor individuals is needed. Through the tracking of any symptoms such as a rise in body temperature, cough, chills, etc., people will be more attuned to the signs of COVID and can quarantine. This will help diminish the spread of the virus to outside populations. If other regions, aided by these factors, aimed for a similar zero COVID strategy, then the world may rid itself of the virus. In the meantime, the key to transforming this pandemic into an endemic is to promote testing, using technological monitoring devices, vaccination, and herd immunity.
Addressing Mental Health in the Workplace in 2021: Three Ways to Give Support
Event: A recent article on the MarketingProfs website, addressed the need for increased resources and attention to the mental health needs of employees during 2021. The article noted that during the pandemic, millions of workers have faced higher than usual stress on their mental health due to a number of factors. It noted that employers can take an active role in combating stress and improving mental health for their employees.
Description: According to the article, many workers have been met with atypical conditions that strain their mental health during the pandemic, such as having no division between work and living space, needing to provide care for vulnerable relatives, or stepping in to educate their children. The article also highlighted that according to AARP’s 2020 Report on Caregiving, one in four caregivers found it difficult to take care of their own health, and 23% reported that having to provide care for others had made it worse. Employers have a responsibility to take a role in improving the mental health of their employees, and can use their platform within an entity to bring employees together and foster a supportive environment. MarketingProfs, employers can use three approaches to help support employees mental health: 1) Provide tangible mental health resources to workers, which they define as services workers can use such as giving employees free counseling sessions annually, or launching benefits specific to working parents; 2) Invest in workplace mental health training. A 2020 survey by Vyond suggested 45% of employees who are isolated at home want education in mental health strategies from their employers which should include real-world examples of work-related stress management as well as tools to help managers lead their teams in reducing stress; and, 3) Prioritizing ongoing communication, this should include leaders opening up about the individual challenges they are facing and sharing how they are implementing their own wellness routines.
Implications: Moving forward through the pandemic, mental health and wellness should be a primary concern for internal communication from management and leadership. It is essential that employers utilize their resources to take care of their workers to preserve both the productivity and health of their employees. During an international crisis, it is essential that people receive proper support from their workplaces to ensure their health and safety in the future. Moreover, deploying these resources can have practical impacts on employee satisfaction and productivity. According to a Gallup poll, when people feel inspired and motivated, they do more work and the work they do takes less of a toll on their health and energy. Moreover, the same poll also noted that lack of communication from managers was a top 5 reason for burnout, a key driver of turnover.