The Worst Healthcare Cybersecurity Breaches of 2017

George Steptoe
DECEMBER 29, 2017

In 2017, a spate of high-profile attacks brought the healthcare industry’s need to strengthen its cybersecurity into sharp focus. Ransomware, like WannaCry and NotPetya, has wreaked havoc in small hospitals and biopharma giants alike, and the vulnerabilities appear widespread and acute, experts said.

The ECRI Institute, a nonprofit research organization, identified ransomware and other cybersecurity threats to healthcare—and the danger they pose to patients—as the top health technology hazard for 2018. A Department of Health and Human Services (HHS) Healthcare Industry Cybersecurity Task Force report to Congress in June found that digital security is in “critical condition.” According to the Protenus Breach Barometer, at least 1 breach occurs in the healthcare sector every day.

Until now, healthcare has “benefited from relative obscurity while no one was paying attention,” said Joshua Corman, a member of the task force and chief security officer at the software company PTC. “WannaCry shattered that obscurity.”

The biggest problems facing healthcare are unique to the field, which also has the highest stakes. “In terms of flesh-and-blood consequences to ransomware and hacking, we are most exposed in hospitals,” Corman said. “It’s almost a miracle that we haven’t had more hospital outages.”

A 2016 Ponemon Institute report noted that data breaches cost the healthcare sector $6.2 billion annually, and attacks remain consistently high in terms of volume, frequency, impact, and price. “New cyber threats, such as ransomware, are exacerbating the problem,” said Larry Ponemon, PhD, the institute’s founder.

Data compiled by the HHS Office for Civil Rights show hundreds of incidents in the past 2 years, affecting tens of millions of individuals. And the problem might be even greater. Lee Kim, JD, director of privacy and security at the Healthcare Information and Management Systems Society, said many security breaches fly under the radar. “There have been a lot of incidents that have created a lot of buzz in the industry, but there’s also a hidden undercurrent of smaller organizations,” Kim said. Low-level security breaches often don’t meet the reporting threshold, and so health systems stay quiet for fear of scaring shareholders, Kim noted.

So what’s keeping healthcare from fortifying its defenses? Security understaffing, a lack of appropriate resources, unnecessary overconnectivity between devices, few means to securely install updates, long-lasting equipment operating on outdated software, and little staff awareness, experts said. A review of the most prolific and largest security incidents of 2017—from WannaCry and NotPetya to targeted attacks and old-fashioned human error—reveals industry-wide trends.

In a massive, high-profile assault this spring, the WannaCry ransomware virus hit 81 British hospitals, leading to thousands of canceled appointments. The virus crippled the United Kingdom’s National Health Service (NHS), causing 19,500 canceled medical appointments; locking the computers of 600 general practitioners; and forcing 5 hospitals to divert ambulances elsewhere, according to a National Audit Office report. The attack “could have been prevented by the NHS following basic IT [information technology] security best practice,” the report said.

As part of a WannaCry wave that also disrupted organizations outside healthcare, 2 multistate hospital systems in the United States faced significant challenges to operations, according to an HHS cyber notice. “The behaviors that have been reported are typical for environments where the WannaCry scanning virus persists, even though the encryption stage has been blocked by antivirus, or is not executing,” HHS wrote.

“If you were hit by WannaCry, you were really doing something very wrong,” said Justin Cappos, PhD, associate professor of systems and security at New York University’s Computer Science and Engineering Department.

In October, a new WannaCry strain caused additional network downtime at FirstHealth of the Carolinas, a hospital system that takes patients from 15 counties. FirstHealth’s information system team shut down the network when it identified the threat. As of last month, it remained down because of “an abundance of caution,” according to the group’s website.

A spokesperson for FirstHealth declined to comment on the network disruption. But the health system noted that the virus did not affect databases or patient or operational information.

“If we found out tonight that there was a new WannaCry strain, in most of those organizations, there would be no qualified person who would know what to do about that,” Corman said. The cybersecurity task force discovered a “severe” lack of security specialists, with 85% of medical organizations—particularly small, medium, and rural hospitals—lacking a single security staffer. “They have more janitors at these hospitals than they do security people,” he said.

The goal of Theresa Meadows, MS, cochair of the cybersecurity task force and senior vice president and chief information officer at Cook Children’s Health Care System, is to add 6000 to 7000 new cybersecurity professionals to the ranks. “All the software won’t help. You need to have people who can spot it,” Meadows said, noting that they could reeducate victims.

But that would take resources. Meadows said the task force wants a federal “Stark exemption” so large providers can provide security services and software at reduced costs to smaller provider partners.

Although hospitals manage many competing priorities, experts said cybersecurity must top the list.
