Rising AI-Driven Cyber Attacks Debilitating Hospitals and ERs
On the morning of November 23, hospitals affiliated with Ardent Health Services experienced what is costing so many ERs and healthcare facilities millions of dollars, trust, and credibility: a ransomware attack. Perhaps it started as an employee trying to access a patient file or a new patient unable to input their insurance information into a client portal, but when an unexpected little screen pops up across Texas and Oklahoma healthcare facilities, demanding money in order to access the locked files, panic sets in. Could it have been prevented? Could it happen to you?
Ardent Health Services, a Tennessee-based hospital and health systems provider, confirmed that affiliate hospitals in East Texas, New Mexico, and New Jersey fell victim to a ransomware attack on the morning of November 23. The breach left facilities unable to accept patients or ambulances, resulting in cancelled major surgeries, diverted ambulances, and, as the coup de grâce, their most sensitive stored patient information leaked to the attackers.
A nurse in one of the hacked New Jersey hospitals said they were instructed "to print out as much patient information as we could" and forced to conduct all their necessary processes on paper. Not only were facilities reduced to the Stone Age, but the aftermath of a ransomware attack like this causes patient trust issues, reduced confidence and credibility in the organization, and severe financial hits from both the ransomware payout and loss of incoming services (by the way, for the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of $10.93 million). Oh, and don't forget getting slapped with HIPAA violations.
Ardent Health Services owns 30 hospitals and more than 1,300 aligned providers/sites of care in six states, but their primary locations are in Texas, Oklahoma, and New Mexico. These hackers are getting closer and closer to home.
Why Is Healthcare a Target for Ransomware?
According to Astra Security, "90% of healthcare institutions have experienced at least one security breach in the previous few years. 30% of most data breaches occur in large hospitals with a record of exposing patients’ private health information." That means the vast majority of medical organizations that are experiencing a security breach are small to medium-sized. Couple that with the resulting HIPAA violations and these statistics will debilitate hospitals and ERs. But why? What is putting healthcare at the top of the worst list in the world?
AI is Becoming a Mainstage Culprit in Medical Ransomware Breaches
34% of companies say they use AI regularly to ease their workflow and 27% of U.S. adults say they use AI more than three times a day. Medical facilities and personnel are no different. Furthermore, 49% of U.S. adults say they use AI to search for information, and 44% use AI to learn new things (HootSuite). Hackers are no different.
Our Chief Information Security Officer (CISO), Anthony Leatherwood, gives insights on the rise, growth, and inherent problems for medical communities: "Artificial Intelligence (AI) is a great tool, and the healthcare industry must tread very carefully when leveraging AI and ensure the data lake holding PHI always remains protected. AI does not absolve a healthcare business entity of the responsibility to meet HIPAA regulations. However, with that said, AI being applied to enhance health informatics is tremendous and already being adopted for years in medical research communities. The key is ensuring that compliance remains at the forefront and relying on AI to provide enrichment data and provide computational research insights as a catalyst to better healthcare globally."
AI impacts all industries. Platforms like ChatGPT and Bing Chat are great tools but are also something to be wary of (here are some tips and tricks on how to use AI appropriately).
ERs and Hospitals Store More Personal Information Than Any Other Industry
You know this. Every day patients hand over information like their Social Security number, birthday, insurance information, and even their blood type to your data storage. And if you use an online payment system (which most do) and a hacker accesses all of your data, they have the information for your financial platform and therefore, potentially, the financial information of your payments. Your healthcare facility literally contains the keys to every identity thief's dream life. One hack and they not only get money from you, but they can run the gamut of patient identities until they're squared away on some island in the Bahamas. Either that or they can just sell it for whatever and to whoever they want. Either way, Bahamas.
The medical industry saw 707 data breaches in 2022, which, according to one report, accounts for 20% of all publicly-reported data breaches (that's a staggering 480,014,323 total breached records). So far in 2023, healthcare cyberattacks have increased 60% year-over-year in the first 6 months. So yeah, hackers clearly want your data. Consider the following entry points hackers can gain access through:
- Medical devices like MRI machines, defibrillators, or an Automatic Medicine Dispenser (ADM) - especially if the technology hasn't gotten an update in a while!
- Remote devices - not all the information you need is at your desk or computer. You might have to access data from a larger office or company headquarters.
- Employee logins or employee portals. This includes their cell phones. If they can log on from a device, it's an entry point. All a hacker needs to do is log in using the stolen employee credentials.
- Online patient history. Gone are the days of paper stuffed into manila folders in a drawer somewhere. Doctors and nurses carry tablets and computers to take notes on a patient's symptoms.
As far as Ardent's current situation, as of publication, "Ardent cannot confirm the extent of any patient health or financial data that has been compromised. Ardent is still determining the full impact of this event and it is too soon to know how long this will take or what data may be involved in this incident."
We're more than a week past the incident and there are still no updates on patient health or financial information. That's a long time to not have any answers, whether you're a patient or a practice.
Frequent Phishing, Ransomware, and DDoS Attacks
Not only are healthcare organizations responsible for data, but they're also running a vast network of connected medical devices. This simple fact means it's sometimes difficult to stay on top of security. Personnel are busy, which leaves little time for security practices or for security education. As we all know, you can't defend against what you don't know about. So when you can't spot the signs of a phishing email or a suspicious link in the file notes, you can't remove the threat because you don't recognize it as a threat.
- Phishing is the most prevalent healthcare cybersecurity threat. It's as easy as an email or a text (called "smishing") and the hackers are in. According to Abnormal Security, "the healthcare industry is experiencing a 167% increase in advanced email attacks in 2023, which includes [Business Email Compromise] BEC, credential phishing, malware, and extortion." Protect and educate yourself.
- Ransomware is usually inserted through a phishing attack, and ransomware attacks occur in more than 1 in 3 healthcare organizations. Hackers know that it's important for the healthcare sector to minimize disturbances in their operations and processes, which they exploit during an attack. Victims panic, begin to fear the consequences, and react rashly. This was the confirmed mode of malware that debilitated Ardent Health Services.
- A Distributed Denial of Service (DDoS) attack is a mass wave of false connection requests to a specific server, forcing it to go offline. When this happens, multiple endpoints get infected with malware (ransomware). This is an especially effective attack, as attackers can not only force an organization offline completely (not even to print things off), but they can keep it shut off for as long as they want...including if you pay the ransom.
Given the increasing number of physical and virtual assets being brought online to healthcare networks, and as bad actors develop more sophisticated attack plans to reap bigger payouts, healthcare organizations cannot afford to put off strengthening cybersecurity. Mohammad Waqas told the HIPAA Journal that "on an average day, more than 55,000 physical and virtual assets are connected to organizational networks; yet an astounding 40% of these assets are left unmonitored – leaving critical, exploitable gaps." Healthcare organizations must prioritize cyber exposure management to mitigate all cyber asset risks, remediate vulnerabilities, block threats, and protect the entire attack surface. The entire healthcare ecosystem must be taken into account – from building management systems to patient experience devices and medical devices to vendor risk management.
How to Prevent Cyberattacks in Hospitals and ERs
Now, we're not ridiculing Ardent Health Services. It's not easy to manage such sensitive data on a large scale (because regardless of whether you have 10 patients or 10,000 patients, there's a lot of incredibly sensitive data to protect). In fact, Ardent Health Services responded to the threat quite well. Not only did they purport to have "electronic protection procedures in place" but "Ardent has also implemented additional information technology security protocols and is working with specialist cybersecurity partners to restore its information technology operations and capabilities as quickly as possible."
But what we are saying is you have to stop saying "it won't happen to me." It might not, but 90% of ransomware attacks is a big number for healthcare. It might not, but the odds are not on your side. The time to heighten your security posture is now.
- Be Diligent in How You Use Artificial Intelligence (AI)
AI is a part of our daily lives now. You can't go anywhere or do anything without encountering the newest and greatest AI trend. But what is meant for good can always be used for evil. That includes healthcare. Our Chief Information Security Officer, Anthony Leatherwood, gives this advice: "AI is already here and has been leveraged in healthcare medical research for at least the past 10 years in several forms, there is no going back. The key will be making sure that AI continues to operate within regulatory boundaries with transparency and accountability. When healthcare agencies leverage your PHI data, ask the right questions around data privacy as they are accountable for doing so."
- Evaluate and Increase Your Layers of Security
Like I said, the attacks are getting closer and closer to home. Plus, healthcare is a prime target. You need to increase your security. There is never too much security in place; be diligent. Conduct regular vulnerability scans to check for easy entry points and invest in true Managed Detection Response (MDR), which will monitor your endpoints, networks, and cloud environments and respond to cyberthreats 24/7. That way you stay ahead of the attacks. Lastly, conduct regular Risk Assessments either annually or when there is a substantial change in your environment (like adding a new piece of technology, product, or anything that leverages AI at its core).
PRO TIP: That can feel like a lot in the craze of hospital and ER chaos. If you need help, we can be an extension of your IT department or be your IT department. Whatever you need to remain confident in your protection.
- Create an Incident Response Plan (IRP) and a Disaster Recovery Plan (DRP)
If you can't get ahead of it, plan how you'll respond to it. IRPs and DRPs are regularly practiced, well-thought-out plans for how you'll respond in the case of an emergency. This includes more common things like power outages or natural disasters but also includes cyberattacks like ransomware and breaches. If you're not sure where to begin, check out this blog to assess your current IRP (and make it better) and this blog to help you get started creating a DRP.
- Educate Your Staff
The best defense against phishing and ransomware is to understand the warning signs. While it can feel like "something else on your plate," you can save yourself more trouble in the future by adding a few KnowBe4 modules to your quarterly plans. Identify the signs and stay out of the statistics. It's that simple.
- Choose a Quality Managed Service Provider (MSP) to Manage Your Systems
Like Ardent, who decided to work with a cybersecurity partner after the breach, this one simple proactive step can both prevent and quickly remediate cybersecurity threats. What's more, we've already mentioned how busy the healthcare industry is, so a comprehensive and trusted MSP partner is paramount. According to Leatherwood, medical organizations should specifically "work with a Managed Services Provider that offers a Managed Data Protection Agreement (MDPA) and Business Associate Agreement (BAA) that ensure PHI is protected as it travels through the full data lifecycle." Not only will this help keep your systems safe, but it will keep your patients' Protected Health Information (PHI) secure.
Secure Sensitive Data Today
It's not always easy, but working to prevent disaster from striking not only ensures sensitive information is protected but also keeps trust, credibility, and financial stability in your hands. Ardent Health Services is making the necessary changes and they will see the resulting improvements. Regardless, healthcare providers should continue to follow solid cyber hygiene and guidance required under HIPAA regulations. A great summary is provided by the Centre for Medicaid and Medicare Services.
If it seems daunting, let us help you make the transition as seamless as possible. That way you can focus on the things that matter: treating and helping your patients.