As hospitals become more dependent on technology, the risk of cybersecurity threats grows.
“Because that’s where the money is.”
That’s supposedly what outlaw Willie Sutton said when asked why he robbed banks. If he were alive today, he’d probably be a cyber criminal, and he might be breaching hospitals’ and healthcare systems’ technology.
Because that’s where the data is.
Just ask the National Health Service in England, where the WannaCry ransomware outbreak in 2017 locked about a third of NHS trusts out of their IT systems and forced hospitals to turn away patients. Or DCH Health System in Alabama, which had to close its doors to new patients after a ransomware attack in October 2019. In Georgia, 53 breaches have been made public in the last five years, affecting more than 2.5 million health records. (Every breach affecting 500 or more individuals must be reported to the U.S. Department of Health and Human Services, which posts it publicly.)
Cybersecurity is a challenge for healthcare for several reasons: The industry is complex, with many older computer systems and third-party devices and vendors. Thin finances can mean prioritizing patient care over protecting against cyber threats, and the push to convert patient information to electronic health records (EHRs) has put further strain on budgets.
And then there’s the value of the data. A single EHR is worth far more than a stolen card number because it bundles date and place of birth, Social Security number (SSN), credit card information and physical and email addresses. On the black market, an SSN might fetch anywhere from a few cents to a dollar and a credit card number up to a hundred dollars, but an EHR could go for up to $1,000.
After all, you can change your credit card or even your bank account and use a credit monitoring service. But you can’t change your medical history, date of birth, place of birth, names of your relatives, historical information about where you’ve lived and worked or every illness you’ve had. It’s the most comprehensive record of your identity, and it stays with you for your lifetime.
“We’re data rich,” says Chris Beasley, chief information officer (CIO) and HIPAA security officer for Houston Healthcare in Warner Robins.
Beasley was one of 18 Georgia hospital CIOs who met over the course of a year to identify the cyber threats facing healthcare systems and what can be done about them. Spurred by State Sen. Bruce Thompson (R-White), the meetings resulted in a report from the nonprofit Institute for Healthcare IT (IHIT), released in August.
Threats Inside and Out
We’ll start with the good news: Thompson and Calvin Rhodes, CIO for the state and executive director of the Georgia Technology Authority, continue to work with the group to find resources to address the challenges. Because it’s a daunting list.
Although the group included both big urban healthcare systems and smaller rural hospitals, the CIOs found they faced many of the same issues. “The scale might be different, but the challenges were pretty much similar,” says Geoffrey Brown, vice president and CIO of Piedmont Healthcare in Atlanta, one of the “most wired hospitals” according to the American Hospital Association. Some that rose to the top of the list include internal and external challenges, from training employees to vetting outside vendors.
Phishing: Every system, for example, must worry about phishing, an attempt to trick someone into clicking a malicious link or attachment that harvests login credentials or installs malware, usually by impersonating a person or organization the target trusts. And the phishers have gotten “phenomenally competent,” says Diana McKenzie, a Savannah attorney who is a partner and chair of HunterMaclean’s information technology and outsourcing practice group. “It used to be [that] you could look at a phishing attempt and know right away that’s what it was. But now it’s really not so clear. … I think the biggest concern among CIOs is that some phishing incident is going to bring down their entire electronic medical records system.”
The key is educating every individual employee, which takes time and resources. Like many organizations, Piedmont runs periodic exercises in which it sends employees fake phishing emails to see whether they click the link or report the message (the correct response), Brown says. Since Piedmont increased its training, he says, the number of suspicious emails reported has gone up, a sign employees are taking it seriously. That reporting rate is the number worth watching: a single report gives the security team the chance to pull the same message from every other inbox before anyone else clicks.
Aging technology: Old tech is another big challenge. Older systems weren’t built with current threats in mind and can be easy to break into. A vendor can issue a patch when a new vulnerability is found in a supported operating system, but a system that is decades old may no longer be supported at all, so the hole stays open.
“I’ve talked to a few hospitals that have older systems,” says Steven McWilliams, vice president and CIO at the Georgia Hospital Association. “They’re trying to get them upgraded to the latest and greatest, and sometimes that could be a challenge. That could be very expensive.”
Many hospitals, especially rural ones, operate with the thinnest of margins. Some simply can’t afford the expense or have to make difficult decisions between funding cybersecurity efforts or investing in patient care. McKenzie says she’s talked to CIOs and CEOs who tell her, “We have a clear cybersecurity issue in front of us, or we can buy this machine that we know will save X number of patients a year. We can’t do both.”
After a breach, a hospital may face punitive fines on top of the expenses stemming from the intrusion itself. For a small rural hospital, that could be life-threatening. “Those fines could be the thing that literally shuts the hospital down,” says Beasley, further worsening the rural healthcare crisis as well as leaving employees without jobs.
Biomedical devices: Doctors, hospitals and patients are increasingly using third-party software and hardware, like mobile apps and biomedical devices – everything from pacemakers to insulin pumps to MRI machines – that are connected to the internet. Many require access to protected health information (PHI), meaning they are yet another potential point of entry to healthcare data. Many run embedded or vendor-specific operating systems rather than a desktop OS like Windows, and vendors may or may not have the technical staff to issue patches and security updates. Also, U.S. Food and Drug Administration (FDA) rules require manufacturers to validate changes to device software, so even a routine patch is vetted more carefully, and arrives more slowly, than a Windows 10 patch for your PC.
“You can’t just sell us something that’s going to last 30 years [without updates],” says Beasley. If updates and patches aren’t available, the hospital may have to isolate the device on its own network segment, letting it talk only to the systems it genuinely needs, at the same time it is being urged to integrate data, systems and devices. And sometimes isolating a device is simply not feasible because it would impact patient care.
“You have all kinds of specialty applications where [for example] the cardiologist isn’t thinking about that being a backdoor into a hospital system,” says McKenzie. “They’re thinking about the unique needs of cardiology patients.”
In the past, says Brown, a hospital like Piedmont might assume vendors had security requirements and guidelines that were comparable to what the healthcare industry itself has around PHI. “What we’ve learned … is, many times that’s not the case,” he says. Now Piedmont delves much more deeply into the protections a potential vendor provides.
He acknowledges that some new tech offerings may still lack sophisticated protections, but in that case “we can work with them to make sure they have some fundamental things in place – if there is not a technology solution, that there may be multiple controls in place that could be alerted if something got out of balance.” But he says he sees a time coming quickly where if a vendor doesn’t meet a certain level of technical protection, they won’t be able to do business with Piedmont.
While the greatest risk from a hacked biomedical device is that it becomes a foothold into the hospital’s entire network, there is also a horror-show aspect: attackers could alter the results of individual medical tests (say, for a presidential candidate). Earlier this year, researchers at Ben-Gurion University in Israel demonstrated that an attacker on a hospital network could intercept CT scans between the scanner and the image archive and add or remove signs of cancer. In their trials, neither radiologists nor artificial-intelligence screening tools caught the alterations more than 90 percent of the time. “That’s the scariest stuff,” says McKenzie.
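One control that addresses exactly this in-transit tampering, shown here as an added example rather than anything the article’s sources or the Israeli researchers built: have the scanner authenticate each slice with a keyed hash before the image leaves the modality, and have the archive or viewing workstation verify the tag before the image is read. The scanner key, study identifier and slice layout below are hypothetical stand-ins for the real DICOM objects.

```python
"""Added example: catching scan tampering between scanner and image archive.

Not code from the article or from the researchers it cites. It assumes a
secret key provisioned on the scanner and on the verifying side
(hypothetical); slice layout and identifiers are simplified stand-ins for
the DICOM objects a real modality would emit.
"""
import hashlib
import hmac
import os
import struct

# Hypothetical per-scanner key, provisioned out of band (never sent on the wire).
SCANNER_KEY = b"hypothetical-per-scanner-secret"


def sign_slice(study_uid: str, index: int, pixels: bytes, key: bytes = SCANNER_KEY) -> bytes:
    """HMAC-SHA256 over study id, slice index and pixel bytes.

    Binding the index and study id means an attacker cannot drop, reorder or
    swap slices between studies without the tag failing."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(study_uid.encode("ascii"))
    mac.update(struct.pack(">I", index))
    mac.update(pixels)
    return mac.digest()


def verify_slice(study_uid: str, index: int, pixels: bytes, tag: bytes,
                 key: bytes = SCANNER_KEY) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(sign_slice(study_uid, index, pixels, key), tag)


def inject_lesion(pixels: bytes, offset: int, size: int) -> bytes:
    """Constructed stand-in for the published attack: overwrite a small block
    of pixel values in one slice (the real attack used a GAN to blend it in)."""
    buf = bytearray(pixels)
    buf[offset:offset + size] = b"\xff" * size
    return bytes(buf)


def check_study(study_uid: str, slices: list, tags: list, key: bytes = SCANNER_KEY) -> list:
    """Return the indices of slices whose tag no longer verifies."""
    return [i for i, (px, tag) in enumerate(zip(slices, tags))
            if not verify_slice(study_uid, i, px, tag, key)]


def demo() -> dict:
    study = "1.2.826.0.1.3680043.2.hypothetical"
    # Constructed study: four 64x64 slices of 16-bit pixels (random filler).
    slices = [os.urandom(64 * 64 * 2) for _ in range(4)]
    tags = [sign_slice(study, i, px) for i, px in enumerate(slices)]

    clean = check_study(study, slices, tags)           # expect []

    # Man-in-the-middle between scanner and archive alters slice 2 in transit.
    tampered = list(slices)
    tampered[2] = inject_lesion(tampered[2], offset=1000, size=32)
    after_tamper = check_study(study, tampered, tags)  # expect [2]

    # Swapping two slices also fails, even though every byte is "authentic".
    swapped = list(slices)
    swapped[0], swapped[1] = swapped[1], swapped[0]
    after_swap = check_study(study, swapped, tags)     # expect [0, 1]

    return {"clean": clean, "tampered": after_tamper, "swapped": after_swap}


if __name__ == "__main__":
    print(demo())
```

The check only covers changes made after the scanner signed the data; a compromised scanner signs whatever it produces. A shared key also means the verifier could forge tags, so a production deployment would use the digital-signature profile that DICOM itself defines, or at least TLS between modality and archive. The HMAC version is shown because it fits in a few lines and makes the slice-binding idea clear.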
Talent: Recruiting and retaining IT talent is especially hard on rural hospitals, where it can take time to find a qualified person and invest in training them, only to see them recruited away to a larger hospital. It’s also not uncommon for there to be one IT person at a small hospital, responsible for everything from setting up new employee accounts to fixing a balky monitor – in addition to constantly monitoring cybersecurity.
While these threats are daunting, the CIOs and others at the roundtable had ideas on how to help health systems better protect data. Chief among them is sharing information. Because breaches can damage hospitals’ reputations, the organizations’ leaders may be reluctant to share any information about the threat – although it could help other hospitals be prepared. Dealing with PHI can make it hard to share information, too. “Because we have to work as independent providers everywhere, we’ve given an advantage to the bad actors,” says Beasley.
Brown says the roundtable was a step in this direction, because it brought people together to talk and share best practices. “That was not a network that existed before this collaboration came up,” he says.
The IHIT report called for “IT Safe Zones,” where healthcare providers could share insights from both threat and incident responses, all in confidence. McWilliams envisions it as a “neutral place where lessons learned can be shared with other hospitals – it could be a center, it could be a service, maybe run by the state.”
Georgia has significant cybersecurity expertise at the Georgia Cyber Center in Augusta, and the report also called for creating a cybersecurity resource center specifically focused on healthcare, possibly as an extension of the cyber center. The healthcare center could offer:
• Electronic alerts about threats
• Incident response kits
• An online learning center
• A statewide security operations center that provides threat intelligence, monitoring and incident response
The state is taking these requests seriously. In a statement, Georgia CIO Rhodes said, “We saw a real need to extend the cyber academy training developed for state employees to cities and counties in Georgia, and we want to encourage hospital participation as well.” And Georgia is offering a service that will provide an information security officer who can work with an organization for a one-year commitment.
“At the end of the day, our patients trust us with their care, and we want them to know they can trust us with a surgical or medical procedure or prescriptions and also … with their healthcare data,” says Beasley.
Get Ready for a Breach
Diana McKenzie has some sobering news for hospitals: Be prepared, because “it’s not a question of whether some kind of data breach or hack is going to happen, it’s just when.”
No matter how well a system is protected, the hackers have the advantage, because they spend all their time looking for a way in, and “all you have to do is be wrong once and they’re in,” McKenzie says.
What does that preparation look like? McKenzie suggests several things that a healthcare system can do to help secure data, react quickly when a breach happens and protect itself legally:
• Map your data. Not all of it sits in the electronic health records (EHRs) system; PHI spreads into specialty applications, connected devices, exports and backups, which makes the map especially complex in hospitals. You cannot protect, or report on, data you do not know you hold.
• Create a data breach response team. Usually that includes a lawyer, the chief information security officer and your insurance provider, along with others such as members of the public relations team. Have the team practice their response in training.
• Establish relationships with law enforcement before a breach happens. McKenzie suggests joining InfraGard, a collaboration between the FBI and the private sector that provides education, information sharing and workshops on emerging technologies and threats.
• Understand the landscape of regulations and what applies to your organization. State data breach laws generally apply based on where the patient lives, not where the hospital is, so one breach can trigger several states’ notification rules on top of the federal HIPAA Breach Notification Rule.
• Review your cybersecurity insurance policy. The recent Institute for Healthcare IT report noted that many of the CIOs who participated in the roundtable hadn’t seen their hospital’s policy because it was reviewed by legal and compliance departments without input from IT.
• Include security-related provisions and standards in contracts with external parties. McKenzie says she often sees contracts that lack any commitment to security standards, even for IT services that are themselves security-related.
• Learn constantly. “Stay up to date, because the law is changing really, really fast as these various incidents come out,” McKenzie says. “If you’re not staying up to date, you’re going to be behind really quickly.”
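A first pass at the “Map your data” item above, as an added example that is not from the article or from any hospital: a scanner that walks a file share and counts identifiers that should live only in the EHR. The file names, contents and the seven-digit MRN format are constructed; the SSN rule applies the Social Security Administration’s issuance constraints so that placeholders and obvious junk are not counted.

```python
"""Added example: locating PHI outside the EHR with a pattern scan.

Not code from the article or from any hospital; the file names, contents
and the MRN format are constructed/hypothetical. A real inventory would
also cover databases, backups and device-local storage.
"""
import os
import re

# Detectors. SSN excludes areas 000/666/9xx, group 00 and serial 0000
# (SSA issuance rules); the MRN format is a hypothetical 7-digit scheme;
# the date rule is a heuristic for dates of birth (any MM/DD/YYYY counts).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\-]?\s*\d{7}\b"),
    "date": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d\d\b"),
}

# Constructed sample "files" standing in for a departmental share.
SAMPLE_FILES = {
    "radiology/export_2019.csv": "MRN: 1234567, DOB 03/14/1961, SSN 123-45-6789, CT chest\n",
    "billing/notes.txt": ("payer ref 234-56-7890; rejected ids 000-12-3456 "
                          "666-12-3456 123-00-4567 123-45-0000 912-34-5678\n"),
    "it/readme.md": "Backup rotation runs nightly; contact the help desk.\n",
}


def scan_text(text: str) -> dict:
    """Count matches of each detector in one document; empty dict if none."""
    counts = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {k: v for k, v in counts.items() if v}


def scan_files(files: dict) -> dict:
    """Map path -> per-detector counts, keeping only files with a hit."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk a real directory and apply the same detectors to text-like files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


def run_demo() -> dict:
    """Scan the constructed samples; only the first two files should report hits."""
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for path, hits in run_demo().items():
        print(path, hits)
```

A pattern scan finds copies in flat files and exports; databases, backups and device-local storage need their own inventory. The hit list the scan produces is itself a map of where PHI lives and must be handled with the same care.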
Georgia Trend 2019 Top Hospitals
Data analysis uncovers state hospital rankings
Over the past several years healthcare reforms, particularly around unsustainable spending, the uninsured population and quality outcomes, have been widely discussed and debated. While this talk is ongoing, hospitals continue to operate in a complex regulatory environment with uncertain policy outcomes, all while making investments to enhance efficiency and deliver quality patient care.
For this list, which includes hospitals that provide a range of services, Georgia Trend evaluated each hospital in the state that participates in the Centers for Medicare and Medicaid Services (CMS) Hospital Value Based Purchasing program. The CMS program does not include VA medical centers, children’s hospitals, critical access hospitals and long-term care facilities.
A total performance score based on information including clinical process, patient experience, outcome and efficiency was used to rank hospitals of similar size and mission. Georgia Trend groups hospitals into Teaching Hospitals, whose primary mission is teaching regardless of size and are certified by the Association of American Medical Colleges Council of Teaching Hospitals and Health Systems; Large Hospitals (250+ patient beds); Medium Hospitals (100 to 249 beds); and Small Hospitals (less than 100 beds). The American Hospital Directory provided the hospital bed size.
The rankings are based on CMS data downloaded Aug. 3, 2019. Analysis of the data was completed for Georgia Trend by independent consultant Mark A. Thompson, professor and associate dean of the Hull College of Business at Augusta University.
While these hospital rankings on performance are useful and provide valuable information, there are many factors that consumers should consider when deciding where to go for their healthcare needs. Always consult your healthcare provider about your and your family’s healthcare needs. – Mark A. Thompson
Top Teaching Hospitals
Hospitals whose primary mission includes teaching and are certified by the Council of Teaching Hospitals (COTH), regardless of size*
1. EMORY UNIVERSITY HOSPITAL, ATLANTA
2. EMORY UNIVERSITY HOSPITAL MIDTOWN, ATLANTA
3. AUGUSTA UNIVERSITY MEDICAL CENTER, AUGUSTA
4. GRADY MEMORIAL HOSPITAL, ATLANTA
5. WELLSTAR ATLANTA MEDICAL CENTER, ATLANTA
6. THE MEDICAL CENTER, NAVICENT HEALTH, MACON
7. MEMORIAL HEALTH UNIVERSITY MEDICAL CENTER, SAVANNAH
Top Large Hospitals
Hospitals with 250 or more patient beds
1. PIEDMONT ATLANTA HOSPITAL, ATLANTA
2. EMORY SAINT JOSEPH’S HOSPITAL, ATLANTA
3. WELLSTAR PAULDING HOSPITAL, HIRAM
4. NORTHEAST GEORGIA MEDICAL CENTER, GAINESVILLE
5. NORTHSIDE HOSPITAL, ATLANTA
6. PIEDMONT ATHENS REGIONAL MEDICAL CENTER, ATHENS
7. WELLSTAR KENNESTONE HOSPITAL, MARIETTA
8. HAMILTON MEDICAL CENTER, DALTON
9. SOUTH GEORGIA MEDICAL CENTER, VALDOSTA
10. NORTHSIDE HOSPITAL FORSYTH, CUMMING
11. SOUTHERN REGIONAL MEDICAL CENTER, RIVERDALE
12. NORTHSIDE HOSPITAL GWINNETT, LAWRENCEVILLE
13. WELLSTAR WEST GEORGIA MEDICAL CENTER, LAGRANGE
14. COLISEUM MEDICAL CENTERS, MACON
15. EASTSIDE MEDICAL CENTER, SNELLVILLE
16. FLOYD MEDICAL CENTER, ROME
17. DOCTORS HOSPITAL, AUGUSTA
18. PHOEBE PUTNEY MEMORIAL HOSPITAL, ALBANY
19. ST. FRANCIS HOSPITAL, COLUMBUS
20. UNIVERSITY HOSPITAL, AUGUSTA
20. PIEDMONT COLUMBUS REGIONAL MIDTOWN, COLUMBUS
Top Medium-sized Hospitals
Hospitals with 100-249 beds
1. WASHINGTON COUNTY REGIONAL MEDICAL CENTER, SANDERSVILLE
2. CARTERSVILLE MEDICAL CENTER, CARTERSVILLE
3. DONALSONVILLE HOSPITAL, DONALSONVILLE
4. NAVICENT HEALTH BALDWIN, MILLEDGEVILLE
5. WELLSTAR DOUGLAS HOSPITAL, DOUGLASVILLE
6. NORTHSIDE HOSPITAL CHEROKEE, CANTON
7. EMANUEL MEDICAL CENTER, SWAINSBORO
8. FAIRVIEW PARK HOSPITAL, DUBLIN
9. EMORY JOHNS CREEK HOSPITAL, JOHNS CREEK
10. UNION GENERAL HOSPITAL, BLAIRSVILLE
11. TANNER MEDICAL CENTER VILLA RICA, VILLA RICA
12. PIEDMONT NEWNAN HOSPITAL, NEWNAN
13. PIEDMONT FAYETTE HOSPITAL, FAYETTEVILLE
14. TANNER MEDICAL CENTER – CARROLLTON, CARROLLTON
15. WELLSTAR NORTH FULTON HOSPITAL, ROSWELL
16. TIFT REGIONAL MEDICAL CENTER, TIFTON
17. REDMOND REGIONAL MEDICAL CENTER, ROME
18. CANDLER HOSPITAL, SAVANNAH
19. NORTHRIDGE MEDICAL CENTER, COMMERCE
20. MEMORIAL SATILLA HEALTH, WAYCROSS
21. EAST GEORGIA REGIONAL MEDICAL CENTER, STATESBORO
22. HOUSTON MEDICAL CENTER, WARNER ROBINS
22. HABERSHAM MEDICAL CENTER, DEMOREST
24. ST. MARY’S HOSPITAL, ATHENS
25. CRISP REGIONAL HOSPITAL, CORDELE
Top Small Hospitals
Hospitals with fewer than 100 beds
1. EVANS MEMORIAL HOSPITAL, CLAXTON
2. ADVENTHEALTH GORDON, CALHOUN
3. PIEDMONT MOUNTAINSIDE HOSPITAL, JASPER
4. NORTHEAST GEORGIA MEDICAL CENTER BARROW, WINDER
5. PERRY HOSPITAL, PERRY
6. PIEDMONT COLUMBUS REGIONAL NORTHSIDE, COLUMBUS
7. STEPHENS COUNTY HOSPITAL, TOCCOA
8. PHOEBE SUMTER MEDICAL CENTER, AMERICUS
9. WAYNE MEMORIAL HOSPITAL, JESUP
10. COLQUITT REGIONAL MEDICAL CENTER, MOULTRIE
11. FANNIN REGIONAL HOSPITAL, BLUE RIDGE
12. SOUTHEAST GEORGIA HEALTH SYSTEM – CAMDEN CAMPUS, ST. MARYS
13. ST. MARY’S SACRED HEART HOSPITAL, LAVONIA
14. COLISEUM NORTHSIDE HOSPITAL, MACON
15. DODGE COUNTY HOSPITAL, EASTMAN
16. MEADOWS REGIONAL MEDICAL CENTER, VIDALIA
17. COFFEE REGIONAL MEDICAL CENTER, DOUGLAS
18. PIEDMONT NEWTON HOSPITAL, COVINGTON
19. UPSON REGIONAL MEDICAL CENTER, THOMASTON
20. GRADY GENERAL HOSPITAL, CAIRO