

3 Lessons US Hospitals Can Learn from UK Hospital Malware Attacks

Hospitals need to look beyond HIPAA and PHI, understanding that advances in online interaction mustn't jeopardize the availability and quality of patient care.

Ordinarily, when people write about comparisons between the U.K. National Health Service (NHS) and healthcare providers in the U.S., the subjects are cost, accessibility and quality of care. Looking at the news, there is also plenty to discuss in the area of cybersecurity. The sheer size and patient demands of the NHS (roughly 1,600 hospitals and 150,000 beds) have led to the implementation of significant internetworking technologies and to earlier exposure to a variety of growing pains around security. Recent events in both the U.K. and the U.S. make this a good time to see if there aren't some important lessons that can be learned and maybe some issues that can be avoided.

Lesson #1: Security Means More Than Just PHI.
The U.K. NHS has seen its systems targeted for the theft of credentials and financial information, while historically, U.S. attacks have aimed to steal patient Protected Health Information (PHI). That isn't surprising, since U.S. patients carry their own insurance, making their information valuable, whereas in the U.K., the NHS provides the coverage, removing the profit motive. In addition, U.S. security spend is driven by HIPAA requirements, which focus on protecting the privacy of PHI, leading to investments that are unbalanced in favor of data privacy over healthcare service reliability.

In the U.K. and the U.S., a lack of emphasis on general protection has resulted in disabling attacks against multiple institutions. In those situations, attackers were able to use malicious software to paralyze critical medical services and put patients at risk. While the specific malware in U.K. attacks has yet to be identified, experience and limited information point to ransomware, the type of malware that has been used to hamstring U.S. providers like Hollywood Presbyterian Medical Center. These attacks demand money to reconstitute scrambled data and systems and are not much impeded by investments in access control and data privacy solutions implemented to protect PHI. In the U.K., 47% of all hospitals were victims of these attacks, as were the same percentage of healthcare providers in the U.S.

The lesson for U.S. hospitals is to look beyond PHI and even beyond HIPAA. Ransomware attacks disrupt the vital services that hospitals exist to deliver. Organizations need to revisit their security investments and increase the priority of preventing these incidents while maintaining sufficient controls on the privacy of patient data. When I am seriously ill, the availability and quality of my care is my priority, and the privacy of my information, while important, is a distant second.

Lesson #2: Hospitals Provide Hosted Services, Ecommerce and Active Content.
Development of online services by the NHS has been rapid and broad. Starting in 1999 with NHS Direct, the U.K. has enabled simpler online patient interaction. From scheduling appointments to paying bills to offering wellness advice, the NHS took early advantage of the capabilities of a highly internetworked public, but it has had several setbacks as it advanced these capabilities. In 2010, the NHS fell victim to a malware attack that infected over 1,100 machines and resulted in the loss of user credentials, credit card information and over 4GB of data in a single week. In 2014, a coding error resulted in over 800 NHS links sending visitors to an untrusted site where they were served unwanted advertising and malware. That same year, security writer Graham Cluley exposed hundreds of NHS websites running vulnerable and outdated versions of the popular WordPress package.

What is the lesson for U.S. hospitals? The U.S. healthcare industry is adopting a similarly complex set of enabling technologies to deliver more online patient interaction. Through proprietary services, healthcare portals and online bill payment providers, patients are regularly entering personal health and financial information. U.S. healthcare providers need to ensure that these new services are architected and delivered with the same kind of security and reliability that characterize established online retail and financial services. They need to be designing for security, testing at the component and service level, integrating security checks into site operations and engaging with third parties to ensure sufficient protection.

Lesson #3: Increase Transparency, Education and Notifications.
An entire section of the NHS, called NHS Digital, provides the technology that supports the healthcare system. It also holds responsibility for cybersecurity, and following the public breaches and security events, it created a new set of services for all NHS hospitals, raising awareness of and emphasis on security issues and events. It followed the model of Computer Emergency Response Teams (CERT), standing up CareCERT in November 2015, which has three stated purposes:

• CareCERT Knowledge: providing awareness training on cybersecurity issues for staff.

• CareCERT Assure: providing cybersecurity assessment and recommendations.

• CareCERT React: providing advice on minimizing impacts and costs of incidents.

The lesson for U.S. hospitals, and the healthcare industry in general, is to look for more formal and regular means to create and convey this same kind of information. A limited number of healthcare providers, payers and vendors participate in the NH-ISAC, an Information Sharing and Analysis Center. The NH-ISAC provides a forum for members and sponsors to discuss events and develop best practices, but it is a sponsor-funded industry organization, not a public-sector healthcare advisory service. The U.S. Department of Health and Human Services has recently created a Health Care Industry Cybersecurity Task Force, but there has been little output to impel changes in behavior that would improve security.

Lessons to be Learned
Our hospitals are providing the most personal kind of care to patients who are often experiencing high levels of anxiety and need. The systems that we have created to ease that journey have made the relationship between provider and patient more transparent and more personal. Unfortunately, when we don't adequately protect those same systems, they endanger the foundational product: quality healthcare. This exposure is common across the industry, and the integrated nature of healthcare calls for more conscious and regular communication and sharing of concerns and best practices. Hospitals need to look beyond HIPAA and PHI, understanding that advances in online interaction mustn't jeopardize the availability and quality of patient care.

Jack Danahy is co-founder and CTO at Barkly.

© 2017 ADVANCE Healthcare, an Elite CE company