Channel: Healthcare IT News - wannacry

NIH, experts warn healthcare pros to stay vigilant to thwart hackers


LAS VEGAS – As hackers increase in sophistication and the threat surface expands, cybersecurity needs to be a priority for all healthcare organizations.

That’s especially true since many of the global cyberattacks in the last year, such as WannaCry and NotPetya, weren’t even targeting the healthcare sector, according to Albany Medical CISO Kris Kusche, speaking during a HIMSS18 Allscripts meeting on data security best practices.

“That’s the scary proposition,” said Kusche. “The largest threat is essentially the thing that is coming at us that we don’t know about.”

Plus, technology is changing so quickly that it’s difficult to keep up, he added.

For the National Institutes of Health, said Jon Walter McKeeby, the CIO for its Department of Clinical Research Informatics, “there’s the fear of everything… everybody can be attacked. And it only takes one device, one system.”

But maintaining all vulnerabilities “at one time is a difficult proposition,” McKeeby said. “We have to be more vigilant.”

The trouble is that budget constraints make security tough for many providers, while for providers in the private sector, patching systems and taking vulnerable equipment such as MRI machines offline isn’t always an option.

“It needs to get to the point where we don’t need to fight for the budget,” said Dara Barrera, Michigan State Medical Society’s manager of Practice Management and health IT.

“I want to be routine. I don’t want IT to be specially funded,” said Kusche. “I don’t want to have to say I need this special budget because then I will know [security] is part of the culture, part of the DNA of the organization.” And having a culture of security within an organization is crucial, given that people are one of the greatest weaknesses.

So how do healthcare providers manage all of these threats? NetSmart CISO Tony Maupin said it’s really about working closely with peers, the business unit and vendors, and getting “to know who is dealing with the same kinds of challenges you’re facing.”

“But also… challenge your vendors,” he added, to share best practices, think outside the standard practices and “get involved in those grassroots of security… Let’s just come together and work as a team.”

“To me it’s less about security, and more and more about risk management,” Maupin said. “We’re always going to have resource strains. It’s different for every one of you... but we’re all faced with more work than we can get done with our team.”

So organizations need to have a very clear understanding of risks, and clearly communicate the impact with the executives to make sure everyone grasps the gravity of the situation, Maupin explained. “Like anything else, you prioritize and do the best you can.”


Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com


Sidelined HHS Deputy CISO blasts agency, claims security center 'decimated'


With reports that Health and Human Services Chief Information Security Officer Christopher Wlaschin is stepping down at the end of this month, the department’s role in leading and facilitating security efforts in healthcare and other industries is more uncertain than ever.

The HHS Healthcare Cybersecurity Communications and Integration Center, in fact, has already been at the center of ongoing questions since Sept. 6, 2017, when HHS Deputy CISO Leo Scanlon and HCCIC Director Maggie Amato were abruptly reassigned for what they said was an investigation into allegations for “ethics violations.”

[UPDATE: CMS Deputy CIO Janet Vogel to replace outgoing HHS CISO Wlaschin]

The House Energy and Commerce Committee is currently investigating HHS to determine whether it penalized Scanlon and Amato for whistleblowing. While the investigation is pending, the committee is operating on the assumption that these allegations are credible.

The committee has two major concerns: interference with the constitutional duty to conduct oversight and cybersecurity.

150 days and counting

Scanlon and Amato were first temporarily assigned to unclassified duties in separate locations, while Scanlon was placed on full-time telework status. After a total of four new assigned positions over the course of a month, Scanlon was put on administrative leave and Amato resigned.

As of Wednesday, Scanlon has been on paid administrative leave for just over 150 days -- despite the 120-day limit on government leaves. Scanlon told Healthcare IT News that his treatment has “no precedent” and the OIG investigator, his attorney and other tech leaders have not seen anything like this.

[UPDATE: Outgoing HHS CISO Chris Wlaschin opens up about his departure]

To make matters worse, Scanlon said he was recently informed by HHS that neither he nor Amato is now, or has ever been, under investigation. The news came as quite a shock, given that Scanlon had been told his leave and assignment shuffling were based on such an investigation.

"As a matter of policy, the U.S. Department of Health and Human Services does not comment on matters related to pending litigation," an HHS spokesperson said. "In regards to HCCIC – we are always working with our partners across the government and the private sector to continue to improve our Nation’s cybersecurity."

No one from HHS has contacted Scanlon about these details since Sept. 6, and he said he has essentially been left in the dark. While others in the industry have told him that HHS procedures are notorious for being difficult, his situation is certainly unique.

An HHS spokesperson told Healthcare IT News they were looking into Scanlon’s situation, but did not share further details. This story will be updated if more information becomes available.

The uncertain fate of HCCIC

HHS’ HCCIC had overwhelming support from Congress and industry leaders when it launched as part of a partnership with the National Health Information Sharing and Analysis Center (NH-ISAC). 

It was designed to take a leadership role in facilitating threat intelligence and other cybersecurity-related information sharing and, in fact, played a pivotal role in fighting the global WannaCry attack in June of 2017.

[Also: House investigating HHS over sidelined cybersecurity leaders]

“The threat has changed, the problem has changed,” Scanlon told the House Energy and Commerce Committee following the attack. “There are matters that need to be brought to light … Organizations are now being attacked on a level they aren’t capable of handling on their own.”

At that same meeting, Scanlon touted the efforts of the HCCIC and the progress it was making to coordinate on cybersecurity threats within the healthcare community.

[Also: HHS targeting outdated regs in wake of damning cybersecurity report, WannaCry]

But with the removal of HCCIC leadership and HHS Chief Information Security Officer Chris Wlaschin reportedly stepping down from his role on March 31, the future of HCCIC and, in turn, HHS taking a leadership role in healthcare cybersecurity, is uncertain, to say the least. 

“At the moment, there is no HCCIC. It’s been completely decimated,” said Scanlon. “There’s no active committee for response … The short-term trajectory was to be physically and organically aligned with the NH-ISAC.”

“The agency has abandoned the committee that was made with HCCIC and that’s a big loss for NH-ISAC, which now has no partnership,” he added. “The agency is trying to avoid a real answer to that question.” 

Digging in his heels

When asked why he didn’t resign with Amato, he cracked a few jokes, but most notably Scanlon said: “You pick a fight with me -- you finish it.”

He added that he chose to fight because he’s at the apogee of his career. 

“I felt it was important to have a dead body, lying on the floor, so no one could walk away from it. Because it was clear they were going to push this under the rug,” Scanlon said. “We just don’t understand what happened. That’s a shock that forces someone to say: What are you doing? What is going on here? To force the issue.”

There are a lot of administrative tools available to address the situation, and they can be put into place and set into motion, he explained. 

Scanlon insisted that his situation is not dire, either financially or reputationally. HHS recently approved his request to consult while on leave, and he also feels supported by his colleagues, friends and others in the industry.

“This is dirty politics,” said Scanlon. “Everyone needs delegation -- that’s the end game.”

 



US, UK accuse Russia of actively targeting internet routers, devices


Russian hackers are actively targeting devices that control the flow of internet traffic to gain access and spy on Western governments and businesses, according to a rare joint alert from the U.S. and U.K. released Monday.

Delivered by the Department of Homeland Security, FBI and U.K. National Cybersecurity Centre, the warning outlines Russian state-sponsored cyberattacks penetrating software programs and devices, including firewalls and internet routers, on a global scale.

The goal, according to officials, is to steal company secrets and spy on these countries. The hackers also are attempting to lay the foundation for future cyberattacks, the agencies said.

[Also: NIH, experts warn healthcare pros to stay vigilant to thwart hackers]

"The current state of U.S. network devices – coupled with a Russian government campaign to exploit these devices – threatens the safety, security and economic well-being of the United States," agency officials wrote.

Both the U.S. and U.K. found Russia was responsible for the global NotPetya attack in May 2017. Hackers targeted and crippled Ukraine’s infrastructure, but a long list of other businesses were caught up in the destructive attack, including the U.K. National Health Service and several U.S. healthcare providers.

[Also: Sidelined HHS Deputy CISO blasts agency, claims security center 'decimated']

Healthcare organizations need to be aware of the increase of these Russian attacks. While the healthcare sector may not be an initial target, malware can proliferate quickly outside of its intended victim – as seen with NotPetya and also the global WannaCry attack this past June.

The alert comes at a critical time, with the recent departures of two top government cybersecurity officials. The White House announced on Tuesday that its Cybersecurity Coordinator Rob Joyce will leave his post to return to work at the National Security Agency.

[Also: CMS Deputy CIO Janet Vogel to replace outgoing HHS CISO Wlaschin]

The move comes just one week after Joyce’s boss, former White House Homeland Security Adviser Thomas Bossert, was reportedly forced out by new National Security Advisor John Bolton. Joyce had been filling Bossert's role in an acting capacity since that announcement.

Their departures leave major holes in the Trump administration’s cybersecurity leadership.



Nearly a year since WannaCry and all 200 National Health Service trusts failed cybersecurity assessments


The global WannaCry attack that crippled business operations across the globe happened almost a year ago. But since falling victim, the U.K. National Health Service has yet to fully implement the necessary cybersecurity requirements that would prevent a similar fate if an attack struck again.

A new report from the U.K. Commons Public Accounts Committee outlines how unprepared the health system was before the attack in May. Its hospitals and clinics were shut down and 20,000 appointments were canceled. For some of its trusts, systems didn’t return to normal service for a number of weeks.

[UPDATE: Citing WannaCry, lawmakers ask how to tackle medical device cybersecurity flaws]

The crux of the issue was governance and silos, according to the report. Officials didn’t know whether organizations were prepared for a cyberattack and relied too heavily on the local trusts’ assessments of their governance.

But even a year out from the attack, both the government and the NHS have a long way to go to ensure their systems are prepared for the next virus. In fact, none of the 200 trusts passed the cybersecurity assessment by NHS Digital.

[Also: NIH, experts warn healthcare pros to stay vigilant to thwart hackers]

The investigation into the health service by members of parliament found some of the trusts failed the assessment “not because they had not done anything on cybersecurity, but rather that the Cyber Essentials Plus standard against which they are assessed is a high bar.”

Cyber Essentials Plus is comparable to the U.S. NIST Cybersecurity Framework.

“However, some trusts had failed the assessment solely because they had not patched their systems – the main reason the NHS had been vulnerable to WannaCry,” the report read. “It’s also concerned that trusts that were not infected by WannaCry could become complacent over cybersecurity and not keep on top of their cybersecurity risks.”

[Also: US, UK accuse Russia of actively targeting internet routers, devices]

The lack of patching is concerning, as that was how WannaCry was able to inflict so much damage.

The malware was powered by the leaked NSA hacking tool EternalBlue, which targeted a vulnerability in outdated Windows software. While Microsoft released a patch for the flaw in March, it wasn’t applied by many organizations. As a result, WannaCry proliferated across the globe.

NHS England and NHS Digital officials told investigators they were still struggling to apply patches due to the size and scope of the trusts.

“Patching can disrupt the use of medical equipment and present a clinical risk to patients, and applying a patch in one part of an IT system can cause disruption elsewhere in that system,” NHS officials told the MPs.

But the MPs stressed that with proper segmentation and firewalls, those systems could still be protected.

Another issue hindering progress on its cybersecurity front is that the Department of Health “still does not know what financial impact the WannaCry cyberattack had on the NHS.” The MPs gave NHS until June to update the cost plans for its crucial cybersecurity investment.

And more concerning is that while NHS Digital told investigators understanding cybersecurity needs at a local level was a priority, officials lack some key information “to manage any future national attack on NHS such as on the use of anti-virus software and IP addresses.”

NHS is also struggling with the global security talent shortage and told the MPs “it has only 18 to 20 ‘deeply technically skilled people.’ Without the right staff in place, it will be difficult to apply the necessary changes.”

However, the investigation said WannaCry was “a wake-up call for NHS.” And since the attack, NHS and the government have “improved their understanding of local organizations’ readiness for another cyberattack.”

NHS Digital has assessed the cybersecurity readiness at 200 trusts, compared to just 88 assessed before that attack. And those assessments, despite all failing the readiness test, revealed to NHS Digital the most vulnerable trusts.

“WannaCry was a financially motivated ransomware attack, and as such relatively unsophisticated (it locked devices but did not seek to alter or steal data),” the report read. “However, future attacks could be more sophisticated and malicious in intent, resulting in the theft or compromise of patient data.”

“The department and its arms-length bodies accept that cyberattacks are now a fact of life and that the NHS will never be completely safe from them,” it added.



Citing WannaCry, lawmakers ask how to tackle medical device cybersecurity flaws


Legacy health IT poses both a significant threat and challenge to the sector, and the House Energy and Commerce Committee is calling on industry leaders to share insights about ways to begin overcoming infosec issues.

The committee outlined its concern in an RFI posted Friday over outdated medical devices, especially after WannaCry. The May 2017 attack impacted hundreds of thousands of devices by leveraging a flaw in legacy technology and crippled a wide range of organizations, including the U.K. National Health Service.

Outdated software and equipment are still creating serious cybersecurity vulnerabilities that, if leveraged, put patients at risk. Just last week, the U.K. governing body found that the NHS is still unprepared for another attack. Patching the same flaws used in WannaCry was just one of its challenges.

“The healthcare sector and medical technologies face the same challenge that has vexed the IT industry for decades: Digital technologies age faster and less gracefully than their physical counterparts,” the committee members wrote. “In the aftermath of the outbreak, healthcare stakeholders were faced with a troubling question: how many other potential ‘WannaCrys’ lurk within their environments?”

As a result, the committee is asking industry leaders to provide suggested methods that could improve these serious flaws to better understand what policies could prevent future attacks like WannaCry.

The committee said it understands that identifying and managing these flaws poses a serious challenge, such as specialized equipment that may only be available in certain models to fill an organization’s need. But they’re hoping industry stakeholders might have an answer to begin tackling that issue.

Currently, the Food and Drug Administration is making a push to include a mandatory built-in update capability, which would help when flaws crop up in new devices. However, that won’t help legacy technology, such as the devices covered by the firmware patch released this month by Abbott to fix cybersecurity flaws in 350,000 devices.

“For some of these products, replacements or alternatives may not be available, or they may be affected by similar vulnerabilities, leaving organizations with few, if any, good options,” the committee wrote.

However, the committee suggested that this method of requiring vendors to support legacy technology throughout its lifecycle is inefficient and impractical, “as doing so may mean entirely rearchitecting or rewriting the chipsets, operating systems, or applications on which a technology relies.”

“This is an expensive undertaking not just in terms of funding, but in terms of time and expertise,” the committee wrote. As a result, manufacturers would have to spend significant resources on legacy technology instead of providing innovative technology.

And cost is another major challenge to providers when it comes to fixing these flaws, as many hospitals operate under incredibly tight budgets that don’t allow for extra funding to replace legacy devices.

“As a result, organizations may reason that replacing technologies to address intangible and often esoteric cybersecurity vulnerabilities, especially in machines that may still exhibit acceptable physical operation, does not provide enough benefits to offset the costs,” they wrote.

“Why, if a device can still meet its intended use, should it be replaced at the expense of other organizational needs?” the committee asked.

The committee is asking industry stakeholders to address not only these issues but others of which the committee may not be aware. The deadline to provide input is May 31.




NHS to improve cybersecurity posture with Windows 10 migration


The U.K. National Health Service signed an agreement with Microsoft to upgrade its legacy computer systems to Windows 10 to improve its cyber resilience after the global WannaCry cyberattack shut down one-third of its health trusts last June.

The hope in updating all NHS devices to Windows 10, according to officials, is to improve its cybersecurity posture and improve the health system’s ability to respond to attack.

After falling victim to WannaCry, NHS staff was locked out of their systems and 20,000 appointments were canceled. Some trusts were offline for a number of weeks. What’s notable was the severity of the impact, as NHS wasn’t the initial target of the hackers.

WannaCry was able to proliferate due to the health system’s failure to patch its legacy systems. While Windows 7 users were hardest hit by WannaCry, users of XP, the system used by NHS, also were vulnerable to attack. The U.K. government ended support of the outdated software in 2015.

“We’ve been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS as far as reasonably possible against this threat,” Jeremy Hunt, secretary of health and social care, said in a statement.

“This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect,” he added.

The migration announcement comes just two weeks after a U.K. Commons Public Accounts committee revealed all 200 NHS trusts failed its cybersecurity assessments. Officials took that report as a wake-up call, as it has helped to improve their understanding of the health system’s readiness for another cyberattack.

Among a list of recommendations, the group gave NHS until June 2018 to determine its plans to improve its cybersecurity posture in the event of another cyberattack.

The centralized agreement with Microsoft will give NHS a consistent security approach and modernize its operating system. It’s the second agreement signed between Microsoft and the health system this year. The two signed a support agreement just three months after WannaCry.

The vulnerabilities of NHS computer systems are similar to those faced by U.S. health systems: outdated systems, limited budgets and patching difficulties, an issue highlighted in January by the Office of the National Coordinator for Health IT.




Kaspersky yanks Europol participation after EU calls software 'malicious'


Kaspersky Lab is temporarily suspending its work with Europol and the No More Ransom project following a majority vote from the European Parliament that the Russian-based cybersecurity firm’s software is ‘malicious.’

The motion is an advisory-level document that gives EU nations a general guideline for their cyberdefense plans. Among the clauses, the motion mandates that EU states review the software and equipment of their IT infrastructure and advises them to exclude programs or equipment deemed malicious.

The reaction from Kaspersky stems from the clause specifically naming the vendor as an example of a malicious product.

Clause 76 calls for a review of all products used by EU institutions to “exclude potential programs and devices and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.”

Company CEO Eugene Kaspersky took to Twitter to announce his frustration: “European Parliament decision welcomes cybercrime in Europe.”

“We have protected the EU for 20 years, working with law enforcement leading to multiple arrests of cybercriminals,” Kaspersky wrote. “The way we conducted public-private partnership[s] is unfortunately ceased until the withdrawal of the European Parliament decision.”

Kaspersky worked closely with EU law enforcement on its No More Ransom campaign, which provides ransomware decryptors and assistance. Kaspersky research also helped during the global WannaCry attack of May 2017, providing information on the attack vector and hackers.

But the company has been embroiled in controversy with claims that Kaspersky has ties to the Russian government. Its CEO has repeatedly denied those claims.

As a result, Kaspersky opened its source code for review, but the U.S. government still officially banned use of its software on federal systems in September 2017. The Netherlands banned Kaspersky software in May.



To be honest, healthcare isn't ready for the next cyberattack

Lee Kim, director of privacy and security at HIMSS, says the industry has a long way to go to be able to fend off next WannaCry or Petya. But the good news is collaboration is happening across healthcare to better get prepared.

WannaCry, Petya 1 year later: The good, the bad and the ugly


It's been about a year since the WannaCry and Petya cyberattacks ravaged IT systems around the world, crippling hospitals and technology vendors alike. The healthcare industry is still unprepared for the next big attack.

In May 2017, the WannaCry ransomware attack hit more than 300,000 computers and knocked hundreds of businesses offline, including the U.K. National Health Service. Just one month later, hackers struck again with Petya wiper malware, which permanently damaged the IT systems of its victims, including two U.S. health systems and FedEx.

What's most concerning is that these attacks are seen by many in the security field as poorly executed test attacks – but still their victims were unprepared for the major damage they caused.

Healthcare wasn't ready then, and a year later it's not in any better condition to face another, more sophisticated global attack of equal or greater scope.

"WannaCry was poorly executed," said Lee Kim, director of privacy and security for HIMSS North America. "It was just flexing the muscle in terms of what's possible. And unfortunately, we saw stateside the various effects across the healthcare sector.”

"We were hurt by it, even though it wasn't totally sophisticated code, even though it wasn't as coordinated as it could be," she added. "If that's the test case you have to wonder: Once these threat actors get their game together and see how vulnerable we really are, they're obviously going to evolve and get more sophisticated."

That's not to say that there weren't some valuable lessons learned from these cyberattacks. But for whatever good has come from them so far, there's plenty more to still be concerned about.

The good

While threats are increasing in sophistication and hackers show no signs of letting up, the good news is that healthcare is increasing its cybersecurity investments and making some strides to shore up some of its vulnerabilities.

"There are a lot of good things happening, in planning, and there's some activity in Washington, D.C. that will drive things forward," said David Finn, executive vice president of strategic innovation for CynergisTek.

In fact, a recent Cybersecurity Ventures report predicted that global healthcare cybersecurity spending will exceed $65 billion by 2021, as ransomware attacks on the sector will quadruple by 2020.

The added investments are a step in the right direction, as the majority of security leaders agree that boardroom support and funding are crucial in the fight against cybersecurity threats.

What's also helping is that more organizations are collaborating and some are participating in partnerships with security organizations such as the National Health Information Sharing and Analysis Center (NH-ISAC) and MITRE. While traditional security tools are beneficial, they're not enough in this era of sophisticated threat actors: free sharing of threat info and best practices is essential.

"Healthcare is one of the first examples of a sector or group doing this crowdsourcing approach to developing analytics," said Julie Connolly, principal cybersecurity engineer for MITRE. "We have different ways to engage the community and we put the framework out there. It takes time, but it's been very successful."

To Lee Kim, collaboration and security conferences are critical in this current landscape, as the "collective wisdom" will help to change the current culture and "empower (organizations) to share the latest and greatest information on threats and how to make us stronger."

"If we aren't as organized as these actors (and we are) diluted in terms of our power and numbers, how can we match up? And the answer is: We can't," said Kim.

The bad

Since WannaCry and Petya, ransomware has only gotten worse and there's been "an incredible uptick since then," said Finn. "The bad guys saw how well it worked and then started attacks" at a greater pace.

What makes health IT unique is the vast demands on both its infrastructure and operational structure, Finn explained, necessitating that some things get more prioritized than others. "The things that can wait, they get stuck to the bottom of the list," he said. "But then they don't get done."

On a micro level, consider the U.K. National Health Service, one of WannaCry's largest victims. All of its 200 trusts failed a government assessment, just one year after the attack.

While some failed due to the high standard of the test, many failed because they didn't appropriately patch their systems. And here's the rub: NHS failed to patch a known vulnerability just four months before WannaCry, and that flaw was what allowed the virus to proliferate.

Patching is one of the simplest ways to shore up flaws, in theory, but many organizations don't patch because patching can affect the function of a device and even interrupt service.

Training and patch management are "really the basic stuff," said Finn. "It can be time consuming, but if you're not doing that – everything else you do will be wasted effort."

The FBI even released an alert in late 2017, warning that "deficient security capabilities, difficulties in patching vulnerabilities, and a lack of consumer security awareness provide cyber actors with opportunities to exploit these devices."

And with the number of IoT and medical devices continuing to rapidly increase – 20 to 50 billion connected devices by 2020 – the healthcare sector is continually adding to its attack surface.

Another big problem is that many healthcare organizations still fail to encrypt devices.

For example, MD Anderson Cancer Center just lost its fight with the U.S. Department of Health and Human Services after failing to encrypt its devices containing patient data used for research. The three stolen devices, left unencrypted, cost the center $4.3 million in fines.

The question is, if healthcare can't even fix known flaws, what else is it failing to address?

Part of the trouble is that the sector is failing to home in on incident response, explained Finn. While organizations prepare for natural disasters, airplane crashes and the like, they're not doing exercises to prepare for downtime during a data breach or cyberattack.

"We're not ready for the next attack because of incident response," said Finn. "It's interesting that an industry built around triage and taking care of the sickest patients first, isn't prioritizing breach response."

Organizations need to focus on recovery now, and on what happens after getting hit with ransomware or another cyberattack, he explained. "Plan those exercises and a coordinated action plan that's ready to execute when you have that incident."

If not, a provider can face not only an interruption to care, but a huge financial burden. Finn said he knew of one provider that aced its detection and discovered a ransomware attack incredibly quickly. The incident was isolated within 14 minutes.

"But because they hadn't planned the recovery, it took them several months to recover and it consumed 60 percent of their annual IT budget just to get back to normal," Finn said. "Despite the progress of some individual organizations, there's still a lot of room to improve as an industry."

Jorge Rey, CISO and director of information security and compliance for Kaufman Rossin, says the healthcare sector still hasn't figured out how to manage cyber risk from a business perspective. Often, organizations tend to under-invest and still haven't figured out whether the right responses are in place.

"The healthcare industry has matured, with HIPAA and HITECH: There are more resources, and technically we have more secure platforms and a more secure environment and framework," said Rey. "We need to continue doing what we're doing and get better at it."

"But even if you're one of the organizations being very aggressive about cybersecurity – you're still connecting to a lot of healthcare organizations that may not be doing as much," Finn said. "You've created other attack vectors."

The ugly

Ransomware may be continuing to pummel the healthcare sector, but it's no longer the reigning threat. Cryptocurrency mining malware and cryptojacking are on the rise, and hackers are expected to exploit mobile devices as much as computer systems in the near future.

This malware is more subtle than ransomware, running in the background, often undetected, for an extended period of time. Attackers infect the computer or IoT device and use its processing power to mine cryptocurrency. It's been incredibly lucrative for hackers, according to a recent McAfee report.

But new, invasive malware is just the tip of the iceberg.

For Kim, the biggest fear is that next time the attack will actually impact patient safety. Both Petya and WannaCry held health systems hostage. NHS had to divert patients to other locations and cancel some surgeries, which in itself could have put patients at risk.

Two recent studies examined how exposed or vulnerable medical systems are leveraged by hackers, and what that means for patient safety.

Although exposed devices and systems aren't necessarily vulnerable, a Trend Micro report found that these flaws can be used by hackers as a doorway into an organization. Even worse, these exposures let threat actors steal data, launch botnet attacks and the like.

And if the hacker does get in, patient lives are impacted, a recent MedCrypt-funded study from the University of California Cyber Team found. The surveyed delivery organizations and vendors said that between 100 and 1,000 patients had adverse events from compromised health IT infrastructure.

The threat is only going to get worse. The same study showed what happens when a cybercriminal hacks a medical device: The doctors don't know it's happening, and the patient continues to suffer while they attempt to figure it out.

"Medical devices are really your next train wreck that's going to hit the industry," said Finn. "We've been talking about this for more than a year – but we need to hammer the nails to start fixing the problem. We're all going to have to come together and figure out how to fix medical device security.”

"We've been talking about it – and bad guys are listening," he added. "(Devices) are not protected, easy to get into and then they can use that device to get into the hospital where all the data lives," he continued. "But the bigger risk around the medical devices is the clinical operation and patient safety."

There's been an increase of IoT medical devices and some hospitals are trying to "integrate these devices into operations to improve patient care," said Jorge Rey. "But by doing this they're creating new attack vectors – another area of risk for the hospitals."

Part of the challenge facing the healthcare sector is that these devices are difficult to secure and right now there's no prescribed framework to help manage these big events, he explained.

"And what happens if someone's patient data is modified or tampered with?" asked Lee Kim. "What happens if it's inaccessible? We have paper records, but what if the provider can't read cursive writing in the patient record?"

"What's to happen in an era when the patient is in an emergency state and all you have is a doctor's handwriting?" she added. "We just rely on faith that we'll be OK? Who knows?"

For Kim, healthcare's biggest issue is that "we're so cannibalistic in healthcare."

With everyone competing with each other, she explained, not everyone wants to share threat information. But for the industry to get better, stronger and more resilient against future major cyberattacks, working together is now a necessity.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

WannaCry and Petya 1 year later: The good, the bad and the ugly

Healthcare providers are investing more in cybersecurity, but an increase in threat sophistication and threat actors means the industry is still not ready for the next big global cyberattack.

UK's NHS struggling with security after WannaCry, losing 10K patient records last year


Just months after all 200 U.K. National Health Service trusts failed government-issued assessments, a recently released report from think tank Parliament Street found the NHS lost nearly 10,000 patient records last year.

The report examined the number of records misplaced by NHS trusts during the last financial year and found that 68 NHS trusts lost or misplaced 9,132 patient records.

The team only worked with those 68 trusts to compile the data, which was made up of information on patient records reported missing and details of handwritten records. Data from the other 132 NHS trusts was not included in the report.


Researchers found University Hospital Birmingham was the biggest culprit, reporting 3,179 missing or stolen records. Bolton NHS trust followed with 2,163 misplaced records and University Hospital Bristol fell in third with 1,105 records lost.

The researchers also noted that recently NHS faced a loss of 162,000 missing documents and 702,000 pieces of missing paperwork, which “questions the integrity of the software they have in place and the security of paper documents.” Some of the lost documents eventually were located.

Also notable: 94 percent of the trusts included in the study still use handwritten notes.

The report is disturbing, considering the repeat security lapses recorded by U.K. NHS. The health system fell victim to WannaCry in May 2017 after failing to patch a known vulnerability months before the global attack. Nearly a year later, all 200 trusts failed an audit, many of which for failing to patch known flaws.

NHS pledged nearly $2 million to bolster its security after the attack and moved to improve its cybersecurity posture with a Windows 10 migration. NHS also created a new security center to enhance its monitoring capabilities, complete with ethical hacking and vulnerability testing.

But the loss of records points to continued security lapses and a failure to meet its own standards. It also highlights the need to address security risks, as they accumulate over time when reporting and proper education are missing from security plans.

Repeat offenders are a serious issue in the U.S., as well. Employees who already breached privacy in the past were responsible for about 30 percent of third-quarter breaches in the U.S. And as breaches cost about $408 per patient record, the need for better breach response and security policies can’t be overstated.

So where is the U.K. NHS going wrong? According to researchers, the NHS needs to improve in several areas. They recommend abolishing handwritten notes in hospitals, “as it’s clear paper-based systems are no longer fit for purpose.”

The NHS should also introduce a patient identity protocol to "protect the identity and integrity of patient documents." The researchers recommend the use of speech recognition software to help clinicians quickly capture notes from consultations. Its use could also ensure data is properly captured and stored, while increasing the security and privacy of patient records.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com
