Health care is, perhaps more than most any other sector, a treasure trove of valuable data. In the past, it was personal identifiable information that enables identity theft. But that's evolved.
"All sectors have a long history of dealing with the privacy and financial consequences of cyberattacks," said Steve Curren, acting director of the Division of Resilience in the Department of Health and Human Services Office of Emergency Management. "The emerging challenge for the health care and public health sector is the potential for cyberattacks that end up impacting patient care. As our dependence on technology increases and systems become more interconnected, we need to remain aware of the importance of good cybersecurity practices in keeping patients safe.
Actual health consequences of past attacks have often been either indirect or difficult to prove. Even Hollywood Presbyterian Medical Center, which earlier this year paid a hacker $17,000 in bitcoin to restore crippled systems, saw no impact on patient care.
But the potential is there: systems could be brought down in a similar ransomware attack, interfering with drug delivery and other vital systems. A hacker getting into drug development research could carry out competitive sabotage. Laboratory research in the wrong hands could squash a medical breakthrough or even arm terrorist for a biological attack.
"As a general matter, I don't like to start from worst case scenarios. I try to work from bad scenarios that have a reasonable likelihood," said Darren Lacey, chief information security officer and director of IT compliance for the Johns Hopkins University and Johns Hopkins Medicine. "I think you have to keep in the back of your head that something much worse could happen, but if you build your entire security program around that, it distorts the security program from the stuff that actually does happen quite a bit."
The problem is one of complexity, as Curren describes it: The threats are as diverse as the number of organizations and systems they impact. And what Lacey has seen emerging in the last couple of years are directed attacks – where hackers come after an asset and then, after being blocked, come back again and again. It's evidence that the health care industry, Hopkins specifically, has become a target.
"Attackers are sophisticated enough to know with some degree of persuasion what exactly they're going after and that seems to be characteristic of state actors," he said. "They've done their homework much more than in the past. It doesn't change that that much how you defend it, interestingly enough, because you've still got to do the same things. But you keep it in the back of your mind, 'if I was a foreign state actor or a sophisticated cyber criminal, what would I be interested in?' And you hope you guess right."
Jill Aitoro is editor of Defense News. She is also executive editor of Sightline Media's Business-to-Government group, including Defense News, C4ISRNET, Federal Times and Fifth Domain. She brings over 15 years’ experience in editing and reporting on defense and federal programs, policy, procurement, and technology.