Healthcare is under attack. Healthcare organizations are prime targets for hackers due to the valuable protected health information (PHI) they store and the vital role they play in our nation's critical infrastructure. Indeed, 89 percent of healthcare organizations have experienced a data breach in the past two years, and the sector was the leading industry for cyberattacks and data breaches in 2018. In 2019, the trend looks to continue, with six hospitals and healthcare systems reporting large-scale attacks in the month of July alone. However, what's even scarier than losing the data is the human impact of these breaches. A breach triggers remediation expenses, regulatory inquiries and litigation, which can disrupt and delay hospital services and lead to worse patient outcomes.
In this episode, Marc Light (VP of Data & Research, BitSight) and Eric Johnson (Dean at Vanderbilt Owen Graduate School of Management) will be discussing research conducted on the impact data breaches have on patient care and just how vulnerable the healthcare industry still is to cyber threats today.
Kim: Welcome to the BitSight Risk Review. During each episode, we'll be discussing current events and technology in the security and risk space. Thanks for tuning in, and let's get started. Hi everyone, and welcome to the BitSight Risk Review. I'm your host for today, Kim Johnson. Today I'm talking with Marc Light, VP of Data and Research here at BitSight, and our special guest, Eric Johnson, Dean at Vanderbilt Owen Graduate School of Management, about research conducted on the impact data breaches have on patient care, and just how vulnerable the healthcare industry still is to cyber threats today. One quick disclaimer that I have is that the research presented today is independent and was completed by Vanderbilt University and BitSight Technologies respectively. Vanderbilt University is not endorsing the research, nor was its research funded by BitSight Technologies. Eric and Marc, thanks for joining me.
Eric: My pleasure.
Kim: So Eric, let's first take a look at the fabulous research that you and your colleagues conducted, "Do Hospital Data Breaches Reduce Patient Care Quality?" This is definitely something that I somewhat geeked out about, right, healthcare, and getting to actually the human impact this has. So let's start with why you did this research. What actually sparked your interest in the subject?
Eric: Well I've been doing more work around the economics of information security for over a decade, and primarily focused recently on breaches. Breaches not just in healthcare, but in all areas of the economy. And while most of the time when we think about breaches, and the economics of breaches, we often talk about financial harm, you know, the harm that may come to a consumer if they have their credit cards stolen, or their financial identity stolen. But in this work, we started thinking about other impacts for patients. Patients of course, you know, go to the hospital to get care, and we questioned whether breaches might actually somehow impact care. It was kind of a fascinating subject, and one that a lot of people had not really even considered prior to our work.
Kim: Yeah, that's actually interesting. So being in cybersecurity for almost 10 years now, I worked for a healthcare cybersecurity company, and it was the first time I realized where the technology that we have can eventually impact humans at the other end, right? It actually can have that human implication.
Eric: And that's exactly what we were trying to understand is was there some other impact beyond the privacy loss or possible financial impact to patients.
Kim: Exactly. And so looking at the research, what was your process? So you know, I read through it and there's definitely some complex calculations involved, but what was the high level methodology that you used to understand this?
Eric: Well, we started looking at two primary data sets. One is information on hospital breaches. Since the HITECH Act was enacted in 2009, hospitals have been compelled to report breaches that impact more than 500 individuals. So if a hospital has a patient breach and it impacts more than 500 people, they have to report that to the media. They also have to report that to US Health and Human Services, HHS.
Kim: The wall of shame as they fondly call it, I believe.
Eric: Yeah, the wall of shame, exactly. That's all, of course, publicly available up on a website. And then we also looked at lots of data related to the hospitals themselves, the types of quality care they were providing, all kinds of characteristics of those hospitals. And what we were seeking to do was to understand when a hospital experienced a breach, did we notice any dips in other quality indicators for that hospital.
Kim: And was this something that you actually went on site and observed, and I believe it went over a few years that you were looking into this. Is that correct?
Eric: That is correct. And it's part of a longer piece of work we've been doing around healthcare. And in fact we did go on site in a number of hospitals, looking at usability issues around healthcare information security. But the study that is reported here is primarily an econometric analysis of a large, large set of data, looking at 5,000 hospitals across the US, and looking at both these breaches and the quality issues in those hospitals.
Kim: Okay, and one thing I was curious about, so you know, in the world of breaches, there's actually a lot of types of breaches. It could be a data breach, right? But there are other instances. So what type of breaches did you look at? And I believe in the report, there was some indications that the type of breach actually made a difference in the outcome that you saw.
Eric: So yes. We did look at all breaches. Some of those breaches involved what we might just call inadvertent disclosure. That is maybe a lost laptop, or some other hard disk with patient information on it. Some were hacks. Some were insiders. So we did look at all types of breaches. And the reason we really looked at all types of breaches here is that in the end, in terms of remediation, that is post-breach, hospitals that experienced one of the breaches of 500 or more individuals typically go through a remediation process. Sometimes that's overseen by HHS in terms of ensuring that they have addressed security issues at the hospital. And what is kind of interesting is that what you'll see in our work is that we really focused on that remediation piece. Not so much the breach itself, but what happened after the breach. And we're talking months and years, really, after the breach because, you know, by the time a breach is discovered, and then reported, and then acted upon in terms of remediation, many times it can be two, three or more years until all the ramifications of a breach might be felt. And the types of remediation certainly do vary with the breach. But all breaches require a review of the overall security program. And many of the pieces of the remediation may be similar for a hacking, or for some other insider, or a loss.
Kim: And you know, that's an age-old, you know, kind of story we tell in security, balancing security and usability. And so looking at that aftermath that you're mentioning, there were definitive correlations to AMI mortality rate. And you had mentioned in the research, which I found fascinating, that it was comparable to undoing a year's worth of improvement. But what other takeaways did you highlight in the research that, you know, I think are important to highlight here?
Eric: So yeah. So when we were looking at the different quality measures, we began to realize that the things that security might impact in a hospital are things related to speed. That is, in the remediation process, many times new security controls are applied. It may be enforcing a strong password. Hospitals are notorious for maybe having really good access to information because they want it quickly, but not so focused on security. And after a breach, many times they start enacting policies that look like financial institutions. That is having two-factor authentication, timeouts on machines that are logged in, those kinds of things. And every one of them, in some sense, involves some little bit of time. And so we focused on quality metrics related to time and conditions that were related to time. And it's hard to imagine anything more time sensitive than arriving at the emergency room with chest pain. So we focused on that. Hospitals have a protocol which says that they seek to have the patient onto an EKG within 10 minutes of arrival. And they measure that. That's a quality metric that they measure. And likewise, they also measure things like the 30-day mortality rates of patients presenting with those kinds of symptoms. And so looking at those, indeed we found that hospitals that had been breached, post-breach, over the next two, three years, saw increases in the 30-day mortality rate for their patients. And also that the time that it required to get an EKG increased in some cases by more than two minutes. And two minutes is a big deal when you're suffering a heart attack.
So we think those things are related. We can't prove every piece of this. You know, we can observe it. We can see that they had a breach. We can see that these times were increasing after the breach. We can see that the 30-day mortality rate was increasing. And so we're hypothesizing that much of that is related to remediation activity that occurred post-breach.
Kim: Yeah, I think, you know, you had very clearly written out that for security initiatives to reduce that impact, they need to make sure that you understand how you could affect processes, procedures, treatments. One of my favorite stories of doctors getting around security practices was, you know, over the weekend, a hospital had the walls painted in their hallways. And the next day, they got password reset requests left and right because doctors had been writing the passwords on the wall next to the computer. Now why do they do those things, right? They're doing that because, like you said, that's time spent trying to authenticate, and trying to log in, because right, everything's digital. Everything's an electronic medical record. They need to know, is somebody allergic to this penicillin I'm about to give them? It's life or death. And so do you deal with strong passwords, and try to authenticate the right way, or do you write it on the wall? And they write it on the wall. So I think it's a fascinating study in terms of the impact. You also had a recommendation, a call-out, right, to the healthcare community. And what was that in terms of, you know, what do you think they need to do to improve this?
Eric: Well one of the things that we've been studying, not just in hospitals, but in all organizations, is what we call usable security. And what we find is that when security's not so usable, you get these funny workarounds, like the one you just described. I'm gonna write my password on the wall. That's kind of a workaround because maybe the passwords are too difficult for people to memorize, or there are too many different passwords, or they're changing the passwords too frequently, and the doctors will find a workaround, or the nurses will find a workaround.
What we're really advising in our own work is that all security needs to be balanced against usability issues, and particularly in environments like healthcare where the primary goal, of course, is providing great healthcare. And information security is really a secondary concern.
Kim: Absolutely, yeah. The patient outcome is first. I think that's also why in healthcare we see that the doctors rule the roost, right? They definitely hold the most clout in terms of priorities and usability. So Eric, just kind of wrapping up on the research topic, what are the next steps that you see for this research? You know, I believe it's coming out, or being published even further than it is already, and are you planning to continue and expand or update it?
Eric: Yeah, so this particular study is being published in October, in a journal called Health Services Research. And it is one of several papers that we're working on in this area. We've been looking to try to understand the impact of breaches on many different factors, not just, like I said, the financial impact to patients, but health impacts. And then how does that impact the hospitals themselves? Do patients decide to choose a different hospital based on the quality of the information protection? Would they choose a hospital that wasn't breached if they had a good alternative hospital nearby? So we're doing lots of different work all in that same area.
Kim: That's fabulous. Yeah, and we all know, right, it's become a consumer-driven style of healthcare, just like Yelp ratings and everything else. Each healthcare organization is extremely competitive with the next. And now you have imaging centers. Now you have minute clinics, things that are being stood up that, you know, we're gonna start shopping around for healthcare like you said. And if there's a reputational consideration to that, you know, I think that will absolutely make one hospital stand out versus another. Fascinating, fascinating.
So now to switch gears a little bit, as mentioned, these were separate research efforts, Vanderbilt and BitSight did this independently, but at BitSight we do monitor the cyber risk of healthcare organizations around the world. And we can actually see the healthcare sector is still vulnerable to cyberthreats. So on this other side, right, we're talking about the impacts of these breaches, but where we're looking from the BitSight angle is before they happen, and even where the security postures are for these organizations, we can see that they're still open to threat. So our data science team, led by Marc Light, who's with us today, as of June 2019, examined the overall security ratings of healthcare companies, as well as potential vulnerabilities, such as legacy systems, software, insecure ports, and instances of compromised systems. So Marc, turning it over to you. What was the high-level takeaway that you and the BitSight data science team really saw?
Marc: Yeah, so I mean, I think the high-level takeaway is that there are a lot of hospitals that have challenges with respect to their security and their cybersecurity. And only 50% have an advanced rating. And the other 50% are either in intermediate or low. And these low ones have, when we look across our data, a five times greater likelihood of breach than the ones that are advanced. So you know, if they're holding your data, it would be great if more of them were towards the top. Of course, it has to be balanced, as Eric was saying, against the impact it would have on health. And really what we're pushing, or hoping for, is that they take some of the steps that don't have any impact on patient care. And so in comparison with other major industries, they're similar to retail. They're similar to utilities. And they're quite a bit lower than business services, and finance, and credit unions, and things that are dealing with money. And I think, at least for the data, that you might want them to be more like the finance and banks than the retailers.
Kim: Right, right. And actually, that's one piece. If you think about it, if they're equal to retail, however, when we talk about personal health information, PHI, one of the key factors there is that it's not something you can replace, right? So if a credit card gets stolen or compromised, a financial institution would issue you a new one. But when you start talking about PHI, the idea that they're more equivalent to a retail, you know, vendor or organization, is troublesome, right? We're looking at data that's actually even more sensitive potentially than a financial institution's.
And so then when looking, digging into kind of what we mean by advanced rating, or intermediate basic, digging into specifically vulnerabilities and infections, what findings did you see there?
Marc: So what we found was that around 39%...40% of the healthcare companies have some kind of port, or sort of service that they're providing to the outside. So this is...so on the internet that's a type of service that computers access. And they have an insecure and vulnerable type of service open to the internet. And one that could be made secure if it was updated or patched properly, or perhaps it shouldn't be open at all. And they have at least one, and it actually only takes one. That's the other thing about cybersecurity is that there only needs to be one chink in the armor. And the other side will try to find that piece and get it. So it's a weakest-link kind of setup.
So that's a pretty high number. We also saw that 7% of the healthcare companies have had one or more botnet infections in the last three months. And these botnets are pieces of software that are what we call malware, that a hospital wouldn't want installed on their network. And it gets there because somebody downloaded an application, or a game, that they wanted to use, or someone clicked on something in a phishing attack, and it installed this piece of software. And this type of malware, we find to be highly correlated with breach. And if you have a couple of these things, we find that there's a correlation between that and almost doubling your likelihood of being breached. And there's some causative link. It points out a control problem, that people are able to install software inside your network that you don't want. And in fact, these things also can do some pretty nasty things directly. And that's why they're there in the first place, so that they exfiltrate data or they install other pieces of software. And so 7% again, pretty high for an industry, and certainly some issues there.
Kim: Yeah, and you know, going back to, Eric, your research, right? If we're seeing 40% of healthcare organizations, roughly 40%, have these insecure services, vulnerable to cyberattack, and 7% have botnet infections, which, like you said, is highly correlated to breach, well those breaches are having patient impact. And so it's leading to malicious behavior, and potential patients being impacted. And like we said, even the usability of the technology. And then so looking at that, that's good, right? It's the news that you're at risk of being breached, but is there any good news for the healthcare industry? Anything they're doing really well that we can see from the BitSight side?
Marc: Well I think they've taken the phishing attacks really seriously. 70% of them have utilized some different ways of authenticating emails from within the system. So therefore, if you get an email inside an organization that has one of those authentication technologies in place, like DKIM or SPF, it's much harder to spoof and say, oh you know, this is an email from the CEO, and I need you to send me some data, or send me some of your credentials so I can log in, because I forgot my password. That kind of email is much harder to send. You know, it won't have this kind of stamp that says, hey, this is authenticated. It'll say it comes from the outside, and therefore you should be very careful about clicking on it or responding to it. And so that's really good news for the healthcare industry in general.
Kim: Yeah, that's excellent news. I mean, you're talking about a sector, right, that still to this day uses fax machines, and for a long time only operated on fax machines. And now they've had to go digital. Again, they had to become electronic. So at least in the way they're communicating, they seem to be buttoning up in terms of security. So overall, what would you say could be done? What actions do you think healthcare organizations can take to start working on preventing these breaches from even happening?
Marc: Well, I think continuous monitoring, really taking it as not the type of thing where you do a questionnaire once a year, or you have some kind of...where you're going through a once-a-year check-in and doing an onsite visit. Rather, you want continuous monitoring of your security posture, and trying to get a measurement on it. If you can't measure it, you can't improve it, so that is obviously one thing that could be done.
And another reason for needing to do that is that again, you have an intelligent, sentient adversary that is going to be changing their behavior, and how they're attacking. And so you have to keep up to date, and you have to keep changing things. And I think for efficiencies and for a lot of the speed that Eric was talking about, there's going to be more and more internet of things, more of these devices that you find in a hospital that are extremely useful for patient care are going to be connected to the internet so they can be remotely accessed, so they can be monitored, all these things. That has to be done in a secure way, and a way that still allows the speed. So it's a challenge. I mean, it's definitely a challenge, and I think there's probably gonna have to be more funding spent on that side of things, which is tough. It's definitely a difficult position to be in, but it's really a reality and something that has to be done.
Kim: Yeah, I remember thinking, you know, if you think about telehealth and this idea of security, and needing to be authenticated and everything, and you know, my grandma's about to be 100 next year, which is amazing. Trust me, she's an amazing lady. And if I went to her and said, "Grandma, you need to do multi-factor authentication," I think she'd probably fall out of her chair. You know, she's somebody that's seen the telephone invented. So part of the challenge too is that the people consuming this security, and having to use the security, are not necessarily the most tech savvy. So it is the day to day. It is the, yes, the Millennials might be able to do it, but can Grammy, right?
Well, that looks like all the time we've got today. Eric, Marc, this was a very fascinating conversation, and one that most definitely showed, you know, that there's absolutely a human impact to breaches, especially in the healthcare space. Thank you both for taking the time to talk with me.
Thanks for tuning into the BitSight Risk Review. Head over to BitSight.com for more episodes and other great security ratings content. That's B-I-T-S-I-G-H-T.com.