© Bank of America Corporation. All rights reserved.
The increasing digitization of patient health records and under-funding of network security are putting hospitals at risk. But the industry could emerge as a major driver of cybersecurity spending
THROUGHOUT THE CURRENT CYCLE, the healthcare sector has been a major source of growth for both the economy and investors. Over the past five years, healthcare expenditure has outpaced U.S. gross domestic product (GDP) and consumption growth, and the industry has been one of the largest net contributors to payroll employment and the top-performing equity sector globally. But in 2015, the healthcare sector achieved a different type of distinction, becoming the subject of more attempted cyber attacks than any other industry group worldwide.[1] Five of the eight largest healthcare breaches since 2010 took place in 2015 alone, involving over 100 million patient health records, while 80% of industry executives surveyed by KPMG in the same year said their information technology had been compromised. Leading security research organization Ponemon Institute estimates that criminal attacks on healthcare information systems rose by 125% between 2010 and 2015 and puts the average cost of a U.S. healthcare organization breach at over $2.2 million. On an industry-wide basis, the cost each year is thought to be as much as $6.2 billion.
As we have discussed previously, the increasing digitization of the healthcare system represents a key productivity support for providers, drug developers and medical researchers. Since 2009, the proportion of U.S. physicians using a basic electronic health record (EHR) system has more than doubled, allowing more providers to quickly access, update and share patient medical histories, prescription orders, clinical notes and laboratory results (see Exhibit 1).
Digitization has outpaced security
But the increasing number of EHRs has been a double-edged sword. Digital healthcare data growth has outpaced spending on the IT security infrastructure required to protect it, making the sector a sitting target for would-be attackers. And as more electronic patient data has been shared internally or with third-party providers such as patient specialists, vulnerability to sabotage and theft has only increased.
Whether in terms of staffing levels, budgets or managerial emphasis, healthcare sector participants have been slow to increase their capacity to address cybersecurity threats. The Ponemon Institute's 2016 benchmark study on healthcare data security found 50% of U.S. healthcare organizations to be without adequate human or financial resources to detect or manage data breaches. Only 8% assessed their vulnerability on a quarterly or more frequent basis. Providers have instead tended to focus on the annual privacy risk assessments required by law under HIPAA (the Health Insurance Portability and Accountability Act), which by themselves are insufficient to fully secure electronic health information. And the hard dollars devoted to cybersecurity within the healthcare sector also lag behind other heavily targeted industries. According to a 2016 study by Symantec and the Healthcare Information and Management Systems Society (HIMSS), the federal government devoted 16% of its $86 billion IT budget to cybersecurity in 2016, comparable with the 12%-15% in financial services, but well ahead of the 6% in healthcare.[2] And among the healthcare firms included, most were well below the average. More than half spent just 3% or less of their IT budgets on security, further illustrating the gulf between the scale of the threat and the industry response to it so far (see Exhibit 2).
The growing number of potential entry points to healthcare system IT networks has also rendered the sector more susceptible to hacking. Among the most insecure and easily accessed are network-connected medical devices such as x-ray scanners, infusion pumps or surgical robots. Many run on virus-prone software that is not automatically patched or upgraded, and they are often protected only by basic alphanumeric passwords. This makes them weak links in the system, and potential backdoors into the wider network. In 2015, the Food and Drug Administration (FDA) issued its first warning to healthcare facilities on a specific device, strongly encouraging hospitals to stop using an EHR-integrated pain medication infusion pump thought to be particularly vulnerable to intrusion. The device was subsequently recalled, and the Illinois-based manufacturer has since beefed up its security features.
A highly lucrative target
But chronic underspending by providers and ease of access to their networks only partially account for the rise of healthcare system cyber attacks. The healthcare sector is also a highly lucrative target for would-be intruders. Patient EHRs, for example, contain data that can be sold, used for medical identity theft or submitted in fraudulent claims for valuable prescription drugs and equipment. And unlike credit cards, they cannot be canceled and reissued. According to Symantec and HIMSS, stolen patient data can fetch up to 50 times more than a social security or credit card number on dark web peer-to-peer markets. And increasingly, hospital IT networks are becoming the target of so-called ransomware attacks, in which malware is used to encrypt critical databases and shared files on facility computers or servers, blocking user access. Attackers then demand payment in exchange for unlocking the data. Given that their need to access important information such as patient drug histories is often highly time-sensitive, healthcare providers are more likely to be the deliberate objects of this tactic. In March 2016, for example, the Hollywood Presbyterian Medical Center paid a ransom of 40 bitcoins ($17,000) to regain access to its electronic health record system.
Indeed, the total organizational cost of a cybersecurity breach is typically much higher in the healthcare sector than in other industries. Along with reputational risk and denial of service, which in some instances can put patient health in jeopardy, providers can face litigation costs from HIPAA violations, not to mention industry-wide costs from the inhibition of data sharing between caregivers for fear that their counterparts may not be secure. Across a range of industries examined by the Ponemon Institute in its 2016 Cost of Data Breach study, healthcare ranked the highest on its per capita data breach cost (defined as cost per compromised personal record). At $355, the sector was well above second-place education at $246 and third-place financial services at $221, and more than double the $158 industry average (see Exhibit 3).
The level of spending needs to rise
From the point of view of vulnerability, potential payoff for intruders and potential cost to the industry, it is clear that the level of spending on cyber defense by the healthcare sector will need to rise. In the U.S., healthcare spending already accounts for over 17% of GDP, and as the data vulnerability challenge persists, we should expect the sector to become a major driver of IT security spending. Indeed, there are early indications that industry participants may already be starting to place more emphasis here in response to the growing number of attacks. Not only has the FDA warned about security for a specific device, but it has also issued broader guidance on stronger network and endpoint security for the industry as a whole. And a February 2016 International Data Corporation Health Insights study examining the results of an earlier survey revealed that 40% of providers now report their IT budgets to be growing, with security strategies such as network monitoring among the top drivers.
Over the coming years, we expect the healthcare sector to emerge as a key driver of cybersecurity spending within our Innovation investment theme. We believe this will add to the growth in global IT security spending, to the advantage of advanced threat protection software vendors. Healthcare facilities that move first on upgrading network security are likely to see more patient volume as public awareness of the risk posed by vulnerable systems increases. And we would also expect medical hardware manufacturers that develop stronger security features (such as voice activation or biometric scanning) to benefit. With the growing push by the FDA to improve industry standards, and the high cost of potential breaches from compromised devices, providers are likely to make security an increasing priority in their equipment purchase decisions.
[1] IBM 2016 Cyber Security Intelligence Index report
[2] Symantec and Healthcare Information and Management Systems Society: "Addressing Healthcare Cybersecurity Strategically" (2016)
The Merrill Lynch Chief Investment Office provides industry-leading investment solutions, portfolio construction advice and wealth management guidance. This material was prepared by the Merrill Lynch Chief Investment Office and is not a publication of BofA Merrill Lynch Global Research. The views expressed are those of the Merrill Lynch Chief Investment Office only and are subject to change. This information should not be construed as investment advice. It is presented for information purposes only and is not intended to be either a specific offer by any Merrill Lynch entity to sell or provide, or a specific invitation for a consumer to apply for, any particular retail financial product or service that may be available.