When a patient in Germany died in 2020 after ransomware hackers effectively shut down the hospital where doctors wanted to treat her, alarm bells went off throughout the global healthcare community.
The attack was the first documented case that cybercriminals had directly caused someone’s death. But the tragedy was by no means a fluke. Cyberattacks on healthcare providers surged in 2020, driven in part by the astonishing growth in telemedicine in the age of COVID-19, which also led to the growth in the number of hackers looking to exploit that trend for their own gain. For example, global ransomware attacks on the healthcare sector doubled over the course of 2020, according to software provider Check Point.
Hackers have long viewed healthcare organizations as a soft target because of their reliance on legacy systems — and as a rich one because of the informational gold they hold in their vaults. That’s why last year’s huge spike in attacks led healthcare CIOs and CISOs to rethink how they approach IT hygiene and security. One place these leaders are focusing their attention is the danger in work-a-day areas like healthcare automation.
The push to automate healthcare IT
Healthcare organizations have been investing heavily in automation and artificial intelligence (AI) to increase efficiency and reduce costs. These tools can help with surgery, radiology, nursing, administrative workflow, electronic health records, fraud detection and dosage error reduction, with spending expected to reach $6.6 billion in 2021, according to Accenture.
AI is particularly useful in aiding humans in making care smarter and more efficient. For example, healthcare organizations are adopting AI and automation to help providers and staff dispense medication, run ventilators, manage staff levels and deal with insurance company prior authorizations and claim decisions, which can delay and even hinder patients from receiving adequate care.
“By automating and cutting out the pain [of routine prior authorization tasks] for physicians, staff and patients, AI can be much faster to respond to changing payer rules,” says Jody Ranck, a senior analyst and author of a report from Chilmark Research. AI and automation can speed up insurance processes, such as claims adjudication: “It used to take 20 days,” says Ranck. “Now it’s down to milliseconds.”
Automation can save billions of dollars. Accenture estimates that the top three applications providing near-term value are robot-assisted surgery ($40 billion in savings), virtual nursing assistants ($20 billion) and administrative workflow assistance ($18 billion).
It’s little wonder that more than half the healthcare provider CIOs that Gartner surveyed said they expected to invest in AI-powered robotic process automation (RPA) over the next three years, up from 5% in 2020.
The dark side of automation
Healthcare automation, however, comes with security challenges. In a Ponemon Institute survey, 90% of respondents said their healthcare organization had experienced at least one security breach in the previous year. An analysis by SecurityScorecard and DarkOwl of terabytes of data from more than 30,000 healthcare organizations from 2019 to 2020 found increasing vulnerabilities and attacks sharply related to IP address reputation (including malware from phishing attempts), endpoints and security patches.
The dramatic SolarWinds supply chain attacks on major government agencies and organizations have thrown these vulnerabilities into sharp relief. And they have highlighted the value of stolen health data. Each hacked health record can earn up to $1,000 on the dark web, according to the consumer credit reporting company Experian, owing to the highly sensitive data that patient records contain.
Endpoints are a particularly weak link in the security chain. For the Sutter Health network of hospitals and clinics, serving more than 3 million Californians, a key issue was a lack of visibility into the thousands of endpoints on its network. To secure endpoints, IT teams had to manually access devices via loaner computers, disrupting workflow and increasing costs.
AI itself can be insecure because it relies on algorithms trained with huge datasets. Hackers have been known to retrain algorithms to disrupt systems, redirect data their way, or even “poison” data by tricking algorithms into thinking bad code is safe. AI bots are themselves often not secure because their programming combines open-source and custom code that isn’t written by security specialists.
Additional vulnerabilities stem from the systems that algorithms use: Automation tools can be found on any device spread across a connected network that has permissions to access the system, presenting potential entry points for malicious actors. Once they’re inside, the bad guys can make mischief. In one stark example, Ranck of Chilmark Research recalls hackers who used fraudulent radiological images to pay themselves false insurance reimbursements.
Security experts are concerned, including Carlos Perez, who runs the research arm of cybersecurity firm TrustedSec. “The trend that worries me is that healthcare has been cost-cutting and outsourcing their security more and more,” says Perez. “I have not seen healthcare take any actions to address information security in the use of AI.”
The institutional weak points in healthcare’s armor
Highly regulated industries such as healthcare often face a tension between business needs and regulatory compliance. Hospitals regularly run older software versions that may have bugs and vulnerabilities. Upgrading systems can cause companies to run afoul of compliance issues.
“Hospitals have stricter guidelines associated with patching and updating computers and servers because of the systems they support,” says Marc Moring, director of strategic accounts at Tanium. “If they update an operating system, they could potentially bring down a ventilator, an IV or a drug administering system, which could be life-threatening. Hospitals have been guarded about updating and patching, making them extremely vulnerable to attacks.” That is why patch management and configuration management are critical elements of endpoint IT and security strategies.
Organizational structures are also to blame for the weak security profile of healthcare IT. Researchers at Skybox Security found that a critical weakness resulted from siloed cybersecurity teams and operations teams that monitor the infrastructure. “Dismantling these silos needs to happen through iterative change,” the authors noted in their 2020 report. “The teams charged with operating devices need to develop foundational knowledge that can be used to protect these notoriously difficult-to-patch network areas.”
Tanium’s “IT Resilience Gap Study” found several capabilities that help mitigate these risks. Resilient organizations do these things:
- Ensure that their IT security, operations and risk teams work together to simplify and secure the IT environment.
- Source reliable data to make confident decisions and maintain a forward-looking and agile posture in response to constant threats and change.
- Take steps to declutter infrastructure and eliminate the fragmented landscape of endpoint management systems and processes.
- Unify around a common set of actionable data for true visibility and control over all devices on a network.
Ultimately, automation and AI are here to stay. Recent advances are expanding the potential for what healthcare technology can achieve. And they are simultaneously creating added pressures to harden security.
“Three years ago, there was a lot of physician skepticism about AI,” says Ranck. “Now you see so much AI embedded in systems.” He says organizations are at varying stages in their response to emerging threats, “but, increasingly, leaders recognize the need to prepare.”