There is a saying in the international community that data is like oil – an immensely valuable asset, once you learn how to extract and use it to support yourself.
In the first week of my Security Implications of Artificial Intelligence class, my professor stated that he disagreed with that metaphor. His opinion was that data today is more like seawater – it practically surrounds us, but unless you take it through extensive purification processes, it is not potable and, as a result, not useful for consumption.
The healthcare sector has long been hard hit by data breaches. In the wake of the coronavirus pandemic, healthcare organizations are more at risk than ever before of malicious actors using the crisis to their advantage and conducting more cybercrime and ransomware attacks. As hospitals have filled up with coronavirus patients, they have collected Protected Health Information, or PHI, from these patients. According to the HIPAA Journal, PHI is health data that is created, received, and/or transmitted by HIPAA-covered entities in order to provide healthcare services, including operations and payment. This information includes all identifiable health information, demographic information, medical histories, insurance information, and other private information that can be used to identify patients or provide healthcare services and coverage. Cybercriminals make this data usable to them (i.e. “purifying” it, to put it in terms of the metaphor) by pulling out the most relevant parts of a person’s PHI and selling it on the black market for a high price. PHI is often sold at a significantly higher price than Personally Identifiable Information (PII) because medical records and data cannot be changed, even after they have been compromised.
Truth be told, I have done some of this research before. This past semester, I participated in writing a group paper on the impact of data breaches across various sectors of the U.S. economy for my Data Analytics class, and the sector I focused on was the healthcare sector. When I first started researching this essay back in January of this year, I had no idea how pertinent this issue would become.
According to a study by Spence, Bhardwaj, Paul, and Coustasse, hospitals and medical facilities are a frequent target of hackers and ransomware groups for two reasons:
- Hospitals and medical facilities store sensitive patient information (i.e. PHI), and depend on electronic systems to store this information.
- Hospitals and medical facilities frequently use outdated technology and often lack a solid IT support team, which is tied to healthcare organizations having shockingly low IT budgets that haven’t changed for years. As a result, sensitive patient information is poorly protected.
Let’s break this down. Imagine a scenario where a person has tested positive for the coronavirus and is eventually hospitalized for the disease. The hospital collects the patient’s PHI and stores it in its online medical records system. Below is a scenario of what the hospital could face:
A hospital employee clicks on what he thinks is a legitimate email, and downloads a Word document that was attached to it. Unbeknownst to the employee, this email is the opening move of a ransomware attack created by a cybercrime group. The Word document contains macros that carry malware, which is downloaded onto the system and infects the computer within minutes. From there it rapidly spreads to the rest of the hospital’s network. The malware encrypts the computer’s hard drive, files, and cloud storage. An electronic key is created and held by the hackers, who then issue a threat to the hospital demanding that a ransom be paid before the files will be decrypted. The impact of this ransomware attack on the hospital is devastating. The hospital’s network goes offline, which means employees cannot do necessary lab work and documentation. Additionally, staffers lose access to patient data, meaning they cannot treat their patients. As a result, the hospital staff resort to using paper records, and are forced to move some of their patients, including the patient who has just been admitted with a serious case of coronavirus, to nearby hospitals. In the time of the coronavirus pandemic, these moves are risky and costly. In a situation where nearby hospitals are at overcapacity, moving these patients might even be impossible. On top of the operational damage the hospital is facing, it also now faces public backlash for not keeping these records safe, resulting in loss of business and consumer trust, as well as an increased risk of litigation.
It is not just the hospital that could be significantly harmed – the patient could as well, through the theft of their medical information from the hospital database. Imagine this scenario:
A hacker is able to gain access to a series of emails that contain PHI and other confidential information, including the PHI of the recently hospitalized coronavirus patient, and forwards them to an external email account outside of the hospital’s network. The hacker now has access to the patient’s Social Security Number, insurance information, medical records, and other confidential information. The hacker could take several actions with this information:
- The hacker could sell the patient’s PHI on the black market for a high price. As mentioned above, stolen PHI is worth much more than PII, which is why it is more lucrative to cybercriminals.
- The hacker could use the stolen health information to make false insurance claims, at the patient’s expense.
These scenarios are certainly possible and, in fact, have already occurred before. The first scenario was adapted from the infamous Hollywood Presbyterian Medical Center hack from 2016, which you can read about here. The second scenario is adapted from the Aspire Health phishing attack case from 2018, which you can read about here.
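Both scenarios leave traces that a hospital's mail gateway can be made to surface: an inbound message from outside carrying a macro-enabled Office attachment (the first scenario), and outbound mail to an external mailbox whose text carries PHI markers such as a Social Security Number (the second). The script below is an added example, not part of the original post or of any real product; its log format, the `hospital.example` and `freemail.example` domains, and the sample log lines are all constructed for illustration, and the rules are deliberately simple.

```python
"""
Triage of constructed mail-gateway events for the two scenarios in the post:
(1) an inbound message from outside carrying a macro-enabled Office attachment,
(2) an outbound message to an external mailbox whose text carries PHI markers.
The pipe-delimited log layout, domain names and rules are assumptions made for
this example; they do not reflect any specific gateway product or hospital.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "hospital.example"                      # assumed internal mail domain
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm"}   # macro-enabled Office file types

# Constructed sample log: direction|sender|recipient|subject|attachment|body_excerpt
SAMPLE_LOG = """\
in|vendor@supplier.example|nurse1@hospital.example|Invoice 4471|invoice_4471.docm|Please enable content to view
in|labs@partner.example|dr.lee@hospital.example|Lab results|results.pdf|Attached results for ward 3
out|billing@hospital.example|archive@freemail.example|FW: admission packet|packet.pdf|Patient SSN 123-45-6789, policy ABC-9981
out|dr.lee@hospital.example|dr.kim@hospital.example|consult|-|MRN 00412 discussed, no attachment
out|frontdesk@hospital.example|me@freemail.example|FW: schedules|-|Shift roster for next week
"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                            # US SSN shape
PHI_HINTS = re.compile(r"\b(MRN|SSN|policy|diagnosis|patient)\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    sender: str
    recipient: str
    detail: str


def domain_of(addr):
    """Lower-cased domain part of an address; used to tell internal from external."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_log(text):
    """Split pipe-delimited gateway lines into event dicts (constructed format)."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split("|", 5)
        if len(fields) != 6:
            continue  # skip malformed lines instead of aborting the whole run
        direction, sender, recipient, subject, attachment, body = fields
        events.append({
            "direction": direction,
            "sender": sender,
            "recipient": recipient,
            "subject": subject,
            "attachment": None if attachment == "-" else attachment,
            "body": body,
        })
    return events


def macro_attachment_alerts(events):
    """Scenario 1: inbound mail from an external sender with a macro-enabled Office file."""
    alerts = []
    for ev in events:
        att = ev["attachment"]
        if ev["direction"] != "in" or att is None:
            continue
        ext = ("." + att.rsplit(".", 1)[-1].lower()) if "." in att else ""
        if ext in MACRO_EXTENSIONS and domain_of(ev["sender"]) != INTERNAL_DOMAIN:
            alerts.append(Alert("macro-attachment", ev["sender"], ev["recipient"], att))
    return alerts


def external_phi_alerts(events):
    """Scenario 2: outbound mail to an external mailbox whose text carries PHI markers."""
    alerts = []
    for ev in events:
        if ev["direction"] != "out" or domain_of(ev["recipient"]) == INTERNAL_DOMAIN:
            continue
        text = ev["subject"] + " " + ev["body"]
        ssn_hits = SSN_RE.findall(text)
        if ssn_hits or PHI_HINTS.search(text):
            detail = "SSN pattern present" if ssn_hits else "PHI keyword present"
            alerts.append(Alert("external-phi-exfil", ev["sender"], ev["recipient"], detail))
    return alerts


def triage(text):
    """Run both rules over a log and return the alerts in log order per rule."""
    events = parse_log(text)
    return macro_attachment_alerts(events) + external_phi_alerts(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert.rule}: {alert.sender} -> {alert.recipient} ({alert.detail})")
```

Run against the constructed log, the script raises two alerts: the `.docm` invoice from `supplier.example` and the admission packet forwarded to `freemail.example` with an SSN in the body. The internal consult and the forwarded shift roster are left alone, which is the point of the external-domain and PHI-marker conditions: a rule that fired on every outbound forward would bury the one that matters.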
Data breaches have affected the healthcare sector more than any other sector for the past nine years running. A Ponemon Institute report sponsored by IBM from last year stated the average cost of a single data breach in a healthcare organization in 2018 was almost $6.5 million – over 60% more than any other industry in the study. Furthermore, a survey from Black Book Market Research stated that healthcare data breaches would cost the healthcare industry $4 billion by the end of 2019, and further predicted that 2020 would be even worse.
With the current health crisis, I would not be surprised if that prediction proved true. Cybercriminals are already taking advantage of the fact that the healthcare sector is taking a beating from this pandemic. A GCN article from April of this year outlined a situation from March 2020 where the Champaign-Urbana Public Health District in Illinois was hit by a cybercriminal attack that took its computer network hostage for several days. Treating patients and discovering a vaccine for this horrible disease is important, but hospitals and healthcare providers cannot let this issue fall by the wayside in the midst of this pandemic.
There are serious questions that I believe are critical for the healthcare sector to address:
- What needs to be done to protect the healthcare sector from cybercrime – in both the short term and the long term?
- Which actors will be critical to implementing necessary reforms for the healthcare sector?
- Who will take the lead on this issue – the federal government, private technology/cybersecurity companies, or the healthcare industry itself?