Cyber criminals are increasingly launching malicious software attacks against health care organizations, including those in Boston, disrupting medical treatment and threatening the vast amounts of private patient information housed at doctors’ offices and hospitals.
And even as health care providers are a growing target for hackers, the health care industry as a whole is lagging in security measures to prevent and respond to attacks, according to cybersecurity experts.
The risk has only increased amid the coronavirus pandemic, with hackers attempting to hamstring hospitals that are already stressed and scrambling to treat surging numbers of patients sick with the virus. In early April, Interpol alerted police forces in 194 countries to the heightened threat of cyber attacks targeting hospitals.
February’s malware attack on Boston Children’s Hospital’s physician network serves as a reminder of the risks for providers and their patients. Computers at the network of 500 health care providers, serving 350,000 patients statewide, were down for days as physicians were forced to do their work on paper.
The rising threat follows a years-long shift in health care from paper charts to software programs. Health care providers rely on electronic health records for everything from billing patients and scheduling appointments to tracking medical histories, allergies, and prescriptions.
Health records also contain dates of birth, addresses, Social Security numbers, and credit card numbers — all valuable information for hackers trying to steal identities.
“Health care is the perfect storm for the bad guys,” said David Finn, executive vice president of strategic innovation at the Austin, Texas, security company CynergisTek. “You have the most valuable data of any sector, and we put it all together.”
Last year, 83 percent of health care organizations reported an increase in cyber attacks — and 66 percent said the attacks were getting more sophisticated, according to a survey by the Waltham cybersecurity firm VMware Carbon Black.
Cybersecurity firms counted 764 health care providers that were hit in 2019 with ransomware — an increasingly common type of malware with which hackers block access to a computer system and demand ransom payments. Because their computer systems are so critical, health care organizations often pay the ransom — once they figure out how to use a digital currency, such as bitcoin — security experts said.
Other malicious attacks include Trojans, which also can disrupt or harm computer networks and critical data.
“Health care, given its issues with data security, is just a big target,” said Rick McElroy, cyber security strategist at VMware Carbon Black.
Cyber attacks often result in the breach of confidential data. Breaches also can occur because of other factors, such as employee error and theft of laptops.
Health care data breaches have been on the rise since 2016, with 572 reported breaches last year — affecting more than 41 million patient records, according to Protenus, an analytics firm in Baltimore.
Officials at the US Department of Health and Human Services are investigating five data breaches at Massachusetts health care providers that occurred in the past year. These include a breach involving about 10,000 people at Massachusetts General Hospital, and another incident that exposed information about nearly 12,000 people at Baystate Health.
Massachusetts hospitals, insurers, and other health care organizations have reported dozens of data breaches to federal officials over the past decade. These include incidents at Blue Cross Blue Shield of Massachusetts, Tufts Health Plan, Beth Israel Deaconess Medical Center, Steward Health Care, UMass Memorial Health Care, and Partners HealthCare, the parent of Mass. General and several other hospitals.
Officials at Boston Children’s Hospital didn’t specify the kind of attack that hit their doctors network, known as the Pediatric Physicians’ Organization at Children’s. They said they hired a security firm to conduct an investigation, which found that the hospital detected and mitigated the attack before attackers could access patient information or act on any other "malicious intentions.”
Attackers often infect a network by tricking employees into clicking on links and attachments in emails that look authentic but are sent for nefarious purposes.
When they access private information, hackers can sell it, use it to blackmail individuals, and commit identity fraud.
Though banks are a favorite target of cyber criminals — “because bad guys go where the money is” — health care organizations are quickly closing the gap, McElroy said.
Meanwhile, health care organizations tend to devote just 3 percent to 4 percent of their IT budgets to security, a fraction of the security spending in such industries as financial services, said Finn, a former chief information officer at Texas Children’s Hospital.
A severe cyber attack can bring health care providers to a standstill, forcing them to turn away patients, and in the case of hospitals, delay surgeries and other urgently needed medical care.
Most of Children’s Hospital’s affiliated physicians did not cancel appointments during the malware attack, which was detected Feb. 10, according to hospital officials. They continued to see patients for sick and well visits, but families were given the option to reschedule. (Since the coronavirus outbreak began in Massachusetts, all health care providers have significantly scaled back routine and non-urgent medical appointments).
Though Children’s Hospital itself was not affected by the attack, hospital officials oversee the electronic health record system used by their affiliated practices. It took them several days to restore the system.
“The practices were on shutdown mode during the outage — so everything was done on paper,” hospital spokeswoman Kristen Dattoli said by email. Employees typed the paper notes into the computer system once it was back online.
Officials at Epic Systems, the Wisconsin company that makes the health records used by Children’s Hospital and its physician network, said they help their customers with security.
"Our customers also learn best practices from one another through events like our annual security forum,” Epic spokeswoman Ashley Gibson said in an email. These include regular patching, anti-virus and anti-malware software, multi-factor authentication, and bringing in outside experts in the event of an attack.
Tod Beardsley, research director at the Boston cybersecurity firm Rapid7, said health care organizations should think about malware attacks as a type of disaster, such as a fire or flood, and develop plans to prevent and recover from such events. This includes keeping as little information as possible on local desktops, and regularly backing up servers.
Beardsley said Children’s Hospital officials appeared to handle at least one aspect of security well: They contained the attack to physician offices and kept it from infecting the hospital network, which could have disrupted critical care for some of the region’s sickest children.
“It’s like when you have a leak on a submarine, you want to be able to close off one part of it,” he said.
Children’s Hospital is no stranger to cyber attacks. Last year, a man was sentenced to prison for orchestrating attacks on the hospital in 2014 to protest the treatment of patient Justina Pelletier.
Pelletier, then a teenager, was removed from her parents’ custody after doctors suspected her parents of medical child abuse. Her family sued Children’s Hospital but lost their case in February, when a jury sided with the hospital.