Marianne McGee: Hi, I'm Marianne Kolbasuk McGee with Information Security Media Group. Since 2009, hacking incidents and other health data breaches have compromised the protected health information of 370 million individuals. That's more than the total U.S. population. Many security experts say that 2022 is yet another banner year for cybercriminals.

Taylor Lehman: The intersection of human safety in the provider role makes healthcare providers essentially have a bigger target.

Marianne McGee: In fact, the volume and frequency of breaches have nearly doubled over the last three years, from 368 in 2018 to 715 in 2021. And we're on track for at least another 700 incidents this year.

Dave Summitt: Right now it's being driven more by world events and the economic times that we're in. You know, obviously, it's lucrative for threat actors to be making money off of the lowest-hanging fruit. And there, for a while, healthcare was kind of getting out of that lowest-hanging fruit arena, but I'm afraid we're kind of sliding back into it.

Marianne McGee: Hacking, ransomware and extortion attacks continue to disrupt healthcare operations. In October, a ransomware attack against the fourth-largest hospital system in the U.S., CommonSpirit Health, knocked out patient portals and other IT systems for some of its 142 hospitals. In the midst of that attack, three-year-old Jay Parsi of Des Moines, Iowa, visited the emergency room of CommonSpirit's MercyOne Medical Center for complications from a recent tonsillectomy. According to his mother, hospital workers told her that in the confusion with systems being down, they accidentally prescribed little Jay a "mega dose" of painkillers, five times the recommended dosage of codeine.

Kelley Parsi: My heart stopped when they first came in to talk to me, and then I'm just sitting there staring at him, like looking for a reaction, waiting for him to act differently. And I didn't dare leave. I could, I didn't want to leave. I didn't want them to give him anything. I just wanted to make sure that he was still responding. It was caused because it was written incorrectly or deciphered incorrectly from what was written. Somebody had written it to the internal pharmacy and the pharmacy had somehow - either the pharmacy messed up, is what I'm thinking. But it was caused because the computer system was down.

Marianne McGee: Doctors flushed Jay with IV fluids and kept him under observation, releasing him that night. Parsi says her son fully recovered, but her ER experience provides a glimpse into the havoc that ransomware wreaks on the delivery of care.

Kelley Parsi: Upstairs, we had met with a different pediatrician and he sat down with us. And he just pulled out a couple pieces of paper and was writing down all of the same information that we had given because they didn't have any records. They didn't have records of Jay's pediatrician. They didn't have records of his surgeon. They didn't have anything. The other thing that they kept trying to do was give him ibuprofen, which our surgeon had told us he couldn't have, because he had had a tonsil surgery and that thins your blood and would make the bleeding more severe. And so I kept explaining to them "no ibuprofen, no ibuprofen," but they kept trying to give it to him. They asked me like three times. The other thing they did was ask me his weight; they kept asking me his weight, which they had weighed him. And then they were trying to convert it from kilograms to pounds or pounds to kilograms. They were having a real hard time with that conversion, which I didn't quite understand, why they were having a hard time with that. Like I told my husband, "we have to get out of here. They're going to kill him."

Marianne McGee: Some of the hospital's IT systems were affected for more than a month. MercyOne declined interview requests from ISMG but released a video that appears to minimize the impact on services.

Dr. Jessica Zuzga-Reed: I would say that it's not impacted patient care. I think it's just in the way we go about it. Everybody's being taken care of exactly the same way in which their medical care is concerned. But I think the way in which we work as a team in conveying whether it's medications or lab tests or other things, it's just the way in which we've communicated amongst ourselves that has changed.

Marianne McGee: CommonSpirit has plenty of company with its ransomware incident. More than 5,000 breaches have been reported since the Department of Health and Human Services Office for Civil Rights began tracking major HIPAA incidents in 2009. Each breach, on average, affects the personal information of about 77,000 people. But big breaches happen every day. So far, in 2022, four breaches account for the exposure of nearly 9 million patient records. That includes the largest breach so far this year, reported by a printing and mailing services vendor, OneTouchPoint. Others include breaches reported by Baptist Medical Center in Texas, North Broward Hospital District in Florida and a third-party medical debt collector, Professional Finance Company. That breach affected 1.9 million patients and had a ripple effect on 657 healthcare providers across the country. More than two-thirds of breaches occur at medical providers, such as hospitals and physician practices. But the fastest growing source of breaches comes through business associates, such as debt collectors, medical records vendors and even law firms.

Mike Hamilton: The criminal elements seem to be going down market to smaller organizations, which makes sense because they don't have the kind of resources that can help them meet regulatory requirements and have the appropriate controls in place. But they're also really starting to focus on third parties, so not necessarily covered entities in the health sector writ large like hospitals, but other organizations that maybe handle payments and collections for the health sector. And because they have records from 30 plus hospitals, and so it's a one-stop shop.

Marianne McGee: Ransomware and hacking incidents can cost victims huge sums of money through fines, loss of revenue, recovery costs and litigation. The federal agency charged with enforcing HIPAA compliance, the Department of Health and Human Services Office for Civil Rights, has levied more than $66 million in fines since 2017, for an average of $2.7 million per violation.

Nicholas Heesters: Quite a bit can be laid at the feet of poor security controls, cyber hygiene and particularly, things like having accurate and thorough risk analysis, which really goes to the heart of - I think everything that OCR has said - it continues to say - talks about the risk analysis, risk management process being foundational, not only for compliance but also to protecting ePHI. And it really goes toward, you know, understanding where your ePHI is.

Marianne McGee: The fines make up only part of the cost of a health data breach. Last year, for example, San Diego-based Scripps Health incurred a $112 billion cost in the first month after a ransomware attack, including nearly $92 million in lost revenue. The hospital paid another $21 million in incident response and recovery costs. On top of that, Scripps Health was hit with at least four class action lawsuits within the first few weeks after the attack, related to the breach of personal information for nearly 150,000 patients. These lawsuits can result in millions of dollars in settlement costs and legal fees.

Jeff Westerman: You have Social Security, driver's license, medical data and the like. And those are the most serious. And, in fact, California has a statute that allows for $1,000 minimum payment to a victim if their medical information is implicated. So the state of California takes it seriously.

Marianne McGee: In one high-profile case, a 2015 breach at UCLA Health that impacted 4.5 million patients, the university had to pay up to $7.5 million in a class action settlement in 2019. The university agreed to set up a $2 million fund to pay patients for damages related to the release of information, plus pay for credit monitoring for two years. Nearly half of the settlement, $3.4 million, went to pay attorneys' fees for several class action law firms. The UCLA settlement was one of the first to require that an organization's IT department invest in new security controls.

Jeff Westerman: We wanted to make sure that they were doing some things over and above what they were already doing. Based on the internal reporting, we saw about what was going on there. I think the other thing is, the second factor is, that I think the entities resist being told what to do. I think their IT departments think they want to operate without oversight. And that's just the natural state of human affairs.

Marianne McGee: Because of the high cost of cybercrime, many healthcare entities are turning to cyber insurance. However, insurance only goes so far. For example, in the Scripps Health breach, cyber insurance paid only $21 million of the $112 million in losses. Many policies only pay for the actual costs of response and recovery, leaving organizations to foot the bill for lost revenue, fines and litigation. Looking ahead, experts say large breaches of patient information will become more rare. But the number of attacks against smaller organizations will climb.

Mike Hamilton: So I think those numbers are all going to tick up. I think there's going to be a continued emphasis on third parties just because, you know, for the efficiency of the criminal corporation, it just makes too much sense. So it's all about third parties. It's all about smaller clinics, it's all about rural jurisdictions.

Marianne McGee: And as traditional threat vectors are closed, attackers are likely to find new ways to scam healthcare entities.

Dave Summitt: Okay, so it's more in the area of AI and deep fakes. I think it's that, as technology increases even more, we're going to see much more of that increase. The ability to take someone's voice and make a phone call and get something done is a scary thing that can happen. Everything that is in security should always be around that potential. What can happen to the patient, when you're doing the security of healthcare? You have to think that way. You know, we're not sitting here protecting the server, because now it's going to cause a lot of people a lot of problems to go and repair it or it's going to cost the organization downtime and funding to fix what's going to happen to the patient care if that server goes down. And that has to be first and foremost in any security team's mind.

Marianne McGee: And the impact on patients like Jay Parsi and his mother can be terrifying.

Kelley Parsi: I'm confused on why people are targeting hospitals, and, you know, potentially trying to, accidentally or maybe even intentionally, kill people, because of these medication errors or just any error. It's a very scary thing. And I know for them, they were probably scared and trying to figure out how to navigate and trying to communicate, but maybe just working together. I'm sure it was really hard. It was really busy in there in the dark.

Marianne McGee: One thing's for sure. Healthcare will continue to face attacks. But how the industry responds can be the difference between millions of dollars in losses and the safety and health of millions of patients. For ISMG, I'm Marianne Kolbasuk McGee. Thank you for watching.