Healthcare is one of the largest economic drivers in Scottsdale, employing approximately 34,000 people at companies in the city that range from industry behemoths like HonorHealth to bioscience startups incubated at ASU’s SkySong Center.
And the industry is growing in the city.
Three of Scottsdale’s top five largest employers – Mayo Clinic, HonorHealth and CVS Health – are in healthcare, and healthcare jobs are growing here at twice the rate of the national average, according to numbers cited by the city at its sixth annual Cure Corridor celebration earlier this month.
“The Cure Corridor is much more than a geographic location,” Scottsdale Mayor Jim Lane said. “It’s a place for clinical trials, patient care deliveries, cutting-edge research and manufacturing of life-saving pharmaceuticals, all leading to improving patient care and future cures.”
The event celebrated the industry’s impact on Scottsdale – but also carried an ominous warning about the threat posed to healthcare companies and their patients if cybersecurity issues go unchecked.
Keynote speaker Stephanie Domas spoke about the real threat hackers pose to patients and the security of their personal information.
Domas is vice president of research and development at MedSec, a cybersecurity research company that works exclusively within the healthcare industry.
Domas said hospitals are a frequent target for hackers looking to access and steal valuable medical data.
She cited a report by London-based insurer Beazley showing that the healthcare industry accounted for 37 percent of all ransomware data breaches in the third quarter of 2018, making it the most targeted industry referenced in the report.
Ransomware refers to malicious software that locks and encrypts files, such as medical records, unless a computer or network’s owner, such as a hospital, pays a ransom.
Domas said it is no surprise that hackers are going after medical records.
While stolen credit cards are easily cancelled and worth approximately $2 apiece on the black market, stolen medical records can net a criminal between $10 and $20 each on the dark web due to the treasure trove of valuable information they contain, including social security numbers and insurance information, Domas said.
Domas said that much of the information in medical records could be used to fraudulently fill out a mortgage application online.
She said actual medical documents, such as x-rays, are also valuable to individuals who require a clean bill of health to qualify to immigrate or travel to other countries.
The threat is real for Scottsdale companies, which range from major hospital chains like HonorHealth and Mayo Clinic to device manufacturers.
Domas said ransomware and email phishing are common attacks used to infiltrate healthcare systems.
Email phishing attacks involve criminals sending fraudulent emails that appear to come from a legitimate source in order to trick victims into opening malicious software or providing sensitive data like passwords.
While the threat of ransomware and email phishing attacks is very real, Domas said they are not her primary concern because the larger cybersecurity community has developed best practices to help users avoid falling victim to them.
One threat unique to the healthcare industry, she said, is that posed by medical devices.
Domas cited a study of 60 hospitals in 2017 in which high-profile devices like imaging machines and x-rays were outfitted with monitoring tools. The study showed that those devices were targeted by hackers in every single hospital that took part in the study.
Synopsys, a California-based cybersecurity company, conducted a study in 2017 that found that “56 percent of healthcare delivery organizations (HDOs) believe an attack on a medical device built or in use by their organizations is likely to occur over the next 12 months.”
Domas said that medical devices make up 15 to 20 percent of internet-connected things in a hospital.
“So that means if you looked at all of the Internet-connected things in that healthcare system – all of their billing systems, their patient intake systems or HR systems or electronic health record servers – 15 to 20 percent of the things on a hospital network are actually medical devices,” Domas said.
She added that the number is only going to grow. Past projections predicted that 25 percent of new devices purchased by hospitals would be connected to the internet, but she said many hospitals are revising that figure up to closer to 40 percent.
While newer devices are coming online that were built with these threats in mind, vulnerabilities remain.
These devices are vulnerable for a variety of reasons, including the age of the device and the way traditional cybersecurity tools interact, or don’t, with the device’s medical use.
Domas said that many medical devices in hospitals have been in use for a decade or more and while they still function properly, they were not designed to stand up to modern cybersecurity risks.
“(Legacy devices) were designed to last a really long time and serve their clinical purpose,” Domas said. “The problem is that when they were designed cybersecurity was not front of mind.”
She also said modern security tools are too aggressive and could interfere with their medical use. Older medical devices were not designed to work with the tests or scans used by modern tools.
“It’s been proven several times that if those scans happen on med devices, particularly older ones, they can shut down, they’ll reboot, they’ll start behaving and radically in a clinical setting, and that’s simply not okay,” Domas said.
So, how do healthcare companies protect patients against this very real cyber threat?
Domas said she encourages greater collaboration between the IT and cybersecurity staff at a healthcare company and the engineers and technicians who operate devices.
She said that too often the people setting up the device for its medical use do not know how to set up the cybersecurity features.
“If you don’t have people who understand clinical workflows and cybersecurity at the same time, you’re still not going to get devices that are set up with security settings turned on … you buy fancy tools that are meant for cybersecurity, but you still have to have somebody who can look at the data coming out of that and understand how you react to that,” Domas said.
She also said companies must diligently work to make new devices more secure.
The Synopsys study found that “Only 51 percent of device makers and 44 percent of (healthcare delivery organizations) follow current FDA guidance to mitigate or reduce inherent security risks in medical devices.”