Monthly Archives: October 2021

The Impact of Ransomware on Healthcare During COVID-19 and Beyond

Larry Ponemon

The purpose of this research is to understand how COVID-19 has impacted how healthcare delivery organizations (HDOs) protect patient care and patient information from increasingly virulent cyberattacks, especially ransomware. Prior to COVID-19, 55 percent of respondents say they were not confident they could mitigate the risks of ransomware. In the age of COVID-19, 61 percent of respondents are not confident or have no confidence.

Sponsored by Censinet, Ponemon Institute surveyed 597 IT and IT security professionals in HDOs. In the context of this research, HDOs are entities that deliver clinical care and rely upon the security of third parties with whom they contract services and products. These include integrated delivery networks, regional health systems, community hospitals, physician groups, and payers. Click here to visit Censinet and download the full report.

Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers. We also analyzed steps that HDOs are taking to protect patient safety, data, and care operations to determine what is working since so many respondents have been victims of more than one ransomware attack.

Ransomware attacks on healthcare organizations can be a life-or-death situation.

The onset of COVID-19 introduced new risk factors to HDOs, including remote work, new systems to support it, staffing challenges, and elevated patient care requirements. There’s been a great deal of media coverage on the rise of cyberattacks such as ransomware both within the healthcare industry and beyond. This research focuses on the healthcare industry to understand the extent to which HDOs are being targeted and ascertain the impact of those attacks. Both are covered in-depth in the key findings section of the report.

Over the last two years, 43 percent of respondents say their HDOs experienced a ransomware attack. Of these, 67 percent say their HDO experienced one attack and 33 percent say they experienced two or more.

These attacks put patient safety, data, and overall care availability at risk. Respondents say ransomware attacks had a significant impact on patient care: longer length of stay (71 percent of respondents), delays in procedures and tests (70 percent), an increase in patient transfers or facility diversions (65 percent), an increase in complications from medical procedures (36 percent), and higher mortality rates (22 percent).

HDOs forecast that the number of contracted third parties will increase by 30 percent over the next 12 months

Driven by cost containment, regulatory directives and the demand for accessible, higher-quality patient care, HDOs have shifted to the digitization and distribution of health information. Moreover, medical devices, whether in patient rooms or labs, rely on network connectivity for operations and maintenance.

Nearly all of the technology components described are not developed by the HDO. These include software, services, and hardware development from organizations known as third parties. This study revealed that the average number of third parties that organizations contract with is 1,950, and this will increase to an average of 2,541 in the next 12 months.

Third-party products and services are a necessary and critical part of the HDO IT blueprint, but each brings another set of risk factors to the table. Some risks are inherent to the third party, such as the security of operating systems and other software in medical devices. Other risks involve how the HDOs deploy and use third parties, including storing protected health information (PHI) on cloud-based systems that weren’t meant to support it. In either case, the risk created by the third party or by the HDO’s use of the third party needs to be managed. The burden is on the HDO to perform assessments throughout its relationship with the third party (e.g., procurement, implementation, usage, updates, and termination).

Third-Party Risk Management is Hard, and COVID-19 Made it Worse

This research also looks at the capabilities and maturity of HDOs to manage third-party risk, both before and during COVID-19. According to only 44 percent of respondents, controls critical to assessing third-party risks are only partially accomplished in HDOs. Only 40 percent of respondents say their organization always completes a risk assessment of its third parties prior to contracting with them. However, 38 percent of respondents state the assessment findings are ignored by leaders.

Re-assessments are another critical part of third-party risk management and are not conducted as often as required. More than half (53 percent) of respondents say re-assessments are conducted only on-demand or on no regular schedule.

Recommendations for Mitigating Ransomware and Third-Party Risks

According to the findings, healthcare organizations are less prepared to deal with third-party risks. Following are recommended steps for HDOs to take to protect patient safety, data, and care operations.

  • Invest in workflow automation, resources, and processes to establish a digital inventory of all third parties and PHI records. An HDO must know the number and location of PHI records that are accessed, transmitted or stored by third-party products or services.
  • Increase overall risk coverage of third parties by leveraging automation to conduct more assessments. The average number of third parties that organizations contract with is expected to increase from 1,950 to 2,541 over the next 12 months. However, only 40 percent of respondents say their organizations always complete a risk assessment prior to engaging with a third party. If their organizations conduct an assessment, only 38 percent of respondents say their leaders always accept their recommendation not to contract with them.
  • Allocate resources and funding to re-assess high-risk third parties. Currently, only an average of 32 percent of critical and high-risk third parties are assessed annually, and only an average of 27 percent of these third parties are re-assessed annually.
  • Increase efforts to secure medical devices. Only 36 percent of respondents say their organizations know where all medical devices are. Only 35 percent of respondents say they know when a medical device vendor’s operating system is end-of-life or out-of-date. Only 29 percent of respondents say they know the non-planned expense of medical device operating system patches.
  • Ensure critical steps for identifying and mitigating third-party risks are in place. Sixty percent of organizations represented in this research had a data breach in the past two years, resulting in an average of 28,505 records containing sensitive and confidential information compromised. According to the research, organizations can only partially evaluate the various threats targeting their assets and IT vulnerabilities. They also lack the capability to continuously monitor vendor risks.
  • Assign risk accountability and ownership to one role. The ability to execute an enterprise-wide risk management strategy is affected by not assigning accountability and ownership to one role.


Fix Facebook now: Let users opt-out of its addictive algorithm

Bob Sullivan

It’s the news feed, stupid. The algorithm.

You’re probably going to read 1,000 things about the recent Facebook whistleblower hearing, so I won’t belabor the discussion. I have just one point I’d like to drive home. But first, I will say I’m sad that, after all this time, journalists from all over give prominent placement to the disinformation published by Facebook about Facebook — The New York Times felt the need to put the firm’s misdirection statement about the hearings in the fourth paragraph of its story about the hearings, showing journalists have learned little about the way both-sides-ism is abused in the information age. I won’t repeat it here, but suffice to say the company just attacked the messenger without disputing any of the messages.

I’d like people to focus on something simple and often overlooked when it comes to the harm Facebook’s apps cause in the world: control of the news feed. Witness Frances Haugen talked quite a bit about Instagram and Facebook’s use of “engagement-based ranking” for items that appear before users. You can’t pick what appears on these apps, not really. Facebook picks. And it picks the most extreme, most manipulative, most addictive content it can place in front of you. All the time.

Facebook has spent billions of dollars hacking you. Researching you. Picking you apart. Finding your weakness. And then feeding it. Like candy bars with too much sugar, or better yet, opioids that ease the pain just enough. Well, nearly enough, but not quite. So, you must come back for more, and more, and more. To one man, it’s angry Trump content. To a young woman, it’s workout videos. Still another gets climate change outrage, or posts about the Latin Mass. Facebook doesn’t care. Like an evil creature from a science-fiction movie, it finds your weakness and exploits it. To feed the ever-hungrier beast inside.

This is “engagement-based ranking,” as Haugen called it. And when we like or share these addictive things, we “give little hits of dopamine” to our friends. Like a nightmare digital drug gang — *shiver*

Users have forever asked for a simpler way. They want control of the news feed, or of the way Instagram picks images to display. Consumers have forever wanted a simple page full of close friends’ posts. Babies, weddings, the occasional professional announcement. This request has been denied over and over by Facebook. In fact, the company has stopped outside firms from creating plugins that would enable just that simple feature. Why? Haugen explained: Engagement would fall. Clicks would drop. Revenue would fall.

Facebook claims the reason is something else: user-directed feeds would be full of spam and other annoying content. That reasoning — Facebook-i-an NewsSpeak — is so bogus I hesitate to repeat it. We all deal with spam, every day. We could handle it on Facebook and Instagram in exchange for ending the tool’s ever-increasing, artificial intelligence-fueled addictive algorithm.

So as Congress and other law enforcement ponder what should happen now, here’s my wish list of one: require Facebook to let users opt out of the algorithm. Or, as Haugen suggested, end Section 230 protections for algorithm-programmed content farms. If they pick the things we see, they should be responsible for them. I’m not saying this would fix every problem. But it sure would fix a lot. And it could happen... immediately.

It’s not that hard to fix. We’ve just failed... so far. Tim Sparapani, another former Facebook employee, told me that last year in my “Original Sin of the Internet” podcast. It’s more true than ever now.