Episode summary: In this episode, we talk to Daniel Nigrin, MD, Senior Vice President and CIO at Boston Children’s Hospital. Daniel and I discuss why hackers have come to prey on the healthcare industry, how these hackers benefit from their illicit activities, and what healthcare IT security precautions can be taken to prevent such attacks.
Dr. Nigrin and I will both be speaking at the Healthcare AI Applications Summit in Boston – on December 11th and 12th, 2017. I appreciate the folks at the summit connecting me directly with Dr. Nigrin, and I hope you’ll enjoy this episode:
Guest: Daniel Nigrin, MD, Senior VP & CIO at Boston Children’s Hospital
Expertise: Healthcare information technology, electronic health record, healthcare management, clinical research, informatics
Brief recognition: Daniel Nigrin, MD is currently the Senior Vice President and Chief Information Officer at Boston Children’s Hospital (BCH). He is also an Assistant Professor at Harvard Medical School and a Pediatric Endocrinologist at BCH. He holds degrees in biophysics and medicine from The Johns Hopkins University and a graduate degree in medical informatics from MIT.
Big Idea:
Hospitals are attractive targets for cybercriminals because they house “immutable” data (data that does not change the way an email address or a credit card number can, such as a date of birth or Social Security number), which is particularly useful for identity theft and healthcare reimbursement fraud.
Healthcare organizations are vulnerable to cybercriminals. Attacks in which digital records were ransacked were recorded at hospitals in Melbourne, Los Angeles and London within a span of three years. The stolen data is sold by cybercriminals in well-organized black markets, where it is bought for purposes such as identity fraud or blackmail.
In 2014, the hacktivist collective Anonymous attacked Boston Children’s Hospital and a number of other healthcare and treatment centers in the area; as Dr. Nigrin describes below, the attack was a denial-of-service campaign rather than a data theft. The high-profile case led to the arrest of a man who admitted to the cyberattack as a protest over a disputed medical diagnosis and custody case involving a teenage patient.
(For readers with an interest in the vendor companies applying AI in healthcare IT security, check out our AI healthcare vendor list.)
Interview Highlights on AI in Healthcare IT Security, with Daniel Nigrin, MD
The following is a condensed version of the full audio interview, which is available in the above links on Emerj’s SoundCloud and iTunes stations.
(1:43) Dan Faggella: What are unique considerations – good or bad – for the healthcare sector for cybersecurity that other sectors might not know about?
Daniel Nigrin: There’s no question that healthcare has evolved over the course of the last several years into a super tantalizing target for hackers who are after data, and that’s largely because healthcare and patient-related data is just more valuable on the black market than common credit card data. The healthcare data that we protect within our systems can be used for all kinds of illicit activities online, and it represents things that are unchanging for people: unlike credit cards, where the number can change periodically, a patient’s date of birth, social security number, etc. are immutable. Because of that, it represents much more compelling data for cyberattackers to go after.
The other really important thing to consider about cybersecurity within healthcare is operational disruption. One of the things that we experienced when we went through the attack by the hacktivist group Anonymous several years ago was that we were very focused on protecting the data that we’ve been entrusted with, but we were also very concerned about operational disruptions. Unlike other businesses and sectors, where an interruption in daily operations might mean financial loss or other operational challenges, for us an operational challenge can potentially put people’s lives on the line. It sort of ups the ante a bit, if you will, and certainly makes the preservation of our infrastructure much more important and makes us that much more focused on ensuring that these cyberattacks don’t disrupt things for us.
(4:09) Is it mostly just the information that won’t change about a person? I’m wondering about two things: first, what are the other things that won’t change about a person that are really valuable? Second, is the other information about health in general of value at all? If someone comes in for lung cancer treatment, does anybody in the black market care?
Daniel Nigrin: Knowing an individual’s personal health information is probably only valuable on a case-by-case basis. There’s an individual out there who, for whatever reason – maybe a celebrity – is in a hospital, and there’s value to getting that data. Then you could envision why protecting it is of utmost importance. But when you’re talking about large troves of data and not just an individual person, the immutable data is important because that represents information that is commonly used for obtaining things like Medicare coverage or other kinds of healthcare benefits. So there are all kinds of Medicare fraud that occur on a regular basis by using illicitly obtained credentials about people. It’s that information that is probably the primary reason the information is valuable on the black market.
(6:31) So one of the primary use cases here is getting medical benefits through fraudulent means and pretending to be someone else, if you will?
Daniel Nigrin: Exactly. There are people who’ve gotten benefits from deceased individuals.
(6:50) Are the people who need Medicare benefits the same tech-savvy people who know how to go on to the secret websites where you purchase this kind of information? I’m finding a rough disconnect culturally between those two potential markets.
Daniel Nigrin: I’m not going to pretend I understand the why, clearly there’s a market out there. And I would imagine that the folks who are behind the illicit activities have identified that market and are happy to fulfill the needs and provide the data. Sometimes it leaves you scratching your head but it’s certainly in demand – that’s for sure.
(8:44) It sounds a little bit befuddling to both of us, but the primary use case, per your understanding here, is folks who are going to fraudulently use this information to get medical benefits, whether medications or treatments; [they’re] going to pretend to be somebody and get this stuff for free.
Daniel Nigrin: Well, it’s the medical benefits themselves or reimbursement for medical care.
(9:15) So that could be a way to reimburse funds from the system. I imagine someone going in for foot surgery and thinking that [what’s] on the black market could make this surgery work.
Daniel Nigrin: It’s the financial benefit that comes with it, fraudsters can receive monetary compensation for treatments, and I imagine that this is what fraudsters are looking for.
(10:08) That makes a lot of sense. You can fraudulently have the benefits and the treatment and claim the check. Anything else that you learned from being a target of this hacktivist group? Were there any other big takeaways from that that stuck in your mind and seemed like an important lesson for healthcare security in general?
Daniel Nigrin: I think, prior to several years ago, many in the healthcare industry found ourselves thinking that we were immune to these kinds of attacks. Why would anyone launch a denial of service attack on a hospital – a pediatric hospital, no less? We thought we were above all that, and obviously that’s not the case at all. With respect to our particular example, it was related to a patient case, a child custody [case] that was in the news and subject to a lot of media attention. The folks behind this attack just decided they didn’t like what they were hearing and chose to attack us as a result. So there are all kinds of reasons that you can envision as to why we might actually end up being the target.
The result for us was a bit of a wake-up call that we certainly are not immune to these things. And now, with the prevalence of the attacks looking for medical data, and with our starting to see things like the ransomware attacks, I think a fire has been lit under every healthcare organization around the world: we absolutely have to pay more attention to and invest more in cybersecurity for our sector.
(12:00) So this hacktivist group was not looking for reimbursement checks but on digging into something that would be a big deal to the media.
Daniel Nigrin: Exactly.
(12:10) There seem to be two major categories of why one would be targeted: there’s the general immutable information that helps people reimburse checks from the government by pretending to be someone else, and there are the individual blackmail-slash-big-media cases that could be used for bribes or to bring down the name of a facility. It sounds to me, based on what you said, that those are the major possible reasons for being targeted as a healthcare facility.
Daniel Nigrin: That’s a fascinating insight. I’m sure the people who work in healthcare would like to know why they would be hacked. What are the major considerations, threats and benefits to these malicious parties? That’s the insight that they would be happy to hear. Next, cybersecurity may be among the most well-adopted applications of artificial intelligence in the enterprise. Artificial intelligence seems to be the way into the future of cybersecurity and can serve without a doubt. And my estimation is that it’s the same in healthcare.
(13:43) We’ve covered a lot of AI security applications here at Emerj – but your experience in healthcare is unique. What are some unique considerations of artificial intelligence and cybersecurity for the healthcare sector?
Daniel Nigrin: First of all, you’re completely right that artificial intelligence is starting to play a more prominent role with respect to cybersecurity and the tools that we use to protect ourselves. In the past, simple things like e-mail filters and desktop anti-virus were sufficient. But that’s certainly not the case anymore. And so what you’re finding now is that a variety of tools are available on the market to protect oneself. [We can] use artificial intelligence to model patterns and to look at connectivity patterns and so on, to be able to detect anomalous patterns. So when that connection comes from across the country, unexpectedly looking for data or trying to access our electronic health record, that’s a warning flag. By using artificial intelligence, you can detect that.
Or, in an even more localized example, why are 500 different doctors and nurses all of a sudden accessing a single patient’s record that is available in our electronic health records system? You can envision, again, that having a celebrity or a well-known figure in your hospital might prompt a behavior like that, which is obviously not allowed. So AI-based [tools] are being considered to detect those kinds of anomalous behaviors and alert us to them. We’re definitely starting to see the tools evolve and improve using these sorts of technologies.
(16:48) Are there some changes that you see as inevitable to keep things locked down and to ensure that hospitals keep as much of their information from malicious hands as possible?
Daniel Nigrin: Well, I think it’s simply a continuation of the many things that we talked about already. It’s clear that healthcare has become, and will likely continue to be, one of the prime targets for these attacks, either for obtaining medical data on people or to disrupt operational activities for whatever reason, such as a personal attack on a hospital or to elicit money. Regardless, we have to be wary of these attacks on our operations as well as those that are after the data. So because of that, we need to continue to do our utmost to stay on top of them and to protect ourselves from them. And as I mentioned, I think the AI-based element of the tools is going to become increasingly important in providing us with the tools that we need in order to stay ahead of them.
Because the attacks change constantly, if we continue to use the approach [we used] in the past of being reactive and only addressing attacks once we have seen them, then we’re always going to be one step behind the bad guys. So I think [by] using AI we can do a better job at being more prospective and staying one step ahead, starting to be able to detect that anomalous behavior or activity as it’s happening and to clamp down and shut down those attacks before they become a problem. I think that’s the general evolution that I’m seeing, and that we’ll hopefully continue to see over the course of the next few years as the tools get better and better.
(18:50) For most hospitals, this might involve expertise that’s outside their present domain. There are ways to get ripped off by vendors, and there are probably ways to work the right way. Any thoughts on that?
Daniel Nigrin: I will say again, as I mentioned before within healthcare, we were a little bit behind the rest of the world for a variety of reasons. But the bottom line is that we just had not paid as close attention to cybersecurity as we needed to. We’re definitely in a bit of a catch-up mode, and we are looking at other industries to see what they’ve done to protect themselves and lessons learned there. So for sure, personally, I’m eager to go outside my healthcare world [and learn from] third parties and other verticals to see how they have addressed the problem.
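The two access-pattern checks Dr. Nigrin sketches in the interview (a single patient’s chart suddenly opened by a crowd of staff, and a connection from an unexpected place) can be written down without any machine learning. The script below is an added example by the editor of this page, not code from Boston Children’s Hospital or from Emerj; it runs the two checks over a few constructed EHR access-audit records embedded in the script. The record layout (timestamp, user, role, patient, source IP), the thresholds (5 distinct users within 30 minutes) and the “trusted” address ranges are all assumptions for illustration.

```python
"""Two access-anomaly checks over EHR audit records (added example, not the
hospital's own tooling). Field layout, thresholds and networks are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed hospital address space; RFC 1918 ranges stand in for the real one.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed audit records: timestamp,user,role,patient,source IP.
# P-5001 is opened by six different people in eleven minutes; the P-5003
# access comes from an address outside the trusted ranges.
AUDIT_LOG = """\
2017-11-02T08:01:10,u1021,nurse,P-5001,10.2.4.17
2017-11-02T08:03:42,u1088,physician,P-5001,10.2.4.31
2017-11-02T08:05:05,u1102,nurse,P-5001,10.2.5.8
2017-11-02T08:07:19,u1190,clerk,P-5001,192.168.12.4
2017-11-02T08:09:57,u1234,nurse,P-5001,10.2.4.17
2017-11-02T08:12:33,u1301,physician,P-5001,10.3.1.9
2017-11-02T08:02:00,u1021,nurse,P-5002,10.2.4.17
2017-11-02T09:15:00,u1088,physician,P-5002,10.2.4.31
2017-11-02T14:40:00,u1102,nurse,P-5003,203.0.113.45
2017-11-02T15:10:00,u1088,physician,P-5001,10.2.4.31
"""


def parse_log(text):
    """Parse the CSV-style audit lines into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, src = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient,
                        "src": ip_address(src)})
    return records


def chart_access_bursts(records, window=timedelta(minutes=30), min_users=5):
    """Return {patient: peak distinct-user count} for charts opened by at least
    `min_users` different users inside any `window`-long span. This is the
    "500 doctors and nurses on one record" pattern from the interview."""
    by_patient = defaultdict(list)
    for r in records:
        by_patient[r["patient"]].append(r)
    flagged = {}
    for patient, rs in by_patient.items():
        rs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rs)):
            # Slide the window start forward until it fits within `window`.
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1
            users = {r["user"] for r in rs[start:end + 1]}
            if len(users) >= min_users:
                flagged[patient] = max(flagged.get(patient, 0), len(users))
    return flagged


def untrusted_source_access(records, trusted=TRUSTED_NETWORKS):
    """Return (user, patient, source) for accesses from outside the trusted
    networks: the "connection from across the country" warning flag."""
    return [(r["user"], r["patient"], str(r["src"]))
            for r in records
            if not any(r["src"] in net for net in trusted)]


def run_checks(text=AUDIT_LOG):
    """Run both checks and return their findings together."""
    records = parse_log(text)
    return {"bursts": chart_access_bursts(records),
            "untrusted": untrusted_source_access(records)}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

The fixed threshold is the weak point of this version: a trauma patient legitimately pulls in a large care team, so a real deployment tunes the limit per unit or, as the AI-based tools Dr. Nigrin describes do, learns a per-patient and per-role baseline and alerts on deviation from it rather than on an absolute count. The source-network check likewise needs the organization’s actual VPN and clinic ranges, not the placeholder ranges assumed here.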
Header image credit: Peak 10