Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breached three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.
Guest post by Craig Musgrave, senior vice president, information technology, The Doctors Company.
Healthcare entities remain the top target for cyber criminals. Not only do over 50 percent of all cyberattacks occur in the healthcare industry, but there have been 4,000 daily ransomware attacks—focused mostly on healthcare entities—since early 2016, a 300 percent increase over the 1,000 daily attacks in 2015.[i]
All types of organizations must take steps to ensure they are protected. The following are six questions you should ask your IT department to evaluate your cybersecurity readiness, and some answers to these perplexing problems most industries face today.
Does our organization use a security framework?
The National Institute of Standards and Technology Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to ensure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.
What are the top risks I should worry about?
Human interaction: Over 80 percent of attacks are made possible by human error or human involvement, such as downloading malicious files, clicking on malicious links, or plugging unknown USB devices into computer systems. You need to provide security training for all employees and maintain constant employee awareness of the risks. There should also be a significant investment in security solutions that can help limit the damage if an employee action leads to an attack.
Technology vulnerabilities: Vulnerabilities in your defenses may be known—or newly discovered when an attack happens. Invest in tools that scan for hardware and software vulnerabilities and invest in IT staff to constantly update and patch software.
External intruders: Addressing non-stop attempts to access your network through unsecured or vulnerable access points involves investing in technologies and strategies like multi-factor authentication, advanced firewalls, web application firewalls, external monitoring, and penetration tests.
Data loss: Protected health information (PHI) could be lost through an unapproved employee data transfer. Invest in tools that encrypt data-in-transit and educate employees on proper data transfer procedures.
Delayed detection: This is the inability to detect an intrusion due to an unknown vulnerability, misconfigured technology, or employee error. Invest in constant IT training on event management, security threat detection, incident response, and technology configuration. Execute threat simulations (penetration tests) and do a continual review of system configurations.
Attacks through privileged accounts: Hackers try to gain access to privileged accounts—such as domain admin, database admin, or external vendors—to reach secure areas within computer networks. For example, the major Target hack occurred when an employee of Target’s third-party HVAC vendor responded to a spear phishing e-mail. Privileged Account Management systems enable one-use passwords for elevated accounts.
Guest post by Justin Sotomayor, pharmacy informatics director, CompleteRx.
The field of health informatics has grown exponentially over the past 50 years. From Robert Ledley’s work paving the way for the use of electronic digital computers in biology and medicine in the 1950s, to the founding of the American Medical Informatics Association in the 1990s, to the launch of the Medicare/Medicaid Electronic Health Record Incentive Program in the 2000s, it continues to mark new milestones at an astounding pace, presenting both challenges and opportunities for the healthcare industry.
Three trends in particular will have a marked impact on patients and practitioners, and are certain to define health informatics in the near future, if not for years to come.
The end of Meaningful Use
In 2009, with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, came the launch of the Meaningful Use program – and the related requirement that healthcare providers show “meaningful use” of a certified EHR to qualify for incentive payments. With both Stage 1 (adoption) and Stage 2 (coordination of care and exchange of information) behind them, hospitals are fully responsible for Stage 3 (improved outcomes) by 2018. While, undoubtedly, the program has improved EHR adoption – in many cases, streamlining and enhancing patient care – it has been widely criticized. In a 2015 news release, the American Medical Association regarded Stage 2 as a “widespread failure,” suggesting it monopolized staff attention without commensurate benefit to patients, and hampered innovation.
Most recently, following highly-publicized remarks in January by CMS Acting Administrator Andy Slavitt that Meaningful Use would be replaced, the U.S. Department of Health and Human Services has proposed transitioning Meaningful Use for Medicare physicians to the “Advancing Care Information (ACI)” program under the Medicare Access and CHIP Reauthorization Act (MACRA). According to Mr. Slavitt, this program is designed to be “far simpler, less burdensome, and more flexible,” primarily by loosening the requirements to qualify for extra payments, and incentivizing providers based on treatment merit, known as Merit-based Incentive Payment System (MIPS). While this update doesn’t yet affect hospitals or Medicaid providers, and these groups should continue to prepare for full Meaningful Use implementation, it’s an indication that industry concerns over meaningful use are being heard and responded to, and that additional changes may be forthcoming.
Guest post by Mike Baker, founder and principal, Mosaic451.
Over the past couple of months, hospitals and other healthcare facilities have come under siege by cyber-criminals. However, the hackers aren’t after patient data; they never even access it. Instead, they are infecting computers with ransomware, a type of malware that locks down a system and prevents the owner from accessing their data until they pay a ransom, usually in Bitcoin. Among the high-profile attacks that have made headlines:
In February, Hollywood Presbyterian Medical Center in Los Angeles fell victim to the Locky virus, which disabled the organization’s computers and kept employees from accessing patients’ electronic health records (EHRs). Access was restored a week later, after the hospital paid a $17,000.00 Bitcoin ransom to the hackers.
Shortly afterward, Methodist Hospital in Henderson, Kentucky, also fell victim to Locky and was forced to declare an internal “state of emergency.” However, instead of paying the ransom, the hospital reported that it was able to restore its data from backups.
In late March, Maryland/DC-based MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics, was hit by an undisclosed ransomware virus that forced the organization to revert to paper records. Like Methodist Hospital, MedStar did not pay the ransom and restored its system using backups.
Although any organization can fall prey to ransomware, lately healthcare facilities have been the primary targets. Some experts feel the problem has reached crisis levels – and hackers are only getting started.
Why Ransomware Attacks are on the Rise
Ransomware is growing in popularity because it is far more lucrative than more traditional cyberattacks where hackers access and steal data. Once the data is stolen, the hacker must find a buyer. Then, the hacker has to negotiate a price. Conversely, in a ransomware attack, the hacker has a built-in “buyer” — the owner of the data, who is not in a position to negotiate on price.
Ransomware is also a simpler and quicker mode of attack than a data breach. Once a hacker has breached a system, downloading a large data set can take some time, during which the attack could be identified and halted. Because ransomware never actually accesses a system’s data – it just locks it down – it works far more quickly and covertly. Victims have no idea they have been compromised until they find they cannot access their system.
Guest post by Eduard Goodman, chief privacy officer, IDT911.
Earlier this year, Centene Corporation lost six hard drives containing personal and health information of almost one million of its clients, including names, addresses, dates of birth, Social Security numbers, member identification numbers and health information. Unfortunately, Centene is only one of many healthcare organizations that recently had their sensitive patient information exposed. More than 113 million health records were breached in 2015 – which translates to one out of every three Americans being affected by a healthcare record breach last year. Medical identity theft is a disastrous trend that needs to be addressed. The good news is there are many steps healthcare organizations can take to reduce the risk of data breaches.
Electronic Health Records
As more and more healthcare organizations transition away from paper medical records and move to electronic health records, it is critical that security features are put in place to protect the vast amount of data being collected. Just as digitally stored health information is more easily accessible for employees, it is also easier for cyber criminals to access. According to the Ponemon Institute’s The State of Cybersecurity in Healthcare Organizations in 2016 report, nearly half of those surveyed said their organizations had experienced an incident involving the loss or exposure of patient information during the last year. Strong encryption, routine vulnerability patching and multi-factor authentication are key to protecting health data.
Mobile and BYOD
Greater connectivity means more convenience, but this also opens more doors for hackers to access healthcare networks. Healthcare organizations should set clear BYOD policies so employees understand what can and cannot be accessed from mobile devices, what operating systems are approved for use on the network, what security features and settings are required and what type of data can be stored on devices. While using mobile devices can significantly improve productivity, it is important to minimize security risks in order to protect sensitive data.
Internet of Things
The Internet of Things is a growing trend in the tech world that has also become popular in the healthcare industry. Now, medical devices can collect, track and share enormous amounts of data instantly through internet connectivity. Because these medical devices were most likely added to pre-existing networks, they may not have the necessary security protections. Security vulnerabilities are no longer limited to EHR systems and health networks – medical devices must be thoroughly inspected as well. Just as computers and servers are patched for vulnerabilities, medical devices that connect to healthcare networks must also be regularly patched. If these IoT-enabled devices do not have the necessary layers of security, they will become an easy target for hackers to access the healthcare network.
Guest post by Mohan Balachandran, co-founder and president, Catalyze.
As we look back upon 2015, we can reflect, review and, based on that and other factors, make some predictions about what next year will bring us. John Halamka had an interesting post that reflects on the bigger challenges, such as ICD-10, the Accountable Care Act and its implications for data analytics, the HIPAA omnibus rule and its impact on cybersecurity and audits, and the emergence of the Cloud as a viable option in healthcare. We can expect to see some of these trends continue and grow in 2016. So based on these key learnings from 2015, here are a few predictions for 2016.
Cybersecurity will become even more important
In 2015, insurers and medical device manufacturers got a serious wake-up call about the importance and cost of cybersecurity lapses. Healthcare data will increasingly be treated as strategic data: a compromised credit card can always be replaced, but a diagnosis cannot change, so the possibilities for misuse are significant. Just as the financial industry has settled on PCI as the standard, expect the healthcare industry to get together to define and promote a standard and an associated certification. HITRUST appears to be the leader, and recent announcements are likely to further cement it as the healthcare security standard. Given all that, one can safely expect spending on cybersecurity to increase.
IoT will get a dose of reality
The so-called Internet of Things has been undergoing a boom of late. However, the value from it, especially as applied to quantifiable improvement in patient outcomes or improved care, has been lacking. Detractors point out that the quantified-self movement, while valuable, self-selects the healthiest population and doesn’t do much to address the needs of older populations suffering from multiple chronic diseases. Expect to see more targeted IoT solutions, such as those offered by Propeller Health, that focus on specific conditions, have clear value propositions and savings, and offer more than just a device. Expect some moves from Fitbit and others who have raised lots of recent cash, in terms of new product announcements and possible acquisitions.
Guest post by Renata Magurdumov, director of marketing, ColoGuard.
If you think about it, your doctor probably knows more about you than many of your friends. Healthcare providers store a ton of sensitive data about their patients; everything from their name to their address and place of employment to their Social Security number. In other words, everything a cyber-criminal would need to steal someone’s identity.
Given how valuable that information could be in the wrong hands, you’d think that healthcare providers would use the most high-tech, modernized infrastructure and the most up-to-date security practices to keep it safe. Unfortunately, you’d be mostly mistaken.
Recently, Premera Blue Cross was the victim of a ‘sophisticated cyberattack’ that compromised the healthcare records of 11 million patients. Before that, the victim was Anthem. Before that, Aventura Hospital and Medical Center.
As a matter of fact, according to a recent Kroll study, healthcare accounted for nearly half of the client breaches that took place in 2014, followed closely by business services and higher education. This was the second year in a row that these three industries accounted for nearly two-thirds of all “client events.” What’s more, only 30 percent of the breaches in healthcare were the direct result of hacking.
That means that the other 70 percent were the result of human error – of negligence, poor security practices or ignorance. For an organization whose collection of data can quite literally ruin lives by falling into the wrong hands, this is unacceptable. And it’s going to get worse before it gets better.
“I believe that healthcare IT systems are fragile and highly vulnerable today,” writes CIO Paddy Padmanabhan. “This, combined with the sophistication of hackers and the rising attractiveness of healthcare data in the black market, makes healthcare a huge target for disruption in 2015.”
The Rocky Relationship Between Healthcare and IT
Part of the problem is that many decision makers in healthcare have a serious attitude problem where technology is concerned. They simply don’t realize how important it is. Healthcare IT is often marginalized and undersold, with CIOs struggling simply to keep their departments afloat – if it’s not simply contracted out to third parties.
“While healthcare costs in the US as a percentage of GDP are the highest in the world, healthcare IT spend as a percentage of revenues is among the lowest across various industry sectors,” continues Padmanabhan. “Healthcare CIOs are constantly challenged to do more with less, and face budget cuts year after year.”
The end result of this is that many hospitals view technology as a hindrance. It’s obtuse, frustrating and poorly implemented – because their IT departments lack the resources to make it anything but. Writing for the New York Times, leading healthcare analyst Robert M. Wachter recounts how a hospital’s job ad last year listed the fact that it didn’t have digital databases as a plus.
“In today’s digital era,” writes Wachter, “a modern hospital deemed the absence of an electronic medical record system to be a premier selling point. That hospital is not alone.”
“A 2013 RAND survey of physicians found mixed reactions to electronic health record systems, including widespread dissatisfaction,” he continues. “Many respondents cited poor usability, time-consuming data entry, needless alerts and poor workflows.”
Worse still, even those hospitals that have successfully implemented modern IT are fighting an uphill battle to figure out how it all works. They grew so accustomed to the way things were, says Wachter, that they found themselves utterly unprepared for a shift which was, for all intents and purposes, years in the making. They were complacent – and now they’re paying for it.
“Whopping errors and maddening changes in workflow have even led some physicians to argue that we should exhume our three-ring binders and return to a world of pen and paper,” he says. “That argument is utterly unpersuasive. Healthcare, our most information-intensive industry, is plagued by demonstrably spotty quality, millions of errors and backbreaking costs. We will never make fundamental improvements in our system without the thoughtful use of technology.”
Since 2009, the personal health information of almost 30 million Americans has been compromised. From Partners Healthcare and Anthem to the UCLA Health System and Children’s National Health System, it’s clear that healthcare organizations are a hot target, especially as medical records include exactly the kind of valuable data cyber criminals want to get their hands on. And, since information like social security numbers and birthdates can’t be “turned off” in the ways that stolen credit card numbers can, once cyber criminals get ahold of such records, they can do significant damage with them like counterfeiting patients’ identities.
It is crucial that the healthcare industry be vigilant when it comes to cyber security. From hospitals and insurers to medical groups and individual practices, health-related organizations must ensure they are taking all possible measures to keep the personal information of their patients – not to mention their own brand reputation and business – safe. That raises some questions: Why are healthcare organizations such a hot target? How are they (and their patients) being targeted, and what can the industry do to stay one step ahead of cybercriminals and mitigate the ensuing risks?
What Makes Healthcare a Prime Target?
Healthcare organizations are a large target for many reasons. First and foremost, they possess extremely valuable assets, including the personal, family and billing information of their patients. It isn’t the blood type or cholesterol reports that make electronic health records the most valuable records on the cybercrime black market; it is the virtually complete personal identity information, including social security numbers, parents, maiden names, addresses, emails, children’s names and, in some cases, complete information on close friends. They are the holy grail of the identity theft world.
Second, the available attack surface in the healthcare industry is very complex. The healthcare industry contains many different organizations that have, over the past few years, moved to electronic systems, but not to a truly centralized electronic system. The reality of today’s healthcare records infrastructure is that there are many networks, data formats, communications protocols, passwords and access points all patched together. Not only is this amalgamated network challenging to maintain, it creates massive opportunities for compromise. Cybercriminals know this.
Healthcare is in the Cybercrime Crosshairs
Doctors are at the center of the healthcare universe. They interact and interface with patients, insurers, services providers and hospitals. Their office networks and smart devices connect with practically every network that affects their business. But doctors are not information technology or security experts. Less than 40 percent of doctors based in the U.S. feel that their cybersecurity processes are above average. Their lack of technical savvy and security knowledge makes them easy pickings for sophisticated cybercriminals. They need education and protection.
Patients are also prime targets. The Affordable Care Act (ACA) has accelerated the dramatic shift of health insurance and medical services to a digital transaction model. With the emergence of affordable individual policies not tied to employer offerings, and online markets for health insurance, many more individuals are using online resources to evaluate insurance options, enroll and manage their healthcare. Patients also go online to update their records, view and manage results and appointments, and make payments. Insurers and hospitals use email to communicate and confirm transactions, or to flag issues with accounts or with payments. This is where cybercriminals see their opportunity. Additionally, the ACA has introduced healthcare options (requiring online healthcare management) to many families who are not as familiar with online risks, so they are easy prey for phishing and other cyberattacks.
Reducing the Risk of a Successful Attack
Almost all cyber events start out the same way, with a successful attack on a single individual (an employee, doctor or patient) or device. This initial incursion, whether through malware, social engineering or another means, can lead to illegal network access and records theft over the course of weeks or months. But if a healthcare organization can reduce the risk of that first attack succeeding, it makes it harder for cyber criminals to gain this access.
Guest post by Moshe Ben-Simon, co-founder and vice president of services and research, TrapX Security.
Healthcare is a major market in the United States, with annual expenditures that consume almost 17.4 percent of the gross domestic product. Healthcare in the U.S. includes 893,851 physicians and 2,724,570 registered nurses, along with the physician’s assistants and administrative staff that support them. Additionally, there are approximately 5,686 hospitals that support these professionals directly. The great majority of physician practices now have electronic medical records (EMR/EHR) systems that are all interconnected with the rest of the ecosystem.
The typical hospital is replete with Internet connected systems and medical devices. These devices are also connected to EMR systems that are being deployed at a fast pace across practices and hospitals because of government incentives, such as meaningful use. This creates a highly connected community that brings the most vulnerable devices together with some of the highest value data.
Medical records = big money for organized crime
Healthcare data presents a compelling opportunity for organized crime. Cybersecurity firm Dell SecureWorks notes that cyber criminals were getting paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit card numbers prior to the Target breach. The Federal Bureau of Investigation (FBI) issued a private industry notification (PIN) report in April 2014 that noted cyber-attacks will increase against healthcare systems and medical devices because of lax cybersecurity standards and a higher financial payout for medical records on the black market.
As of Mar. 30, 2015, the Identity Theft Resource Center (ITRC) has healthcare breach incidents at 32.7 percent of all listed incidents nationwide. Per ITRC, for the first quarter of 2015, more than 99,335,375 medical records have been exposed and compromised in the United States alone.
As in other industries, the attackers in healthcare may be standalone operators or part of larger organized crime syndicates. The great majority are clearly after valuable healthcare data and economic gain. Health insurance credentials can have a value 20 times that of a credit card on the hacker black market. These attackers know that healthcare networks are more vulnerable and provide greater potential rewards. They have already determined that these vulnerabilities are so extreme as to make healthcare the easiest choice for their attack.
Despite the latest/greatest perimeter network security technology, hackers continue to get in
The risk for ongoing data exfiltration, theft and subsequent HIPAA (Health Insurance Portability and Accountability Act) violations has never been higher. Basic defense-in-depth cyber security products seem to be failing at an increasing rate. The concept of defending a perimeter around hospital networks no longer works against a variety of cyber-attack vectors. Recent studies suggest that most hospitals are unaware of active attackers likely hiding within their medical devices inside their networks already.
These medical devices have become the key pivot points for attackers within healthcare networks. They are visible points of vulnerability in the healthcare enterprise and the hardest area to remediate even when attacker compromise is identified. These persistent cyber-attacks threaten overall hospital operations and the security of patient data.
Most hospital information technology teams are managing a very heavy workload. They must deal with a multitude of vendors and support a diverse set of networks across the hospital. Further, they must work to be compliant with HIPAA security rules and other compliance requirements. Cyber security products issue a multitude of alerts and can overwhelm these hospital teams, so that genuine security event alerts may be hidden or missed.
Guest post by Sergio Galindo, general manager, GFI Software.
With stolen medical data selling on the black market at anywhere from 10 to 50 times the price of stolen credit card numbers, hackers have a new favorite target – the healthcare industry.
The industry is a sitting duck, and hackers have declared open season. Indeed, we have seen several extremely high-profile penetrations of healthcare companies in the past months, and more are likely in the coming months. Anyone with medical insurance should pay attention to the increasing number of data security breaches.
Consider the three most high-profile security incidents that have recently struck the healthcare industry. Community Health Systems claims that no medical information was exposed when the insurer was hacked, but the breach affected some 4.5 million records within their systems. In February of this year, Anthem reported that a breach resulted in 80 million records stolen, and recently data attackers broke into Premera Blue Cross and obtained medical and financial data of 11 million of their customers, stealing both electronic health records (EHR) and protected health information (PHI).
While stolen credit card data may fetch between $1 and $2 per record, EHRs are far more lucrative for hackers, often going for $20 to $50 per entry. This value stems from several reasons:
EHRs can contain data that enables identity theft;
Stolen EHRs can be used to commit insurance fraud;
Stolen EHRs can be used to fraudulently obtain medical services and prescription medications; and
EHRs can also be used for extortion.
It’s worth noting that the value of stolen data increases with its longevity as a source of revenue. Credit card numbers are often replaced within 30 to 90 days (a new number is issued); business information (price lists, customer databases), for example, remains valid for up to three years; while medical information can remain valid for more than 10 years. Social Security numbers offer cybercriminals the longest return because they last until the individual passes away (and even then they are still used).