In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identity Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities healthcare institutions are susceptible to, such as the medical device hijack (MEDJACK). More information on MEDJACK can be found here.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians need to recognize that their “connected” healthcare environment needs to be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email- or website-based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and updated, the next step a healthcare organization should take to substantially reduce its risk is to implement a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
Guest post by James Carder, CISO of LogRhythm, VP of LogRhythm Labs.
This year’s biggest health data breach victims include insurers Premera and Anthem, where incidents affected nearly 100 million patients combined. It’s clear that healthcare organizations must strengthen their cyber security programs to protect themselves and their patients, or they’ll be targeted again and again. Strategically, healthcare organizations must change the way they have operated for the past 30+ years with regard to their behaviors and their use of IT. Cyber security is now a key business differentiator as both patient care and safety are paramount to a hospital’s ability to remain a trusted provider. The hospital of the future is one that incorporates these protection measures into its business brand, thereby recruiting, retaining and reinvesting in patients.
As we start out 2016, here’s what I think we’ll see going forward:
Healthcare IT security will continue to fall further and further behind the rest of the industry verticals
Healthcare IT security will continue to fall further behind the rest of the industry verticals. Healthcare organizations are focusing on functionality for patient care (rightfully so), and security is an afterthought. Many organizations are overly dependent on antiquated hardware and software, with inherent vulnerabilities, that could inadvertently put patients in danger. There has never been a real investment in information security, so the cost to catch up to industry standards and shed the label of being the hackers’ “low hanging fruit” is that much more expensive. The industry will continue to be targeted by sophisticated and organized attackers until a serious investment is made in both technological and human capital.
The medical record is a relative goldmine of information and, as such, a highly valuable target for all classes of attackers, ranging from financial crime groups to nation state threat actors. The number of data items a hacker gains access to, and the ways in which that information can be used, are more extensive than with other kinds of stolen data. Stolen data can be re-used by a hacker over and over again. So, in addition to this general prediction, I also think that at least one of the U.S. News and World Report top 10 hospitals will go public with a breach through outside channels.
Healthcare IT (security) spend will be the highest it has ever been, doubling the spend of 2015
Despite my first prediction, healthcare organizations will invest a lot of money in IT security technology and human resources, doubling the spend of 2015. Although the executives may fund the security department, a security culture might not trickle down to the rest of the organization. The person in charge of security might be accountable for security, but the buy-in must come from the board of directors down through every level of the organization. Staff and the clinicians must understand that what they are doing is making the organization a safer place for them and their patients; their effective security behaviors allow clinicians to do their job in treating patients better.
At least one major medical device manufacturer will have to go public with a vulnerability that could fatally affect patients
Medical device vendors and manufacturers have never taken security seriously. They are primarily looking for functionality for patient care and ease of administration and maintenance. A medical device is a computer system with one end attached to the patient, providing critical patient care, and the other end attached to the corporate network or Internet. Just like most devices on the network, a medical device runs a known operating system, vulnerable to the myriad exploits that affect any computer. Based on the risk profile of a medical device, it should be subject to the highest security standards in the industry, but unfortunately it is not. If someone can hack into an unpatched Windows XP box with exploitable vulnerabilities, someone can hack into an XP-based medical device. I predict that another medical device manufacturer will disclose an easily exploitable vulnerability that could put patients at direct risk. I also predict that an attacker will exploit a medical device and use it as a bridge into a company’s corporate network to facilitate a breach.
Since 2009, the personal health information of almost 30 million Americans has been compromised. From Partners Healthcare and Anthem to the UCLA Health System and Children’s National Health System, it’s clear that healthcare organizations are a hot target, especially as medical records include exactly the kind of valuable data cyber criminals want to get their hands on. And, since information like social security numbers and birthdates can’t be “turned off” in the ways that stolen credit card numbers can, once cyber criminals get ahold of such records, they can do significant damage with them like counterfeiting patients’ identities.
It is crucial that the healthcare industry be vigilant when it comes to cyber security. From hospitals and insurers, to medical groups and individual practices, health-related organizations must ensure they are taking all possible measures to keep the personal information of their patients – not to mention their own brand reputation and business – safe. That raises some questions: Why are healthcare organizations such a hot target? How are they (and their patients) being targeted, and what can the industry do to stay one step ahead of cybercriminals and mitigate the ensuing risks?
What Makes Healthcare a Prime Target?
Healthcare organizations are a large target for many reasons. First and foremost, they possess extremely valuable assets, including the personal, family and billing information of their patients. It isn’t the blood type or cholesterol reports that make electronic health records the most valuable records on the cybercrime black market; it is the virtually complete personal identity information, including social security numbers, parents, maiden names, addresses, emails, children’s names and, in some cases, complete information on close friends. They are the holy grail of the identity theft world.
Second, the available attack surface in the healthcare industry is very complex. The healthcare industry contains many different organizations that have, over the past few years, moved to electronic systems, but not to a truly centralized electronic system. The reality of today’s healthcare records infrastructure is that there are many networks, data formats, communications protocols, passwords and access points all patched together. Not only is this amalgamated network challenging to maintain, it creates massive opportunities for compromise. Cybercriminals know this.
Healthcare is in the Cybercrime Crosshairs
Doctors are at the center of the healthcare universe. They interact and interface with patients, insurers, service providers and hospitals. Their office networks and smart devices connect with practically every network that affects their business. But doctors are not information technology or security experts. Less than 40 percent of doctors based in the U.S. feel that their cybersecurity processes are above average. Their lack of technical savvy and security knowledge makes them easy pickings for sophisticated cybercriminals. They need education and protection.
Patients are also prime targets. The Affordable Care Act (ACA) has accelerated the dramatic shift of health insurance and medical services to a digital transaction model. With the emergence of affordable individual policies, not tied to employer offerings, and online markets for health insurance, many more individuals are using online resources to evaluate insurance options, enroll and manage their healthcare. Patients also go online to update their records, view and manage results and appointments, and make payments. Insurers and hospitals use email to communicate and confirm transactions, or to flag issues with accounts or with payments. This is where cybercriminals see their opportunity. Additionally, the ACA has introduced healthcare options – requiring online healthcare management – to many families who are not as familiar with online risks, so they are easy prey for phishing and other cyberattacks.
Reducing the Risk of a Successful Attack
Almost all cyber events start out the same way, with a successful attack on a single individual (an employee, doctor or patient) or device. This initial incursion, whether through malware, social engineering or another means, can lead to illegal network access and records theft over the course of weeks or months. But if a healthcare organization can successfully reduce the risk of a successful first attack, they make it harder for cyber criminals to gain this access.
What follows is a nice, yet concise, infographic developed by Clearwater Compliance – an organization that helps health systems ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI) – that provides a good overview of the current state of healthcare breaches.
Clearwater Compliance states that according to Breach Level Index, there were 336 healthcare data breaches reported in the U.S. last year; “the Office for Civil Rights portal on the HHS website cited 165 breaches affecting 500 or more individuals in 2014.”
Interestingly, the organization points out that non-digital breaches remain an issue. “Paper data breaches accounted for 9 percent of compromised records in the first half of 2014 – and a surprising 31 percent in the second half. In total, nearly 200,000 paper records were compromised last year, along with nearly 60,000 pieces of individually identifiable health information ranging from lab specimens to radiology film,” wrote the Clearwater Compliance team.
Additionally, insider mistakes and malice can be costly. In breaches examined, there were 45 incidents involving insider actions that resulted in the compromise of more than 478,000 records. “That means that about half of all the incidents we studied involved either mistakes or malice by an organization’s own employees and business associates.”
Clearwater Compliance makes the case that, despite an organization’s best efforts, “it’s almost impossible to eliminate all workforce-related data breaches. But organizations can take steps to foster an atmosphere of compliance and prevention.”
Lindy Benton, CEO of MEA|NEA, recently wrote in a piece for MultiBriefs: “According to the Wall Street Journal, Forrester Research recently conducted a survey of more than 2,100 healthcare IT pros and found that only about 60 percent of them said they encrypt devices like laptops, smartphones or tablets. Also according to the research, 39 percent of healthcare security incidents since 2005 have included a lost or stolen device.
“For some additional perspective, since federal reporting requirements started, the U.S. Department of Health and Human Services has tracked major breaches (those affecting 500 people or more) and has identified more than 945 incidents affecting patients’ personal information, affecting more than 30 million people.
“A majority of these breaches are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access of accounts (1.9 million people), according to The Washington Post. And these numbers do not even include the Community Health Systems numbers.
In light of the Premera Blue Cross cyberattack and data breach – which, so far, is the second-biggest of its kind in industry history and exposed the personal, financial and medical information of more than 11 million customers – Bob Swanson, compliance engineer at LogRhythm, provides some valuable detail and perspective on the news.
In the following conversation, Swanson discusses what we know about the breach so far, how organizations can strengthen their security efforts and the motivations of hackers, and offers insight to help navigate the situation and guidance for others hoping to avoid a breach.
What do you know about the hack and what don’t you know? How similar/dissimilar is it to other major hacks?
Although Premera has said the breach was detected back on Jan. 29, 2014, the first signs of the attack date back to May 5, 2014. So with the breach going undetected for over six months, the culprit(s) had ample time to navigate through Premera’s network and find exactly what they were looking for – sensitive data with value in the black market, regardless of whether there is evidence indicating it has surfaced. Given time, a proficient hacker will set false trails and distort clues of their activities to confuse investigators or IT security professionals. However, they are currently under federal investigation, working with the FBI and cyber security firm Mandiant to better understand the nature and scope of the attack. Many additional details will come to light as the investigation continues, but it is clear that early indicators were not picked up on. Similar to other major breaches in the healthcare and other industries, as the mean-time-to-detection (MTTD) increases, this gives proficient hackers time to navigate the network, find what they are after and make it more difficult to discover the true details around the attack.
Is it related to the Anthem hack? Several Blues plans that aren’t part of Anthem still were business partners and were affected by the hack. As Premera was investigating the effect of the Anthem hack, did they discover their own hack?
With many of the facts surrounding the breach still unclear or undefined, initially it does not appear to be linked to the Anthem breach; however, consider their targets or objectives for similarities. In healthcare, patient information containing elements of social security numbers or other protected health information (PHI) has a significant worth in various markets, both known and unknown. With this comes a demand and hackers are seeking out organizations to exploit and provide the supply. Also, as seen in both Anthem and Premera, the intrusion went on for some time without detection or actions taken to remediate compromised systems. The similarities between the attacks can be seen at a higher-level where the industry as a whole finds challenges in gaining the necessary budget allocation to support sound cyber security programs. Many healthcare organizations have highly integrated systems, so all you need is one back door to be left open, say a compromised account, and hackers can navigate to their targets unseen for lengthy periods of time.