Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breached three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.
In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against a data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, the quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identity Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities healthcare institutions are susceptible to, such as the medical device hijack (MEDJACK). More information on MEDJACK can be found here.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians need to recognize that their “connected” healthcare environment needs to be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email or website based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and updated, the next step a healthcare organization should take to substantially reduce its risk is implement a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
Guest post by David Thompson, senior director, product management, LightCyber.
A targeted data breach is one of the most vexing problems facing healthcare organizations today. Just in the first three months of 2015 alone, 99 million patient healthcare records were compromised—that’s about one-third of the entire U.S. population, and those are just the ones we know about. According to some sources, 90 percent of healthcare organizations have already been breached, but we aren’t sure which ones.
The cybercriminals behind a targeted data breach do not want to be exposed—and make no mistake, these breaches are run by people, not autonomous software. Unlike the hackers of earlier days, these operatives want to stay hidden and conduct their work in secret. Even if they have successfully completed their initial goals—let’s say exfiltrate patient medical records—a cybercriminal team will likely want to stay undiscovered to continue to steal more data as it is collected, or leverage this access to break into another company. Often this will involve commandeering valid credentials from the first organization to gain access to another, perhaps a partner healthcare organization, an insurance company, an independent lab or some other entity.
The simple truth is that most healthcare organizations lack the means to detect an active data breach. First, let me define a data breach, since there is so much confusion over the term. A breach is the entire process—from initial network penetration through data exfiltration—that cybercriminals go through to achieve their goals.
Often a breach is perceived as only the initial penetration into the network or infection of a machine. This one act is over in an instant, but it is the focus of considerable security resources. In other words, a large proportion of security resources are devoted to preventing a single step in the breach process that lasts less than a minute, but is only the first step toward a goal.
Also, initial penetration is not as easy to spot and block as you might guess. Since the way into the network may be accomplished through the use of valid credentials acquired through social engineering or clever spear phishing, detecting the intrusion can be difficult. Effective prevention of intrusions is based on the use of statically defined descriptions of software code or behavior (signatures and hashes), so it is successful mainly when known malware is used to conduct a breach. So, preventing an intrusion has a marginal success rate, but it is often seen as the last chance an organization has of defeating a targeted breach.
Once an attacker is inside the network, most organizations lack the ability to find them. At the same time, an attacker is inherently at a disadvantage, having landed inside an unfamiliar network. This disadvantage is quickly dissipated since they can often go completely undetected for weeks, months or even longer. The industry average dwell time is around six months, plenty of time for an attacker to explore a network and get at assets.
Why is it that organizations are seemingly powerless to find an active data breach once an intruder has penetrated a network? There are four main reasons.
Guest post by James Bindseil, president and CEO, Globalscape.
Health IT has reached a pivotal crossroad: On one end, consumers’ expectations for more timely care and instant access to health files and records continue to skyrocket; on the other, security and compliance risks are more complex and threatening than ever before.
This leaves health providers in a precarious position: should they prioritize security and compliance, or productivity and care?
In a perfect world, the answer would be all four. Unfortunately, today’s health IT landscape — which is going through a rapid and significant transformation to keep up with evolving compliance mandates, new demands around access to patient files, changing government policies, sophisticated security threats and new technologies — is far from perfect.
One of the most pressing issues lies within the policies and technologies provided by today’s IT teams. In fact, in many instances, the policies and tools implemented by IT to keep patient data safe and secure often end up having the opposite effect: they make it incredibly difficult for providers to deliver fast and efficient care in a secure, compliant manner.
For example, let’s imagine a day-in-the-life of a hospital care provider, who faces immense pressure to deliver top-notch care to as many people, and in as little time, as possible. On day one, an off-duty doctor is called at home to provide his take on the best care plan for a specific patient. How will he review the pertinent information while working remotely? In another scenario, the doctor is running from patient to patient, and is unable to take the necessary time to record his actions. Taking the work home on a USB drive seems like the best option. The next day, the hospital needs to quickly share files with the patients’ previous provider to care for an urgent medical issue.
The cost of IT security data breaches in the highly regulated healthcare industry is staggering, as it tops even the financial services market. No one is immune. Nearly 94 percent of medical institutions report that their organizations have been victims of a cyber attack, according to findings by the Ponemon Institute. With the update last year to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act of 2009, signs of increasing expenses are again a reality. The annual cap on fines for security breaches has also skyrocketed from a maximum of $25,000 per year to $1.5 million.
With breaches in healthcare spanning from insider, nosy-neighbor snooping to external cyber-threats such as malware, there is an obvious urgency for detection and remediation solutions that engage not only the hardened perimeter but also the soft center, spanning all the way out to the ancillary systems which once stood alone but are now networked and part of the entire electronic healthcare ecosystem.
Establishing a single, integrated, active defense approach to bolster your security posture and mitigate insider breaches, as well as cybercrime in healthcare, begins with a motion to break down internal barriers. Organizations need technology and organization leaders who champion bridging the gap between the two influential and liable, yet often un-collaborating, service providers responsible for protecting these domains: privacy and compliance, and enterprise IT security.
Coordinating the effort to monitor networks and applications to achieve a greater understanding of risky behavior is a giant step toward detecting early indicators of compromise and strengthening the weak links in your security practice. We recommend an assessment of the often overlooked, non-standard variety of electronic data carriers, which can fall into the category of the “Internet of Things,” those medical device end-points, video surveillance systems, x-ray machines and call contact systems. These must be treated as part of the entire electronic ecosystem to achieve a greater degree of data protection. They carry patient health information (PHI) and even intellectual business property, and are largely unprotected by traditional intrusion detection solutions. While often perceived as immune to breaches, they represent readily available ports of entry for an attacker.
A unified approach to end-user education and monitoring for early breach detection that fosters risk mitigation requires tight coordination between privacy and IT security. The challenge is in how. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the others’ data. Let’s take a look at a couple of examples.
Guest post by Darren Leroux, senior director of product marketing, WinMagic.
Gone are the days when all personal health information lived solely in giant filing cabinets behind a receptionist’s desk or in the administrative office of a hospital. Today, patient data resides everywhere – desktops, laptops, smartphones, tablets and USB drives. Understandably so – given the rise of mobile computing and bring-your-own-device (BYOD) policies in healthcare, the once straightforward process of protecting patients’ personal health information has since evolved into a complex and overwhelming undertaking.
Just the Facts
According to a recent study, 81 percent of healthcare organizations are now allowing employees and medical staff to use their personal laptops and mobile devices to connect to provider networks or access company email. Interestingly enough, the same study found that of that 81 percent of healthcare institutions enabling a BYOD strategy, 54 percent did not believe that those devices were secure enough in the workplace. Sixty-five percent of data breaches reported to the Ponemon Institute over the last five years occurred on laptops and mobile devices — it’s no wonder that more than half of those surveyed aren’t confident in the security of their devices.
When we refer to personal health information at risk, we’re not just talking about historical health records – the potential for a data breach casts a much wider net, including patient billing information, clinical trial data and even employee information like payroll numbers. With so much sensitive, unprotected data up for grabs, we’re inclined to ask ourselves – how? How is this significant rise in healthcare data breaches even possible, and how do we stop this from continuing?
Below are the top three gaping security holes in remote healthcare data practices that answer our question of how this rise in breaches is possible:
Guest post by George Bailey, senior advisor, health IT/security, Purdue Healthcare Advisors.
The recent large-scale data security breaches experienced by major retailers Target Corp. and Neiman Marcus provide opportunities for learning across industries. These data breaches are painful for the companies, shareholders and, certainly, for the consumers victimized by subsequent fraudulent transactions on their financial accounts.
But once the dust settles, will these 110 million consumers suffer long-term damage to their privacy and financial security? I would argue no. Surprised? I say this because most of the attributes compromised in the Target and Neiman Marcus data breaches are short-lived items. By “short-lived,” I mean bits of information that can be changed or replaced by the consumer.
For instance, charge card numbers can be changed and accounts closed; debit card PINs can (and should) be changed; lost funds can be reimbursed; and credit scores reinstated. Now I don’t want to imply that this cleanup is easy, quick or inexpensive to do. It’s not. But looking three to five years into the future, these data breaches—just as the T.J. Maxx breach in 2007—will have little-to-no lasting effect on those compromised.
For the healthcare industry, a data breach is quite different. A patient’s social security number (contained many times within healthcare records), medical history, psychiatric notes and sexual preference are not considered attributes that are “short-lived.” While a social security number can be changed, it’s a difficult and time-consuming process. The other data contained in a healthcare record is very sensitive, private, and cannot be re-written, as it is there to guide physicians in providing optimum care. Once sensitive electronic patient health information (ePHI) is lost, stolen or leaked to the Internet, it can spread faster than the best Facebook gossip and be cached, indexed and copied to a seemingly endless number of devices.
Another interesting infographic, from Dell, that I thought worthy of sharing. It’s comprehensive, as you can see. Essentially, it asks and answers the question of how is healthcare IT changing through and because of its relationship with technology.
Without a doubt, the change we’re seeing, especially in the last 10 years, is monumental. Take a look at some of the figures below. In a nutshell: social media, which truly did not exist a decade ago, is changing healthcare, especially consumer engagement with the industry. According to this data, more than 40 percent of patients are affected by the use of social media in the care space and it drives their decision when deciding which facility to give business to. Does this suggest that they want their physicians using social media platforms or simply to have a profile to interact with the office? The data doesn’t say, but it likely implies that they want the ability to communicate through their own channels rather than more archaic means like the phone and static websites. Patients want the ability to communicate somehow through the use of social media and likely want to own more of the relationship with their providers. It is their health, after all, and they want the process of care to be efficient. This trend will likely only increase.
Another interesting point here is that more than 75 percent of healthcare CIOs believe that their health systems don’t have the infrastructure to support their technological advancement. This is a major issue as these leaders look to make long-term adjustments, keep up with reform and employ systems to drive efficiencies. However, in an ever-changing technological world where advancement never ends, I think this is likely to be an ongoing trend/problem/dissatisfaction. For example, over the last five years so much attention has been given to the use and functionality of EHRs and how they will improve healthcare as a whole, but many say that the systems are antiquated and simply don’t meet the needs of modern practices and hospitals, and that more needs to be done to improve them and make them more robust and useful.
Guest post by Arron Fu, vice president of software development at UniPrint.
CIOs and IT professionals in healthcare organizations are tasked with achieving a balance between the demand for universal access to information and the need to ensure security. A recent report published by the Ponemon Institute and the Health Information Trust Alliance shows that the healthcare industry continues to struggle with curbing data breaches. According to the report, about 94 percent of the 80 participating healthcare organizations experienced at least one data breach of which they were aware in the past two years. Such breaches cost healthcare entities about $7 billion annually in the US alone.
While there is no shortage of companies that state that they go to great lengths to protect sensitive digital data, it’s rare to find a company that extends security measures to documents once they have been sent to a printer. Within an enterprise network, access to certain digital documents is restricted and limited only to those who are assigned the right to access those documents. But even a simple mistake like collecting the wrong document from a shared printer can lead to a serious security breach. Why then does the security conversation stop when it comes to printed documents?
Profile of a Healthcare Professional
Healthcare mobility. Historically, healthcare professionals have always been mobile workers. Healthcare personnel rarely stay in one location, as they are often moving from one patient’s room to another, etc. This mobility also extends to the way documents are exchanged between staff, which creates a unique workstyle requirement where medical professionals need secure, location-based access to information at any given time.