Guest post by Carl Wright, general manager, TrapX Security.
In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identify Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities healthcare institutions are susceptible to, such as the medical device hijack (MEDJACK). More information on MEDJACK can be found here.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians need to recognize that their “connected” healthcare environment needs to be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email or website based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and updated, the next step a healthcare organization should take to substantially reduce its risk is implement a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
Cyber defense awareness should also be part of an organization’s HIPAA (The Health Insurance Portability and Accountability Act of 1996) training. This is a good time to review additional procedures for data security. HIPAA and enhanced data security procedures go hand-in-hand for healthcare providers. Everything that’s done to protect and secure protected health information (PHI data) from cyber attackers should also be a key component of an organization’s HIPAA policies and procedures.
Be Mindful of Personal Web Browsing Habits
As part of the training process, employees must learn that accessing personal email and surfing the Internet are two of the easiest points of entry for an attacker. Employees should refrain from opening any emails not essential to the ongoing operation of the healthcare facility. Further, they should not use organizational resources to browse or interact with the Internet. Non work related email and Internet browsing should be done on personal systems at home. A large percentage of email is spam and much of it contains malware that either redirects users to dangerous websites or contain malicious attachments. There’s an adage used by many security professionals; “Think before you click that link.” If there’s any question about a particular link, place a mouse cursor on it, and the actual URL will appear.
With regards to email attachments, attackers are embedding malware in the documents themselves and other executables, such as files ending in .bin, .exe and .scr.
To compound matters, attacks are often socially engineered, which means an email an individual thinks is coming from a friend or colleague is actually an attacker who’s spoofing their identity.
Encrypt All Data Internally
Review EMR/EHR systems to determine if they encrypt data internally. Amazingly, still today, over 40% of healthcare providers don’t encrypt all of the patient data in their systems.1 Given the current cyber environment within healthcare, organizations and vendors if necessary, need to consider new alternatives to make sure that all data is encrypted. If an organization has not carefully assessed the need for encryption in an annual risk review, which is required under the HIPAA security rules, they may run afoul of HHS. This is even more likely when an organization has reported a data breach due to a cyber attacker. All of this will bring close scrutiny to an organization.
Make Sure Voicemail and Text Messaging are HIPPA Compliant
Physicians, nurses and their non-clinician staff often forget that voicemail systems and text messaging must be HIPAA compliant. Most commercial voicemail and internal PBX systems are not, and this represents a liability of significant proportions. Consider that patients will often leave messages that include protected health information (PHI). Healthcare organizations are responsible for protecting that information. Seek out telecommunications vendors that support HIPAA compliance and will specifically sign business associate agreements.
Double Check Videoconferencing and Fax Solutions as Well
Web and videoconferencing is another source of security risk, especially for HIPAA compliance, because most commercial vendors cache conference session data in ways that aren’t compliant. Note that some conferencing vendors actually state that they are HIPAA compliant when in fact they are not. Seek out videoconferencing solutions that support HIPAA compliance and will specifically sign business associate agreements.
One of the most established legacy fixtures in healthcare is the fax machine, which represents an ongoing liability to patient data and HIPAA compliance. Doctors often send referrals to physicians via fax. Diagnostic lab test requests and results flow through the fax machines as well. A misdirected fax can result in the exposure of patient data.
Best practices today require that organizations find a path to fax machine replacement. The use of automated alternatives can reduce the potential for error. These cloud based systems use a secure network to tie together all of the physician resources, the diagnostic labs and radiology centers that serve them.
Be Mindful of Attaching Any Internet Connected Device to the Network
Be extremely vigilant when using network connected medical devices within a practice. Internet connected medical devices present substantial risk unless an organization has a carefully reviewed strategy for securing and monitoring the cyber status of each device. Our research has found medical devices are convenient cyber-attack points even in the largest and best protected healthcare institutions. Medical devices have become the new HIPAA time bomb for healthcare institutions. If a choice exists, do not place these medical devices on an internal network. If that’s not an option, consider retaining the ongoing services of a cyber security expert to monitor and remediate the network and the medical devices attached to it, and expect a considerable costs to do so.
Large institutions must consider a strategy that not only defends their perimeter with firewalls and end-point security, but also assume that attackers will successfully breach these defenses. New technologies such as deception, can reduce the time to breach detection and ultimately the risk of data theft and HIPAA compliance as it has the ability to detect invaders in a healthcare network within hours or days as opposed to months.