New Strategies for Preventing Healthcare Data Breaches
Guest post by Carl Wright, general manager, TrapX Security.
In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identify Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities healthcare institutions are susceptible to, such as the medical device hijack (MEDJACK). More information on MEDJACK can be found here.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians need to recognize that their “connected” healthcare environment needs to be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email or website based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and updated, the next step a healthcare organization should take to substantially reduce its risk is implement a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
Cyber defense awareness should also be part of an organization’s HIPAA (The Health Insurance Portability and Accountability Act of 1996) training. This is a good time to review additional procedures for data security. HIPAA and enhanced data security procedures go hand-in-hand for healthcare providers. Everything that’s done to protect and secure protected health information (PHI data) from cyber attackers should also be a key component of an organization’s HIPAA policies and procedures.
Be Mindful of Personal Web Browsing Habits
As part of the training process, employees must learn that accessing personal email and surfing the Internet are two of the easiest points of entry for an attacker. Employees should refrain from opening any emails not essential to the ongoing operation of the healthcare facility. Further, they should not use organizational resources to browse or interact with the Internet. Non work related email and Internet browsing should be done on personal systems at home. A large percentage of email is spam and much of it contains malware that either redirects users to dangerous websites or contain malicious attachments. There’s an adage used by many security professionals; “Think before you click that link.” If there’s any question about a particular link, place a mouse cursor on it, and the actual URL will appear.
With regards to email attachments, attackers are embedding malware in the documents themselves and other executables, such as files ending in .bin, .exe and .scr.
To compound matters, attacks are often socially engineered, which means an email an individual thinks is coming from a friend or colleague is actually an attacker who’s spoofing their identity.
Encrypt All Data Internally
Review EMR/EHR systems to determine if they encrypt data internally. Amazingly, still today, over 40% of healthcare providers don’t encrypt all of the patient data in their systems.1 Given the current cyber environment within healthcare, organizations and vendors if necessary, need to consider new alternatives to make sure that all data is encrypted. If an organization has not carefully assessed the need for encryption in an annual risk review, which is required under the HIPAA security rules, they may run afoul of HHS. This is even more likely when an organization has reported a data breach due to a cyber attacker. All of this will bring close scrutiny to an organization.
Make Sure Voicemail and Text Messaging are HIPPA Compliant
Physicians, nurses and their non-clinician staff often forget that voicemail systems and text messaging must be HIPAA compliant. Most commercial voicemail and internal PBX systems are not, and this represents a liability of significant proportions. Consider that patients will often leave messages that include protected health information (PHI). Healthcare organizations are responsible for protecting that information. Seek out telecommunications vendors that support HIPAA compliance and will specifically sign business associate agreements.
Double Check Videoconferencing and Fax Solutions as Well
Web and videoconferencing is another source of security risk, especially for HIPAA compliance, because most commercial vendors cache conference session data in ways that aren’t compliant. Note that some conferencing vendors actually state that they are HIPAA compliant when in fact they are not. Seek out videoconferencing solutions that support HIPAA compliance and will specifically sign business associate agreements.
One of the most established legacy fixtures in healthcare is the fax machine, which represents an ongoing liability to patient data and HIPAA compliance. Doctors often send referrals to physicians via fax. Diagnostic lab test requests and results flow through the fax machines as well. A misdirected fax can result in the exposure of patient data.
Best practices today require that organizations find a path to fax machine replacement. The use of automated alternatives can reduce the potential for error. These cloud based systems use a secure network to tie together all of the physician resources, the diagnostic labs and radiology centers that serve them.
Be Mindful of Attaching Any Internet Connected Device to the Network
Be extremely vigilant when using network connected medical devices within a practice. Internet connected medical devices present substantial risk unless an organization has a carefully reviewed strategy for securing and monitoring the cyber status of each device. Our research has found medical devices are convenient cyber-attack points even in the largest and best protected healthcare institutions. Medical devices have become the new HIPAA time bomb for healthcare institutions. If a choice exists, do not place these medical devices on an internal network. If that’s not an option, consider retaining the ongoing services of a cyber security expert to monitor and remediate the network and the medical devices attached to it, and expect a considerable costs to do so.
Large institutions must consider a strategy that not only defends their perimeter with firewalls and end-point security, but also assume that attackers will successfully breach these defenses. New technologies such as deception, can reduce the time to breach detection and ultimately the risk of data theft and HIPAA compliance as it has the ability to detect invaders in a healthcare network within hours or days as opposed to months.
9 comments on “New Strategies for Preventing Healthcare Data Breaches”
Excellent article. As a hospital administrator I’m very concerned about HIPAA compliance. I’ve also heard about MEDJACKER but my team is still trying to figure out the right mix of budget and prevention. Yes, the fax machines are a major source of trauma. Yes, it is likely that faxes with PHI are misdirected more than once a year. It is a problem for sure.
We are trying to negotiate with our vendors so that they fix medjack when it is discovered. our cyber software cannot install on the medical devices. these cyber attacks seem to get past the firewalls with ease. so the standard sw catches much of the attackers in the standard workstations, but not in the medical devices. almost nothing out there can detect medjack. maybe one or two vendors and that’s it. you need to find the budget for something because based upon risk assessment you cannot ignore the implications of medjack. good luck.
There is an old book, and I’m an old healthcare IT guy, so you also may remember catch-22. An impossible choice where either option puts you in jeopardy. There is no budget, yet because medjack now figures into the risk assessment, then we must address it. We will have to scramble to find a vendor that can scan for medjack because there is so much of it that we really have no choice. We’re already scrambling to convert most systems to two factor authentication, notwithstanding ambulatory physicians that can barely deal with passwords. welcome to the healthcare cyber war, perhaps undeclared, but definitely under way.
MEDJACK is a serious concern for hospitals. We really don’t have a dedicated security team. Our information technology staffers try to do everything related to security. Our compliance people that try to keep up with them and HIPAA. The reality of the situation is that existing notions about hospital budgets for security will likely change. We’re dealing with knuckle dragging cyber thiefs and hackers that work full time to exploit our data. It is becoming an impossible situation and one that our current budgets cannot support.
There are many issues on the healthcare front today and both hipaa and cyber security are pretty much at the top. doctors used to do just fine treating patients before hipaa and all of this cyber mess is just taking more and more of our time. Most of the clinicians and admins follow hipaa but don’t have time to think, even for a second, about anything else involving cyber attackers. we are tremendously busy and insurance only lets us get paid for the work we do with patients. nothing else. We keep getting dragged back into constant security and privacy officer meetings to review security events. Most of the time we don’t even know if they stole data. There is so much malware inside that the security officer has to constantly make the call over whether or not an event should be logged, reported. On top of that there is likely subtle pressure that if there is no clear evidence of a breach, then there is nothing to log. It is a mess. On top of all of this is that this medjack thing is just another nightmare come to life. i laughed when I read about fax machines. no kidding. doctors send more faxes than just about anyone on the planet. faxes are antiquated, prone to risk, certainly time bombs for hipaa as the article stated. i don’t know much about the cloud networks to replace them but it sounds like a good idea.
As I understand it, 3rd party software can detect the medjacker medical device hijack. Our medical device vendors cannot. We ask them and we get a blank look. The only option is that when your cyber defense detects it, that you need cyber consultants to figure out what in-the-!@$@ is going on. Figuring out what data moved through where is very difficult without expensive and talented consultants. The manufacturer usually says this “maintenance” or “repair” is not mandatory under the existing contract. So you have to pay them to reload the software in the med device, and then in 90 days the reinfection happens again. Is this budgeted? Not a chance.
Yellow stick notes do abound. You know, that is the standard security process in many facilities. Off the record, I work with a large SNF and the nurses here have over a dozen accounts they need to access daily, each with its own authentication. It is even worse if you consider the ambulatory physicians that also need to tie into the SNF networks, even in a basic way. Password management is challenging. Yes, the fax machines are a big part of the problem. We have mobile xray machines here and mobile ultrasound machines that are on our networks. Do these devices get infected with medjacker? how would we know? They have one IT manager that visits here once a month and rotates between facilities. And a help desk. We’re really not equipped to handle a major hacker or anything like that.
The issue is that all of the IT mumbo jumbo about firewalls and intrusion detection really just don’t work. Anyone can see that. Go to a meeting with on compliance with the security guys and the compliance people talking about 2000+ security events. That might be in a week’s time. So one gets through and trashes your network and breaches data. Lets get real. Most of the technology out there, let alone the existing best practices, just don’t work.
Have you seen this as of today? MEDJACK seems alive and well. Hollywood hospital captured by ransomeware and they had to pay to free up their networks. Was data stolen? How much HIPAA reporting and databreach reporting is required on this one? If you networks were held hostage, how would you even know what they viewed, copied, or stole? Its a mess. This is from Forbes today: http://www.forbes.com/sites/thomasbrewster/2016/02/18/ransomware-hollywood-payment-locky-menace