When it comes to cybercrime, online attacks often follow seasonal trends. So as the kids head back to school, it’s safe to assume that cybercriminals have learned and developed some new ransomware tricks that will be coming to a computer near you this fall.
If you are like most healthcare organizations, you’re probably not prepared to deal with this new wave of attacks. Amongst the endless flow of sensationalistic cyberattack headlines, including NotPetya and the Erie County Medical Center, it’s easy to become numb to the threat of ransomware—choosing to believe that your organization is either too small to be a likely target or that your existing cybersecurity measures provide adequate protection. Unfortunately, this optimism has led to the peril of many healthcare providers and in turn the patients they serve.
When a ransomware disaster struck A1Care 12 years ago, CEO Percy Syddall wasn’t sure how hackers evaded his company’s defenses. All he knew was that A1Care’s computers were locked down and the perpetrators who promised to restore the system upon payment kept changing their demands. Each day the problem went unsolved further disrupted the in-home elderly care, facility placements and case management services that A1Care’s clients depended upon and threatened to destroy the business Syddall had worked so hard to build.
The Rise of Ransomware
The biggest cybersecurity concern used to be hackers invading healthcare systems to steal sensitive patient data and then selling it to the highest bidder. But today, one of the easiest assaults on a computer system is ransomware—a debilitating attack through which an anonymous criminal encrypts your files and then forces you to pay them whatever amount they request in order to regain access to your system—and all the important files it may contain.
SonicWall recently reported there have been 181.5 million ransomware attacks during the first six months of 2018, which marks a 229 percent increase over this same time frame in 2017. Encrypted threats are up 275 percent over last year.
Why has ransomware become the primary cyber threat out there? Most experts point to four primary factors:
Finding a buyer: The key to any successful transaction is finding a buyer that is willing to pay to acquire whatever it is that you are selling. When it comes to selling data on the dark web, searching for a buyer is tricky and comes with many risks. Selling something directly to the person you stole it from improves the odds of getting paid quickly and quietly.
The US government: In 2017, Shadow Brokers compromised government security defenses and delivered to the world the tools the NSA had been using to break into computers of its adversaries. Created at a huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and are being used against businesses and civilians. The WannaCry attack was born from these tools, as was the Petya attack which shut down millions of computers across the globe with demands for payments in order to restore access.
Cryptocurrency: In the old days, collecting a ransom involved suitcases full of cash (containing bills that could be marked) or wire transfers (which could be tracked). The cash then had to be laundered, which meant only large criminal organizations typically had the necessary resources. Today, anyone can sign up for a cryptocurrency wallet in a matter of minutes—some criminals even provide their victims with simple to follow instructions. With cryptocurrency, neither the wallet nor the resulting transactions can be easily connected to any real-world identities.
Ransomware-as-a-Service: Once upon a time, cybercriminals had to develop their own malware, which required coding skills and at least some knowledge of operating systems, networking and hardware. Now, easy-to-use “ransomware as a service” can be purchased cheaply on the darknet. Some vendors even offer customer support for buyers of their malware. And would-be hackers who want customized ransomware can hire black-hat coders for its development.
Healthcare is a favorite target for hackers
Smaller healthcare organizations are an easy target for hackers because most don’t have adequate financial or technical resources to defend themselves against the onslaught attacks. According to Cryptonite, healthcare organizations have reported an 89 percent year-over-year increase in ransomware attacks.
No healthcare provider wants to be a victim of an ransomware attack, but cybersecurity is a complex problem that requires multiple layers of defenses. Many owners of healthcare organizations feel they can’t afford to keep their practice safe because it typically requires deploying sophisticated endpoint technologies such as antivirus, anti-malware software and firewalls to keep intruders out and then hiring resources to keep up with frequent software, data backups and equipment security updates, as well as providing security training for staff.
Industry experts estimate that an organization with 50 employees may have to spend upward of $50,000 to have the best possible protection against cyberthreats and then thousands of dollars each year to keep everything up to date. But even when organizations make this investment in security, they might still have a breach.
Minding the security gap
Hackers are becoming extremely resourceful and have found ways to circumvent even the most advanced antivirus and anti-ransomware solutions. These solutions cannot protect against Fully UnDetectable (FUD) threats that were conceived by cyber criminals to directly evade existing security layers and harm data.
Recent Tenable research reveals, “cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims.” Ponemon’s 2017 State of Endpoint Security Risk Report suggests that 69 percent of organizations don’t believe their antivirus can stop the threats they’re now seeing. Even FireEye reports “… in 100 percent of the breaches to which [they] responded … firewalls and antivirus protections were up to date.”
Antivirus software monitors for the signatures of known threats, so it can’t deal in real-time with all of the fresh attacks constantly evolving in dark web incubators. Other behavior-based security approaches use machine learning to identify threats. For example, if an email attachment tries to access a large number of files quickly or an unexpected file starts encrypting files, a behavior-based approach tries to shut it down. Today’s attackers simply avoid detection by changing the predictable characteristics of ransomware—slowing down or randomizing encryption or lying dormant for a period of time before executing the attack.
Over the past 5 years, healthcare data has fallen prey to unethical attacks that compromise sensitive patient information. If you look back at 2015, it was the worst year in healthcare data security when data breaches hit an all-time high by affecting 113 million individuals approximately.
As of today, the number of breaches reported to the Office for Civil Rights (U.S. Department of Health and Human Services) has been consistently increasing. Also, the number of individuals affected does not seem to improve despite regulatory enforcement procedures and laws drafted to put a check on this.
This infographic by Kays Harbor establishes a comparative analysis and infers how data breach patterns have evolved in all these years up to 2017. It highlights the following major findings:
HIPAA data breaches reported in 2017 were more than double the number of breaches in 2016. Though, the individuals that are estimated to be affected by these breaches was much less than the past four years.
Healthcare providers again made it to the top of the list for reporting 231 data breaches – highest in all these years.
Information technology continues to be a major reason for these breaches so far, showing an upward trend in contribution of hacking and IT incidents resulting in data loss.
Kentucky based healthcare organization, Commonwealth Health Corporation reportedly filed a breach confirmation related to theft affecting 697,800 individuals.
While Texas reported maximum hacking incidents, breached entities in California filed maximum thefts two years in a row.
Furthermore, it discusses the trends and predictions by the C-suite in healthcare industry for the coming year. David Muntz, principal at StarBridge Advisors said, “There seems to be a growing gap between the demand and supply of cybersecurity professionals that needs to be addressed. On the positive side, vendors are providing strict countermeasures for vulnerable products and services which will result in HIPAA being perceived as an enabler for data sharing as well.”
As a matter of fact, 2018 has set all hopes high and CIOs are looking forward to a decline in the breached numbers with active cybersecurity measures challenging the perils of vulnerable healthcare systems.
In time, this particular attack did manage to spread internationally from Europe over to America, but that only provided further evidence that ransomware, and cyber attacks more broadly, are a threat of seemingly unlimited potential. The failings of American healthcare to get its data safely organized look far less damning when the scale of cyber risk is made explicitly global, and even the NSA is caught off-guard by their own tools being turned into weapons in enemy hands.
Not Alone, but Not Ahead
Of course, that American hospitals weren’t the primary targets for once doesn’t remotely get them off the hook; nor does the jarring impact of this particular incident reflect a growing resilience among health data security in the U.S. American health data may not be alone in its vulnerability or attractiveness to thieves, but neither are our health systems leading the pack in protecting against ransomware, or any other form of cyber attack. Sadly, this wakeup call seems more likely to be heard outside of healthcare than within it; the scale makes it almost universally noteworthy, but otherwise it resembles a new status quo for data leaks in modern health systems.
Credit card data is relatively to protect; thieves are easily and quickly locked out of accounts, if not caught, thanks to everything from increased scrutiny by lenders and processing companies as well as consumer-facing transparency and 24/7 account monitoring via mobile credit card alerts and apps. Health data, by contrast, remains largely vulnerable. Clinics are not particularly good at recognizing fraud when thieves have a person’s medical data; hospitals have proven themselves no better at keeping that data secure in the first place. So compared to traditional identity theft leveraging plastic, digital health data presents a softer and more lucrative target end to end.
We live in a world where data and deception go hand in hand. So many everyday activities – from online shopping and banking to emailing and paying bills – are governed by passwords, profiles and personal details.
And as people’s phones, cars, and homes get smarter and more connected, the number of ways criminals can try and access and abuse your personal information is only going to rise.
Most people rely heavily on passwords to protect their information. But as quickly as organizations and financial institutions create safer and safer systems, hackers are finding smarter ways to commit cybercrime, and there are more and more cases of identity theft.
The payments landscape
For debit and credit card purchases and online banking, suppliers are making a shift from chip and PIN to contactless and app-based payment technologies, but these still have one thing in common – a thief who steals your card or phone might still be able to access your cash or personal information.
Finger vein recognition
Biometrics technology has been the focus of new innovative ways of authenticating people’s identities. Biometrics includes fingerprints, iris scanning, and facial recognition, but it’s finger vein recognition that looks set to shake up the way we secure our data.
Leading scientists at Hitachi, which patented the technology in 2005, has been developing new ways to incorporate VeinID into the everyday payments and personal data landscape.
How does it work?
The Hitachi sensor works by transmitting near-infrared light through the finger. This is partially absorbed by haemoglobin in your veins, which enables the device to capture your unique finger vein pattern profile. This is then matched with your account’s pre-registered profile to confirm your identity.
But what makes VeinID more safe and secure than other types of passwords and security options?
Your veins are unique
No two people, even identical twins, have the same finger vein pattern. And while most people have unique fingerprints, you leave fingerprints on objects you touch, making it possible for criminals to lift and replicate for their own use. As your veins are inside your finger, there’s no way of anyone else knowing what the pattern looks like and trying to copy it.
Fingers can’t be stolen
Relying heavily on fingerprints has caused public concern in the past. When Apple launched TouchID a few years ago, people were worried about criminals cutting off people’s fingers to gain access to their phone and personal data.
While these proved to be outlandish claims, finger vein recognition users can rest easy knowing that the VeinID sensors only work with living tissue. If your finger has been cut (or severed from your hand!) the veins collapse, meaning your unique pattern is lost. Obviously, this doesn’t prevent a determined criminal from cutting off your finger, but at least, if they do, they won’t be able to access your personal information.
The impact of the digital revolution is widespread, but arguably few industries have felt the impact more than the health informatics field. From medical mobile applications to vital-monitoring wearables, smart technology is taking the health care world by storm and remodeling patient care delivery.
Over the years, health informatics has strengthened provider-patient relationships and empowered patients to take control of their health care. But that’s just the beginning. Here’s a look at how health informatics will take shape in 2017 and continue to be one of the most promising fields for STEM careers.
Improving Patient and Hospital Information Security
Cybersecurity is top of mind for health care specialists as the world grows increasingly reliant on technology. From large retail chains to voting polls, cybersecurity breaches are on the rise. And hospitals are no exception. Earlier this year, a hospital in Kansas reported a cyber attack in which the hackers forced the hospital to pay a ransom in exchange for unfreezing their data.
Understandably, hospitals are desperately seeking new ways to improve the security of their data. Hospitals are addressing vulnerabilities by making security a part of their existing governance, risk management and business development initiatives. By building more secure network infrastructures and educating all staff, hospitals are able to better protect their information in the short term. In the longer term, it will come down to hiring more security specialists to identify and correct security threats. This is why the cybersecurity field is taking off and more individuals are earning cyber security degrees to gain entry into the field.
Decreasing Healthcare Costs in the Long Run
Before things get better, they tend to get worse—and that seems to be the case with healthcare costs. At first, the cost of health care will rise as hospitals and physicians’ offices purchase and implement new systems. But once the upfront cost has been covered, these new systems and machines will decrease operational costs for hospitals by simplifying daily processes.
On the other hand, individuals seeking health care will see the long term benefit thanks to the increased efficiency of electronic health records (EHRs). Since EHRs provide a comprehensive overview of health history, it will become easier to identify potential health risks and administer treatments early on with fewer doctor visits. Early detection and diagnosis is key to lowering health care costs and, ideally, making us a healthier population.
Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breaced three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.
Guest post by Craig Musgrave, senior vice president, information technology, The Doctors Company.
Healthcare entities remain the top target for cyber criminals. Not only do over 50 percent of all cyberattacks occur in the healthcare industry, but there have been 4,000 daily ransomware attacks—focused mostly on healthcare entities—since early 2016, a 300 percent increase over the 1,000 daily attacks in 2015.[i]
All types of organizations must take steps to ensure they are protected. The following are six questions you should ask your IT department to evaluate your cybersecurity readiness, and some answers to these perplexing problems most industries face today.
Does our organization use a security framework?
The National Institute of Standards and Technology Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to ensure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.
What are the top risks I should worry about?
Human interaction: Over 80 percent of attacks are made possible by human error or human involvement, such as downloading malicious files, clicking on malicious links, or running unknown USB on computer systems. You need to provide security training for all employees and maintain constant employee awareness of the risks. There should also be a significant investment in security solutions that can help prevent damage if an employee action leads to an attack.
Technology vulnerabilities: Vulnerabilities in your defenses may be known—or newly discovered when an attack happens. Invest in tools that scan for hardware and software vulnerabilities and invest in IT staff to constantly update and patch software.
External intruders: Addressing non-stop attempts to access your network through unsecured or vulnerable access points involves investing in technologies and strategies like multi-factor authentication, advanced firewalls, web application firewalls, external monitoring, and penetration tests.
Data loss: Protected health information (PHI) could be lost through an unapproved employee data transfer. Invest in tools that encrypt data-in-transit and educate employees on proper data transfer procedures.
Delayed detection: This is the inability to detect an intrusion due to an unknown vulnerability, misconfigured technology, or employee error. Invest in constant IT training on event management, security threat detection, incident response, and technology configuration. Execute threat simulations (penetration tests) and do a continual review of system configurations.
Attacks through privileged accounts: Hackers try to gain access to privileged accounts—such as domain admin, database admin, or external vendors—to reach secure areas within computer networks. For example, the major Target hack occurred when an employee of Target’s third-party HVAC vendor responded to a spear phishing e-mail. The utilization of Privileged Account Management systems enables one-use passwords for evaluated accounts.
Guest post by Justin Sotomayor, pharmacy informatics director, CompleteRx.
The field of health informatics has grown exponentially over the past 50 years. From Robert Ledley’s work paving the way for the use of electronic digital computers in biology and medicine in the 1950s, to the founding of the American Medical Informatics Association in the 1990s, to the launch of the Medicare/Medicaid Electronic Health Record Incentive Program in the 2000s, it continues to mark new milestones at an astounding pace, presenting both challenges and opportunities for the healthcare industry.
Three trends – in particular – will have a marked impact on patients and practitioners, and are certain to define health informatics in the near future, if not for years to come.
The end of Meaningful Use
In 2009, with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, came the launch of the Meaningful Use program – and the related requirement that healthcare providers show “meaningful use” of a certified EHR to qualify for incentive payments. With both Stage 1 (adoption) and Stage 2 (coordination of care and exchange of information) behind them, hospitals are fully responsible for Stage 3 (improved outcomes) by 2018. While, undoubtedly, the program has improved EHR adoption – in many cases, streamlining and enhancing patient care – it has been widely criticized. In a 2015 news release, the American Medical Association regarded Stage 2 as a “widespread failure,” suggesting it monopolized staff attention without commensurate benefit to patients, and hampered innovation.
Most recently, following highly-publicized remarks in January by CMS Acting Administrator Andy Slavitt that Meaningful Use would be replaced, the U.S. Department of Health and Human Services has proposed transitioning Meaningful Use for Medicare physicians to the “Advancing Care Information (ACI)” program under the Medicare Access and CHIP Reauthorization Act (MACRA). According to Mr. Slavitt, this program is designed to be “far simpler, less burdensome, and more flexible,” primarily by loosening the requirements to qualify for extra payments, and incentivizing providers based on treatment merit, known as Merit-based Incentive Payment System (MIPS). While this update doesn’t yet affect hospitals or Medicaid providers, and these groups should continue to prepare for full Meaningful Use implementation, it’s an indication that industry concerns over meaningful use are being heard and responded to, and that additional changes may be forthcoming.
Guest post by Mike Baker, founder and principal, Mosaic451.
Over the past couple of months, hospitals and other healthcare facilities have come under siege by cyber-criminals. However, the hackers aren’t after patient data; they never even access it. Instead, they are infecting computers with ransomware, a type of malware that locks down a system and prevents the owner from accessing their data until they pay a ransom, usually in Bitcoin. Among the high-profile attacks that have made headlines:
In February, Hollywood Presbyterian Medical Center in Los Angeles fell victim to the Locky virus, which disabled the organization’s computers and kept employees from accessing patients’ electronic health records (EHRs). Access was restored a week later, after the hospital paid a $17,000.00 Bitcoin ransom to the hackers.
Shortly afterward, Methodist Hospital in Henderson, Kentucky, also fell victim to Locky and was forced to declare an internal “state of emergency.” However, instead of paying the ransom, the hospital reported that it was able to restore its data from backups.
In late March, Maryland/DC-based MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics, was hit by an undisclosed ransomware virus that forced the organization to revert to paper records. Like Methodist Hospital, MedStar did not pay the ransom and restored its system using backups.
Although any organization can fall prey to ransomware, lately healthcare facilities have been the primary targets. Some experts feel the problem has reached crisis levels – and hackers are only getting started.
Why Ransomware Attacks are on the Rise
Ransomware is growing in popularity because it is far more lucrative than more traditional cyberattacks where hackers access and steal data. Once the data is stolen, the hacker must find a buyer. Then, the hacker has to negotiate a price. Conversely, in a ransomware attack, the hacker has a built-in “buyer” — the owner of the data, who is not in a position to negotiate on price.
Ransomware is also a simpler and quicker mode of attack than a data breach. Once a hacker has breached a system, downloading a large data set can take some time, during which the attack could be identified and halted. Because ransomware never actually accesses a system’s data – it just locks it down – it works far more quickly and covertly. Victims have no idea they have been compromised until they find they cannot access their system.
Guest post by Eduard Goodman, chief privacy officer, IDT911.
Earlier this year, Centene Corporation lost six hard drives containing personal and health information of almost one million of its clients, including names, addresses, dates of birth, Social Security numbers, member identification numbers and health information. Unfortunately, Centene is only one of many healthcare organizations that recently had their sensitive patient information exposed. More than 113 million health records were breached in 2015 – which translates to one out of every three Americans being affected by a healthcare record breach last year. Medical identity theft is a disastrous trend that needs to be addressed. The good news is there are many steps healthcare organizations can take to reduce the risk of data breaches.
Electronic Health Records
As more and more healthcare organizations transition away from paper medical records and move to electronic health records, it is critical that security features are put in place to protect the vast amount of data being collected. Just as the digitally stored health information is more easily accessible for employees, it is also easier for cyber criminals to access. According to the Ponemon Institute’s The State of Cybersecurity in Healthcare Organizations in 2016 report, nearly half of those surveyed said their organizations have experienced an incident involving the loss or exposure of patient information during the last year. Strong encryption, routine vulnerability patches and multi-factor authentication are key to protect health data.
Mobile and BYOD
Greater connectivity means more convenience, but this also opens more doors for hackers to access healthcare networks. Healthcare organizations should set clear BYOD policies so employees understand what can and cannot be accessed from mobile devices, what operating systems are approved for use on the network, what security features and settings are required and what type of data can be stored on devices. While using mobile devices can significantly improve productivity, it is important to minimize security risks in order to protect sensitive data.
Internet of Things
The Internet of Things is a growing trend in the tech world that has also become popular in the healthcare industry. Now, medical devices can collect, track and share enormous amounts of data instantly through internet connectivity. As these medical devices were most likely added to pre-existing networks, they may not have the necessary security protections. Security vulnerabilities are not just limited to EHR and health networks anymore – medical devices must be thoroughly inspected as well. Just as computers and servers are patched for vulnerabilities, medical devices that connect to healthcare networks must also be regularly patched. If these IoT enabled devices do not have the necessary layers of security, they will become an easy target for hackers to access the healthcare network.