By Brad Spannbauer, senior director of product management, eFax Corporate.
When it comes to cybersecurity, healthcare organizations are up against a constantly shifting threat landscape. New technologies and techniques, employed by increasingly advanced criminals, require organizations to be proactive in their defense efforts, or they risk being outsmarted by those who seek to expose them. But security threats don’t just come from external sources; risks are just as prevalent within organizations. In fact, the latest edition of Verizon’s Data Breach Investigations Report found that healthcare is the only industry where insiders pose the greatest threat to sensitive data, with 58 percent of incidents coming from within.
Whether malicious in intent or the result of innocent mistakes by healthcare workers doing their best in a high-stress environment, a failure to recognize these risks and apply appropriate safeguards can have grave consequences for healthcare providers. For example, an IBM & Ponemon Institute study revealed that healthcare data breaches cost organizations $408 per record on average, which is more than three times the global average across all other industries. That may not seem like a lot of money, but multiplied by the thousands of records that could be contained on a stolen and unencrypted laptop, it adds up to a significant financial penalty.
It has become clear in the last few years that when it comes to cybercrime, hackers are not fussy about which organization or sector they focus on – if there’s profit to be made, anyone is a potential target.
However, there are of course institutions which will always be of particular desirability to cybercriminals. Financial institutions, banks and retail are among the most targeted because the goal of most cyberattacks is financial gain, and organizations in these industries are the most lucrative targets for cybercriminals. The healthcare sector is also heavily targeted because of the personal data it holds. This data may be stolen and used for different purposes, including fraud. As a consequence, the focus on healthcare institutions by hackers has ramped up in recent years.
This increased attention on the health sector is due to hackers seeing it as an inexhaustible source of money. On multiple occasions, media reports have described leaks of data from medical centers, followed by a ransom demand sent to clinic management and patients.
There are a number of other ways criminals can monetize attacks on healthcare equipment and applications. These include threatening patient health by altering stored information; using stolen data to fraudulently obtain access to medical care or controlled medications; leveraging personal information on patients and their family members; and sabotaging websites and/or infrastructure on behalf of unscrupulous competitors. Attacking healthcare institutions also allows criminals to resell stolen data to third parties such as insurance companies, healthcare providers, banks, and others, who can use this valuable information for a number of purposes (such as advertising, research, or even discrimination based on pre-existing conditions).
One such specific way that criminals can carry out attacks is by exploiting advancements in health technology and equipment in recent years. We’ve seen an increasing number of medical devices such as pacemakers, drug pumps (like insulin infusion devices), implantable defibrillators, and other devices implementing wireless connectivity for doctors to control and fine-tune their work and update firmware. This makes these devices potentially incredibly dangerous for patients. A criminal could research and reverse communication protocols and exploit vulnerabilities in a simple piece of software used in those tiny devices, for example changing the heart rate controlled by pacemakers, injecting incorrect doses of drugs or even making them show the wrong data — leading doctors to the wrong conclusions and causing them to make mistakes in their treatment.
With new technology come new terminologies, like cybersecurity. Unfortunately, this new technology also spawns new methods to bypass security measures. And while data breach may not be a new term or even a new problem, in 2019 it has become a massive issue, particularly in the healthcare industry.
In 2015 alone, there were more than 750 cyber data breaches, with the top seven cumulatively involving 193 million personal records that were available for hackers to use for fraudulent activities and identity theft. The top three data breaches that year were all in the healthcare industry.
Healthcare records are full of highly sensitive information, from social security numbers and other personal data to medical histories and health insurance information — everything a hacker needs to steal someone’s identity. But besides the wealth of juicy details these records include, it’s the vulnerability that exists in the industry that attracts trouble.
Besides being a repository of vital information that hackers need, the healthcare industry has been particularly vulnerable because of the weak link philosophy. You’ve probably heard that a chain is only as strong as its weakest link. This is also true when it comes to cybersecurity. And it’s something hackers prey on.
According to a 2016 Healthcare Industry Cybersecurity Report, the healthcare industry had the fifth highest amount of ransomware counts of all industries. The report also stated that more than 77 percent of the entire industry was infected with malware. According to the report, the most prevalent weaknesses existed in “health treatment centers, insurance providers, manufacturers and hospitals.” In other words, everywhere.
The authors of the report mention how the industry is facing pressure from both sides: from hackers who specifically target them and employ different methods in doing so, and from regulatory agencies who are trying to prevent this from happening.
The problem doesn’t rest with the IT departments in most cases, but rather with the employees who aren’t prioritizing, or even aware of, security issues and with those who have been tasked with training and managing them.
“The low social engineering scores,” the report states, “among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient and this poses a real risk to those organizations.” Hackers know that these employees represent low-hanging fruit. This is why they’ve become such a target.
The main risks, according to the report, are the wireless devices so prevalent in the industry and the amount of information that’s exchanged through them. While these devices are beneficial for their speed and access to information, the way in which they’ve been mishandled and implemented is resulting in added security risks.
How these breaches affect consumers
A survey by Accenture in February of 2017 revealed that healthcare security breaches affect 26 percent of U.S. consumers. And 50 percent of those had their identity stolen, resulting in an average out-of-pocket cost of $2,500 per person. That means for every eight people, one person has had their identity stolen as a result of a healthcare data breach. But perhaps the greater aspect of this problem is reach, as in nearly everyone has health records in the system.
In the largest healthcare data breach to date, Anthem Blue Cross, in January of 2015, had 78.8 million patient records stolen. This included information such as dates of birth, addresses, and social security numbers: the information hackers most need to steal someone’s identity.
In the case of the Anthem Blue Cross breach, consumers weren’t told about the breach by law enforcement or Anthem themselves. They found out the hard way: by noticing something was wrong on their bank and credit card statements.
How healthcare companies can improve security
The need to take extra precautions when dealing with sensitive healthcare data is obvious. But if the problem was easy to solve, it wouldn’t be a problem to begin with. And unfortunately, for every zig in security measures, there are a hundred hackers ready to zag.
Assess the larger risk as it pertains to the entire system, rather than relying on specific vulnerability analyses.
Always know where your sensitive data is being stored.
Improve training across the board. Impart the risks and precautions to employees, and make certain all understand policies and procedures before handling any consumer data.
Address the issue of third-party vendors. Make sure they’re handling your sensitive data properly.
Reinforce the infrastructure, including all software, with extra cybersecurity measures.
While the theft of information that leads to someone’s identity being stolen is the main risk, it isn’t the only risk. When sensitive medical conditions are made public, it can affect a person’s ability to get or keep a job and their professional and personal relationships.
The impact on businesses and organizations is also dire when leaks occur, as their trust, credibility, and reputation suffer dramatically. They also open themselves up to the possibility of massive fines and lengthy investigations.
The FDA recently issued new guidelines for securing data in medical devices, such as smartphone apps. This is especially important, as the HIPAA (Health Insurance Portability and Accountability Act) Journal has stated that 91 percent of cyberattacks are the result of personalized phishing emails sent to employees.
Abbott and The Chertoff Group, a security and risk management advisory group, have released a white paper that shares key findings from a recent study of 300 physicians and 100 hospital administrators on cybersecurity challenges in the hospital environment. Results found that while physicians and hospital administrators view cybersecurity as a priority, the majority of them feel under prepared to combat cyber risks in the connected hospital.
“Cybersecurity is a shared responsibility across all of us working in today’s healthcare system,” said Chris Tyberg, divisional vice president, product security, Abbott. “Hospitals are critical hubs within this system, and as the use of advanced medical technology and attention to cybersecurity and connected health increases, it is important for us to understand the challenges hospitals face and how we can collaborate on potential solutions.”
The survey revealed several key findings, including:
Cybersecurity is a priority in today’s connected hospital: 92 percent of physicians and 91 percent of hospital administrators say that keeping patient and hospital data secure is a focus of their hospital.
Physicians and hospital administrators feel underprepared to combat cyber risks: 75 percent of physicians and 62 percent of hospital administrators feel inadequately trained or prepared to mitigate cyber risks that may impact their hospital.
Physicians and hospital administrators view medical device cybersecurity as a shared responsibility: 71 percent of physicians and 74 percent of hospital administrators believe cybersecurity is a shared responsibility among all participants in the healthcare system.
Communication about medical device cyber-related vulnerabilities can improve: Only 15 percent of physicians and 45 percent of administrators report having seen or read advisories related to medical device security in the last six months.
Standards are widely desired: 82 percent of physicians and 73 percent of administrators believe there should be industry-wide standards and consistent terminology.
Using these survey insights, Abbott partnered with The Chertoff Group to develop the white paper on connected healthcare security, which outlines key considerations for managing cybersecurity risk in the connected hospital. The white paper, “Building a More Secure Connected Healthcare Environment,” identifies how members of the healthcare ecosystem can work together to mitigate cybersecurity risk while preserving the benefits of connected medical devices for patients.
The white paper calls for the healthcare industry to come together to address three key areas:
Industry-wide standards and cybersecurity by design to ensure cybersecurity protections are built into medical device development and that physicians and patients feel confident in the security and safety of the devices they use.
Investment in cybersecurity incident response processes for identifying and responding to vulnerabilities in a timely manner, while supporting safe clinical care.
Improved education, focus and training to increase all stakeholders’ understanding of cyber risk in the healthcare setting.
When it comes to cybercrime, online attacks often follow seasonal trends. So as the kids head back to school, it’s safe to assume that cybercriminals have learned and developed some new ransomware tricks that will be coming to a computer near you this fall.
If you are like most healthcare organizations, you’re probably not prepared to deal with this new wave of attacks. Amongst the endless flow of sensationalistic cyberattack headlines, including NotPetya and the Erie County Medical Center, it’s easy to become numb to the threat of ransomware—choosing to believe that your organization is either too small to be a likely target or that your existing cybersecurity measures provide adequate protection. Unfortunately, this optimism has imperiled many healthcare providers and, in turn, the patients they serve.
When a ransomware disaster struck A1Care 12 years ago, CEO Percy Syddall wasn’t sure how hackers evaded his company’s defenses. All he knew was that A1Care’s computers were locked down and the perpetrators who promised to restore the system upon payment kept changing their demands. Each day the problem went unsolved further disrupted the in-home elderly care, facility placements and case management services that A1Care’s clients depended upon and threatened to destroy the business Syddall had worked so hard to build.
The Rise of Ransomware
The biggest cybersecurity concern used to be hackers invading healthcare systems to steal sensitive patient data and then selling it to the highest bidder. But today, one of the easiest assaults on a computer system is ransomware—a debilitating attack through which an anonymous criminal encrypts your files and then forces you to pay them whatever amount they request in order to regain access to your system—and all the important files it may contain.
SonicWall recently reported there have been 181.5 million ransomware attacks during the first six months of 2018, which marks a 229 percent increase over this same time frame in 2017. Encrypted threats are up 275 percent over last year.
Why has ransomware become the primary cyber threat out there? Most experts point to four primary factors:
Finding a buyer: The key to any successful transaction is finding a buyer that is willing to pay to acquire whatever it is that you are selling. When it comes to selling data on the dark web, searching for a buyer is tricky and comes with many risks. Selling something directly to the person you stole it from improves the odds of getting paid quickly and quietly.
The US government: In 2017, Shadow Brokers compromised government security defenses and delivered to the world the tools the NSA had been using to break into computers of its adversaries. Created at a huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and are being used against businesses and civilians. The WannaCry attack was born from these tools, as was the Petya attack which shut down millions of computers across the globe with demands for payments in order to restore access.
Cryptocurrency: In the old days, collecting a ransom involved suitcases full of cash (containing bills that could be marked) or wire transfers (which could be tracked). The cash then had to be laundered, which meant only large criminal organizations typically had the necessary resources. Today, anyone can sign up for a cryptocurrency wallet in a matter of minutes—some criminals even provide their victims with simple to follow instructions. With cryptocurrency, neither the wallet nor the resulting transactions can be easily connected to any real-world identities.
Ransomware-as-a-Service: Once upon a time, cybercriminals had to develop their own malware, which required coding skills and at least some knowledge of operating systems, networking and hardware. Now, easy-to-use “ransomware as a service” can be purchased cheaply on the darknet. Some vendors even offer customer support for buyers of their malware. And would-be hackers who want customized ransomware can hire black-hat coders for its development.
Healthcare is a favorite target for hackers
Smaller healthcare organizations are an easy target for hackers because most don’t have adequate financial or technical resources to defend themselves against the onslaught of attacks. According to Cryptonite, healthcare organizations have reported an 89 percent year-over-year increase in ransomware attacks.
No healthcare provider wants to be a victim of a ransomware attack, but cybersecurity is a complex problem that requires multiple layers of defenses. Many owners of healthcare organizations feel they can’t afford to keep their practice safe because it typically requires deploying sophisticated endpoint technologies such as antivirus, anti-malware software and firewalls to keep intruders out, and then hiring resources to keep up with frequent software updates, data backups and equipment security updates, as well as providing security training for staff.
Industry experts estimate that an organization with 50 employees may have to spend upward of $50,000 to have the best possible protection against cyberthreats and then thousands of dollars each year to keep everything up to date. But even when organizations make this investment in security, they might still have a breach.
Minding the security gap
Hackers are becoming extremely resourceful and have found ways to circumvent even the most advanced antivirus and anti-ransomware solutions. These solutions cannot protect against Fully UnDetectable (FUD) threats that were conceived by cyber criminals to directly evade existing security layers and harm data.
Recent Tenable research reveals, “cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims.” Ponemon’s 2017 State of Endpoint Security Risk Report suggests that 69 percent of organizations don’t believe their antivirus can stop the threats they’re now seeing. Even FireEye reports “… in 100 percent of the breaches to which [they] responded … firewalls and antivirus protections were up to date.”
Antivirus software monitors for the signatures of known threats, so it can’t deal in real-time with all of the fresh attacks constantly evolving in dark web incubators. Other behavior-based security approaches use machine learning to identify threats. For example, if an email attachment tries to access a large number of files quickly or an unexpected file starts encrypting files, a behavior-based approach tries to shut it down. Today’s attackers simply avoid detection by changing the predictable characteristics of ransomware—slowing down or randomizing encryption or lying dormant for a period of time before executing the attack.
Over the past 5 years, healthcare data has fallen prey to unethical attacks that compromise sensitive patient information. Looking back at 2015, it was the worst year in healthcare data security, when data breaches hit an all-time high by affecting approximately 113 million individuals.
As of today, the number of breaches reported to the Office for Civil Rights (U.S. Department of Health and Human Services) has been consistently increasing. Also, the number of individuals affected does not seem to improve despite regulatory enforcement procedures and laws drafted to put a check on this.
This infographic by Kays Harbor establishes a comparative analysis and infers how data breach patterns have evolved in all these years up to 2017. It highlights the following major findings:
HIPAA data breaches reported in 2017 were more than double the number of breaches in 2016. However, the number of individuals estimated to be affected by these breaches was much lower than in the past four years.
Healthcare providers again made it to the top of the list for reporting 231 data breaches – highest in all these years.
Information technology continues to be a major reason for these breaches so far, with hacking and IT incidents contributing a growing share of data loss.
Kentucky-based healthcare organization Commonwealth Health Corporation reportedly filed a breach confirmation related to theft affecting 697,800 individuals.
While Texas reported the most hacking incidents, breached entities in California filed the most thefts two years in a row.
Furthermore, it discusses the trends and predictions by the C-suite in the healthcare industry for the coming year. David Muntz, principal at StarBridge Advisors, said, “There seems to be a growing gap between the demand and supply of cybersecurity professionals that needs to be addressed. On the positive side, vendors are providing strict countermeasures for vulnerable products and services which will result in HIPAA being perceived as an enabler for data sharing as well.”
As a matter of fact, 2018 has set all hopes high and CIOs are looking forward to a decline in the breached numbers with active cybersecurity measures challenging the perils of vulnerable healthcare systems.
In time, this particular attack did manage to spread internationally from Europe over to America, but that only provided further evidence that ransomware, and cyber attacks more broadly, are a threat of seemingly unlimited potential. The failings of American healthcare to get its data safely organized look far less damning when the scale of cyber risk is made explicitly global, and even the NSA is caught off-guard by their own tools being turned into weapons in enemy hands.
Not Alone, but Not Ahead
Of course, that American hospitals weren’t the primary targets for once doesn’t remotely get them off the hook; nor does the jarring impact of this particular incident reflect a growing resilience among health data security in the U.S. American health data may not be alone in its vulnerability or attractiveness to thieves, but neither are our health systems leading the pack in protecting against ransomware, or any other form of cyber attack. Sadly, this wakeup call seems more likely to be heard outside of healthcare than within it; the scale makes it almost universally noteworthy, but otherwise it resembles a new status quo for data leaks in modern health systems.
Credit card data is relatively easy to protect; thieves are easily and quickly locked out of accounts, if not caught, thanks to everything from increased scrutiny by lenders and processing companies to consumer-facing transparency and 24/7 account monitoring via mobile credit card alerts and apps. Health data, by contrast, remains largely vulnerable. Clinics are not particularly good at recognizing fraud when thieves have a person’s medical data; hospitals have proven themselves no better at keeping that data secure in the first place. So compared to traditional identity theft leveraging plastic, digital health data presents a softer and more lucrative target end to end.
We live in a world where data and deception go hand in hand. So many everyday activities – from online shopping and banking to emailing and paying bills – are governed by passwords, profiles and personal details.
And as people’s phones, cars, and homes get smarter and more connected, the number of ways criminals can try and access and abuse your personal information is only going to rise.
Most people rely heavily on passwords to protect their information. But as quickly as organizations and financial institutions create safer and safer systems, hackers are finding smarter ways to commit cybercrime, and there are more and more cases of identity theft.
The payments landscape
For debit and credit card purchases and online banking, suppliers are making a shift from chip and PIN to contactless and app-based payment technologies, but these still have one thing in common – a thief who steals your card or phone might still be able to access your cash or personal information.
Finger vein recognition
Biometrics technology has been the focus of new innovative ways of authenticating people’s identities. Biometrics includes fingerprints, iris scanning, and facial recognition, but it’s finger vein recognition that looks set to shake up the way we secure our data.
Leading scientists at Hitachi, which patented the technology in 2005, have been developing new ways to incorporate VeinID into the everyday payments and personal data landscape.
How does it work?
The Hitachi sensor works by transmitting near-infrared light through the finger. This is partially absorbed by haemoglobin in your veins, which enables the device to capture your unique finger vein pattern profile. This is then matched with your account’s pre-registered profile to confirm your identity.
But what makes VeinID more safe and secure than other types of passwords and security options?
Your veins are unique
No two people, even identical twins, have the same finger vein pattern. And while most people have unique fingerprints, you leave fingerprints on objects you touch, making it possible for criminals to lift and replicate for their own use. As your veins are inside your finger, there’s no way of anyone else knowing what the pattern looks like and trying to copy it.
Fingers can’t be stolen
Relying heavily on fingerprints has caused public concern in the past. When Apple launched TouchID a few years ago, people were worried about criminals cutting off people’s fingers to gain access to their phone and personal data.
While these proved to be outlandish claims, finger vein recognition users can rest easy knowing that the VeinID sensors only work with living tissue. If your finger has been cut (or severed from your hand!) the veins collapse, meaning your unique pattern is lost. Obviously, this doesn’t prevent a determined criminal from cutting off your finger, but at least, if they do, they won’t be able to access your personal information.
The impact of the digital revolution is widespread, but arguably few industries have felt the impact more than the health informatics field. From medical mobile applications to vital-monitoring wearables, smart technology is taking the health care world by storm and remodeling patient care delivery.
Over the years, health informatics has strengthened provider-patient relationships and empowered patients to take control of their health care. But that’s just the beginning. Here’s a look at how health informatics will take shape in 2017 and continue to be one of the most promising fields for STEM careers.
Improving Patient and Hospital Information Security
Cybersecurity is top of mind for health care specialists as the world grows increasingly reliant on technology. From large retail chains to voting polls, cybersecurity breaches are on the rise. And hospitals are no exception. Earlier this year, a hospital in Kansas reported a cyber attack in which the hackers forced the hospital to pay a ransom in exchange for unfreezing their data.
Understandably, hospitals are desperately seeking new ways to improve the security of their data. Hospitals are addressing vulnerabilities by making security a part of their existing governance, risk management and business development initiatives. By building more secure network infrastructures and educating all staff, hospitals are able to better protect their information in the short term. In the longer term, it will come down to hiring more security specialists to identify and correct security threats. This is why the cybersecurity field is taking off and more individuals are earning cyber security degrees to gain entry into the field.
Decreasing Healthcare Costs in the Long Run
Before things get better, they tend to get worse—and that seems to be the case with healthcare costs. At first, the cost of health care will rise as hospitals and physicians’ offices purchase and implement new systems. But once the upfront cost has been covered, these new systems and machines will decrease operational costs for hospitals by simplifying daily processes.
On the other hand, individuals seeking health care will see the long term benefit thanks to the increased efficiency of electronic health records (EHRs). Since EHRs provide a comprehensive overview of health history, it will become easier to identify potential health risks and administer treatments early on with fewer doctor visits. Early detection and diagnosis is key to lowering health care costs and, ideally, making us a healthier population.
Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breached three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.