Guest post by David Thompson, senior director, product management, LightCyber.
A targeted data breach is one of the most vexing problems facing healthcare organizations today. Just in the first three months of 2015 alone, 99 million patient healthcare records were compromised—that’s about one-third of the entire U.S. population, and those are just the ones we know about. According to some sources, 90 percent of healthcare organizations have already been breached, but we aren’t sure which ones.
The cybercriminals behind a targeted data breach do not want to be exposed—and make no mistake, these breaches are run by people, not autonomous software. Unlike the hackers of earlier days, these operatives want to stay hidden and conduct their work in secret. Even if they have successfully completed their initial goals—let’s say exfiltrate patient medical records—a cybercriminal team will likely want to stay undiscovered to continue to steal more data as it is collected, or leverage this access to break into another company. Often this will involve commandeering valid credentials from the first organization to gain access to another, perhaps a partner healthcare organization, an insurance company, an independent lab or some other entity.
The simple truth is that most healthcare organizations lack the means to detect an active data breach. First, let me define a data breach, since there is so much confusion over the term. A breach is the entire process—from initial network penetration through data exfiltration—that cybercriminals go through to achieve their goals.
Often a breach is perceived as only the initial penetration into the network or infection of a machine. This one act is over in an instant, but it is the focus of considerable security resources. In other words, a large proportion of security resources are devoted to preventing a single step in the breach process that lasts less than a minute and is only the first step toward a goal.
Also, initial penetration is not as easy to spot and block as you might guess. Since the way into the network may be accomplished through the use of valid credentials acquired through social engineering or clever spear phishing, detecting the intrusion can be difficult. Prevention of intrusions is based on the use of statically defined descriptions of software code or behavior (signatures and hashes), so it is successful mainly when known malware is used to conduct a breach. So, preventing an intrusion has a marginal success rate, but it is often seen as the last chance an organization has of defeating a targeted breach.
Once an attacker is inside the network, most organizations lack the ability to find them. At the same time, an attacker is inherently at a disadvantage, having landed inside an unfamiliar network. This disadvantage is quickly dissipated since they can often go completely undetected for weeks, months or even longer. The industry average dwell time is around six months, plenty of time for an attacker to explore a network and get at assets.
Why is it that organizations are seemingly powerless to find an active data breach once an intruder has penetrated a network? There are four main reasons.
Guest post by Todd Weller, vice president of product development, Hexis Cyber Solutions
According to a 2014 Identity Theft Resource Center Report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As the number of patient medical records transitions to a digital sharing model, the potential cost of data breaches is now substantially higher than for those less regulated, like retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as social security numbers and past medical records. With limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to implement stronger security levels. Despite these constraints, with the right technology and best practices in place healthcare organizations can position themselves for success.
The costs associated with “damage control” for many healthcare providers are steep, with the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act of 2009 up from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.
Unfortunately, many healthcare organizations are still facing challenges when it comes to effectively communicating and collaborating on security. In many of these healthcare organizations, there is a department for privacy and compliance and then a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the other’s data.
The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate, but when correlated against other activity they could indicate that malicious activity is occurring. A workstation that has always previously accessed clinical data or some other patient information doesn’t raise suspicion. But a subtle, steady increase in traffic, say of five or ten percent, correlated with communication to an unauthorized or new IP address, likely indicates a breach. The same example could apply to an external threat, with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware can replicate the very same scenario. Either way, a breach has occurred. The IT security department may discover the situation, investigate and handle it, and move on to the next task. But without visibility into this type of data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
IDC Health Insights announces a new report, “Business Strategy: Thwarting Cyber Threats and Attacks against Healthcare Organizations,” which features findings from the 2014 IDC Insights Cross Industry Cyber Threat Survey. The report is designed to gauge how financial services, healthcare provider organizations and retailers are responding to increasing cyber threats and the impact of successful attacks on business operations. The study also highlights how healthcare organizations are investing in their cyber strategy to protect their most valuable electronic assets.
Today’s healthcare organizations are at greater risk of a cyber attack than ever before, in part because electronic health information is more widely available today than at any point in the nearly 20 years since the Health Insurance Portability and Accountability Act was passed in 1996. Cyber criminals view healthcare organizations as a soft target compared to financial services and retailers because historically healthcare organizations have invested less in IT, including security technologies and services, than other industries, thus making them more vulnerable to successful cyber attacks.
The value of health information, which can be used to commit medical fraud, is surpassing the value of social security and credit card numbers on the black market, thus increasing the attractiveness of stealing health information.
Key findings include:
After physical loss or theft of a laptop, mobile or portable device, malicious hacking or IT incident was the most common breach reported on the Department of Health and Human Services (DHHS) website. In 2013, 20 (out of 175) breaches related to hacking or an IT incident represented 9 percent of the individuals affected and 11.4 percent of the attacks.
All respondents of the 2014 IDC Insights Cross Industry Cyber Threat Survey reported that they had experienced a cyber attack in the past 12 months; 39.4 percent reported that they were attacked more than 10 times and 27.1 percent of the attacks were described as “successful attacks.”
Security is a top IT initiative for health care providers. In 2014, according to the 2014 IDC Global Technology and Industry Research Organization IT Survey, security and risk management technologies were the number 1 initiative (29.0 percent). In 2013, it was also the top ranked initiative (20.1 percent).
Approximately one out of four cyber attacks had an impact on normal business operations. The majority of respondents (52.2 percent) indicated that the shortest impact lasted less than an hour and 43.3 percent reported that the longest duration was between eight and 24 hours.
The overwhelming majority of healthcare executives reported that their spending on cyber threats increased (59.6 percent) or stayed the same (38.3 percent) over the last three years. On average, the increase for those respondents that reported an increase was 14.8 percent.
Consumers highly value their privacy, according to the 2014 IDC Insights Cross-Industry Consumer Experience Survey, but are not as confident that healthcare organizations are adequately protecting their data. Concerned consumers are willing to end a healthcare relationship after a breach, including changing their care providers (21.6 percent) and changing health plans (5 percent).
Guest post by Reed Liggin, founder and president, RazorInsights.
Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009, rural, community and critical access hospitals have been turning to electronic health record (EHR) systems to receive significant incentive payments based on meeting meaningful use regulations. However, the impact on workflow makes achieving a return on investment (ROI) after implementation challenging. Additionally, the burden is placed on these hospitals’ small IT departments to meet federally mandated deadlines such as meaningful use.
According to a 2014 HIMSS Analytics survey, 83 percent of healthcare providers are using cloud services. Compared to server-based networks, the cloud is especially beneficial to rural hospitals because of the lower upfront, implementation and maintenance costs, resulting in increased ROI. The cloud system’s pay-as-you-use method removes the need for expensive hardware, and the accessibility and security of patient records improves efficiency and patient care, allowing hospitals to prove they are meaningfully using EHR technology.
Implementation and Maintenance
Because of budgetary restraints, rural hospitals typically have outdated technology, and some areas do not even have computers. Recently, I visited a hospital with only one computer on each floor and no EHR system in place at all. Because of this, these hospitals must implement user-friendly healthcare technology that is easily implemented across the network, even for clinicians with limited or no experience in a high-tech environment. This type of easy-to-use EHR system not only improves patient care, but also helps hospitals qualify for federal incentive payments. However, time is running out. Hospitals only have one more year to receive incentives for being MU compliant. After this timeframe they not only won’t receive payments, but they will be penalized financially for not meeting regulations, which is especially detrimental to smaller hospitals.
Cloud-based solutions allow hospitals to deploy EHR systems quickly and at a lower cost. While server-based EHR systems can cost $40,000 or more, a cloud network does not require any hardware to be installed on-site. Therefore, upfront, implementation and maintenance costs are much lower than for a server-based solution. Less hardware means less opportunity for failure; thus, maintenance costs decrease drastically, as the lifespan of a cloud-based system is much longer than that of a physical server solution.
Dr. Cliff Bleustein, chief medical officer and head of Dell’s global healthcare consulting services, leads an integrated team of clinical, business, and technical professionals who provide expertise to health systems, hospitals, physician practices, health plans and life sciences organizations. Here he discusses Dell’s healthcare vision; improving patient engagement and how he defines the term; data security; and trends that he thinks will be worth tracking in the near term — here’s a hint: smartphones, yes; wearables, no.
In your new role as chief medical officer and global head of healthcare consulting at Dell Services, what are your responsibilities?
As chief medical officer, I play a key role in Dell Services’ healthcare division supporting our aggressive strategic initiative to revolutionize the way healthcare is managed. I spend a lot of time listening to customers and helping them to better manage patient-specific data that spans the entire continuum of care. Ultimately, better information and technology will drive improvements in quality, patient safety, efficiency and outcomes. I help shape our strategy and ensure that it meets the needs of our customers, both now and in the future.
Tell me about your background in healthcare and how you came to be passionate about the space.
Ever since I was a child, I knew that I wanted to be a physician. Originally I was fascinated with the ability of body builders to be able to grow muscle to such huge proportions and lift weights several times greater than their mass. As my career developed, I focused on how treatments and diagnostics could move from the lab to the bedside. During training and private practice, I became more involved in understanding how systems work and function and what drives them. I was fortunate enough in my career to work internationally, as well. This gives a much broader view about how healthcare can be improved on a larger scale. I am driven by a desire to continue to disrupt the market with new technologies and solutions that can have a meaningful impact on improving health at scale.
What is Dell’s background in healthcare IT and why does the company put an emphasis on this sector (other than for obvious financial reasons)?
People are often surprised to learn that Dell has more than 20 years of experience in serving healthcare customers. That, combined with our deep bench of clinical and technical experts, is why Gartner has ranked Dell number one among healthcare IT service providers for four years running. But it goes beyond that; it’s also personal. Michael Dell is keenly interested in exploring how technology can improve healthcare systems around the globe. And we have thousands of employees who get up every day and focus solely on the needs of our healthcare customers. With an aging population and the impact of chronic diseases, such as heart disease and diabetes, we must find ways to reduce cost, improve productivity and improve health outcomes. Technology has a huge role to play. We also know we can’t do it alone, and for that reason we work with and partner with some of the leading companies in the industry.
What solutions does Dell offer and how do they set the company apart from competing vendors?
What sets Dell apart is our holistic approach. It’s not enough to just add technology. It’s also about connecting people to the right technology and integrating that technology into their workflows. Processes need to be re-examined and, in many cases, re-engineered. So, in addition to the traditional IT products and services Dell is known for, we also offer a robust suite of solutions and services that are specially designed for healthcare. These include secure cloud solutions such as our Unified Clinical Archive, EHR implementation, mobile clinical computing, sophisticated analytics tools, social media integration, HIX and HIE services and support, and clinical transformation. We also have a strong focus on the life sciences, with a genomics analysis platform that supports clinical trials investigating personalized treatments for cancer.