Cybercrime is on the rise, and 2015 has been dubbed “the year of the healthcare hack” as healthcare providers receive federal incentives to implement new Electronic Health Record (EHR) systems. These new systems make the healthcare industry an inviting target for increasingly sophisticated and organized attackers.
This year’s biggest health data breach victims include the insurers Premera and Anthem, affecting nearly 100 million patients combined. The Office of Personnel Management breach exposed records on more than 20 million federal employees; some of those records included behavioral health data and biometric identifiers such as fingerprints.
It’s clear that healthcare organizations must strengthen their cyber security systems to protect themselves and their patients, or they’ll be targeted again. Yet healthcare is still 20 years behind other sectors, in terms of cyber security technology adoption, and catching up is costly.
Where Threats Come From
Attackers have a specific goal in mind: steal protected health information (PHI). This information includes Social Security numbers and other data elements, usually personal identifiers, that carry significant value on the black market and can be used to access a patient’s other online financial accounts.
Healthcare’s IT landscape is inviting and lucrative to hackers because it contains highly integrated systems, stores massive amounts of PHI and lacks strong cyber security. At Anthem and Premera, the breaches went undetected for some time, which works in the attacker’s favor: more time to move through the network, locate the objective and potentially cover their tracks.
CISOs of healthcare organizations should devise security plans that address several different groups of threat actors:
• The same groups that target defense, finance, energy and retail also target healthcare. This includes nation-state-sponsored groups hunting a range of digital assets: VIP patient records, advanced medical research, or details of business ventures in countries such as China.
• Financially motivated criminals interested in identity theft and fraud.
• Insider threats: employees who may be interested in stealing drugs, and researchers (sometimes foreign nationals) who keep research data on personal laptops and can, knowingly or unknowingly, take it with them to their home country or to a competing healthcare organization.
• Terrorist groups and hacktivists, who have their own reasons for targeting healthcare.
The threat actors have always been the same; the mass targeting has shifted to healthcare.
Health IT Triage: Learning from the Emergency Department Workflow
Tactically speaking, IT staff in healthcare organizations must understand that they personally are a target and change their behavior accordingly. Those in IT typically hold higher-privileged access to data than most employees. Attackers know this and will target them first.
Strategically, healthcare organizations must change the way they have operated for the past 30+ years. Speed and availability are still important attributes for IT, but cyber security is now another significant business differentiator. Some experts recommend a silo approach, applying network segmentation to the servers that hold sensitive healthcare information. This segregates the high-risk servers from the rest of the organization’s network, including its more vulnerable components, so that a compromise elsewhere does not give direct access to PHI.
Instead of a mandate to “protect everything on the network,” IT staff must work more like a triage unit, centralizing and protecting the most critical resources (data, and the medical devices that patients depend on). This comes down to understanding what is important to the business, and it concentrates defense-in-depth on the organization’s most critical business components.
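To make the segmentation idea concrete, here is an added example (not code from the original article) that expresses a default-deny flow policy between a PHI database segment and the rest of a hospital network, checks constructed connection records against it, and renders the same policy as nftables rules. The zone names, subnets, ports and sample records are all hypothetical assumptions.

```python
"""Segmentation policy check for a PHI environment.

Added illustration, not code from the original article. Zone names,
subnets, ports and the allowed-flow list are hypothetical assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical zones: the high-risk servers holding PHI sit in their own
# segment, separate from the general clinical and guest networks.
ZONES = {
    "phi_db":      ipaddress.ip_network("10.10.1.0/24"),   # EHR database servers
    "ehr_app":     ipaddress.ip_network("10.10.2.0/24"),   # EHR application tier
    "clinical":    ipaddress.ip_network("10.20.0.0/16"),   # clinician workstations
    "med_devices": ipaddress.ip_network("10.30.0.0/16"),   # infusion pumps, monitors
    "guest_wifi":  ipaddress.ip_network("172.16.0.0/16"),  # patients and visitors
}

# Default-deny allow-list: (source zone, destination zone, TCP destination port).
# Workstations reach PHI only through the application tier, never the database.
ALLOWED_FLOWS = {
    ("clinical", "ehr_app", 443),
    ("med_devices", "ehr_app", 443),
    ("ehr_app", "phi_db", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow: Flow) -> bool:
    """Default deny: a flow is permitted only if its zone pair and port are listed."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.dport) in ALLOWED_FLOWS


def parse_flow(line: str) -> Flow:
    """Parse 'src=A dst=B dport=N' records (constructed log format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def find_violations(lines):
    """Return the flows that cross a zone boundary the policy does not permit."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


def render_nft_rules(chain="phi_segmentation"):
    """Render the allow-list as an nftables chain with a drop default."""
    rules = [f"chain {chain} {{", "    type filter hook forward priority 0; policy drop;"]
    for src, dst, port in sorted(ALLOWED_FLOWS):
        rules.append(f"    ip saddr {ZONES[src]} ip daddr {ZONES[dst]} tcp dport {port} accept")
    rules.append("}")
    return "\n".join(rules)


# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    "src=10.20.5.17 dst=10.10.2.10 dport=443",   # workstation -> EHR app: allowed
    "src=10.10.2.10 dst=10.10.1.5 dport=5432",   # EHR app -> PHI DB: allowed
    "src=172.16.9.3 dst=10.10.1.5 dport=5432",   # guest wifi -> PHI DB: violation
    "src=10.20.5.17 dst=10.10.1.5 dport=5432",   # workstation bypassing app tier: violation
    "src=10.30.4.2 dst=10.20.5.17 dport=445",    # medical device -> workstation SMB: violation
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {zone_of(f.src)} -> {zone_of(f.dst)}:{f.dport}  ({f.src} -> {f.dst})")
    print(render_nft_rules())
```

The check and the rendered rules are generated from one policy table, so the flows the firewall permits and the flows the monitoring treats as normal cannot drift apart; a record that fails the check is either a misconfiguration or a host that has been compromised and is probing the PHI segment.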
Healthcare organizations should also look to their HIPAA compliance programs as a platform from which to build, drawing upon risk assessments and data classification exercises to identify the most at-risk components of their network. Focusing on high-risk elements containing PHI, organizations can allocate budget to mitigate those risks and, as the security program matures, work to address less critical risks.
Another way to strengthen a strategic architecture is to reduce the mean time to detection (MTTD) and mean time to respond (MTTR). The earlier an intrusion is detected in the attack life-cycle, the sooner it can be thwarted and the exposure remediated. To do this, the industry must dedicate resources to continuous monitoring and ongoing improvement of its security posture.
Preparing Staff; Changing Behavior
Healthcare has culturally been a very open, trusting and collaborative community, so changing the way people in it operate and behave is hard and will take time.
Some organizations have an entire department dedicated to training users and shaping behavior to be more mindful of data security and patient privacy. This goes beyond traditional security awareness presentations and annual certifications. They focus on educating the staff and clinicians by first making them aware of the threat, training them on common attack vectors and how they should respond, and rewarding staff who exhibit good security behaviors.
The growing complexity and sophistication of cyber attacks, coupled with the increasing amount of data at risk, presents a significant challenge for information security teams. They must sift through the noise, prioritize investigations, gather sufficient evidence, understand the scope of a breach, centrally track progress and ultimately remediate the compromised systems. Part of this is focusing on behavior patterns to separate what is normal from what is not within the environment.
Security is everyone’s responsibility. The CISO may be accountable for security, but buy-in must come from the board of directors down through every level of staff. Staff and clinicians must understand that what they are doing makes the organization a safer place for themselves and their patients; their effective security behaviors let clinicians do their job of treating patients better.
Healthcare companies that survive this EHR era will need the appetite to take it on with manpower, technology and professional services. It may seem a daunting task, as many of these organizations are strapped for resources to invest in data security. But when taking this argument to the C-suite, there are a couple of positives to bring to the table in asking for more data-security resources: it is a greenfield for building a security program, and it will strengthen the HIPAA compliance program, which is now subject to federal audits. With proper protocols in place, healthcare organizations have the ability to protect themselves and avoid a costly data breach.
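The kind of behavior-pattern check this paragraph and the earlier MTTD discussion call for can be shown over an EHR audit log. The following is an added example, not code from the original article: it builds a per-user baseline of how many distinct patient records each user touches per day, flags a user whose count on a given day is far above their own baseline (a bulk export or snooping pattern), and separately flags access outside a hypothetical clinic-hours window. The log format, user names, thresholds and all records are constructed assumptions.

```python
"""Baseline-and-deviation check over an EHR audit log.

Added illustration, not code from the original article. The log format
(timestamp,user,action,patient_id), users, thresholds and shift window
are hypothetical assumptions; the records are constructed, not real data.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev


def parse(line):
    """Parse one constructed CSV audit record into (datetime, user, action, patient)."""
    ts, user, action, patient = line.strip().split(",")
    return datetime.fromisoformat(ts), user, action, patient


def daily_counts(records):
    """Distinct patient records each user touched, per day: {user: {date: n}}."""
    seen = defaultdict(set)
    for ts, user, _action, patient in records:
        seen[(user, ts.date())].add(patient)
    per_user = defaultdict(dict)
    for (user, day), patients in seen.items():
        per_user[user][day] = len(patients)
    return per_user


def flag_volume_anomalies(per_user, day, z_threshold=3.0, min_history=3):
    """Users whose distinct-patient count on `day` is >= z_threshold standard
    deviations above their own prior days. Returns {user: z_score}."""
    flagged = {}
    for user, days in per_user.items():
        history = [n for d, n in days.items() if d < day]
        today = days.get(day)
        if today is None or len(history) < min_history:
            continue  # nothing to compare, or not enough baseline to trust
        mu, sigma = mean(history), pstdev(history)
        sigma = max(sigma, 1.0)  # floor: a perfectly flat baseline must not divide by zero
        z = (today - mu) / sigma
        if z >= z_threshold:
            flagged[user] = round(z, 1)
    return flagged


def flag_off_hours(records, start_hour=7, end_hour=19):
    """Users with record access outside the (hypothetical) clinic-hours window."""
    return sorted({user for ts, user, _a, _p in records
                   if not start_hour <= ts.hour < end_hour})


def run_checks(lines, day_iso):
    """Run both checks for the day given as 'YYYY-MM-DD'."""
    records = [parse(line) for line in lines]
    day = date.fromisoformat(day_iso)
    return {
        "volume": flag_volume_anomalies(daily_counts(records), day),
        "off_hours": flag_off_hours([r for r in records if r[0].date() == day]),
    }


def _constructed_log():
    """Four quiet baseline days, then a day with one bulk access and one 02:15 login."""
    lines = []
    for day in range(1, 5):
        for i in range(5):
            lines.append(f"2015-09-0{day}T09:{10 + i:02d}:00,nurse_a,view,P{100 + day * 10 + i}")
        for i in range(4):
            lines.append(f"2015-09-0{day}T10:{10 + i:02d}:00,dr_b,view,P{200 + day * 10 + i}")
    for i in range(40):  # nurse_a pulls 40 distinct charts in one hour
        lines.append(f"2015-09-05T14:{i:02d}:00,nurse_a,view,P{300 + i}")
    for i in range(4):
        lines.append(f"2015-09-05T10:{10 + i:02d}:00,dr_b,view,P{400 + i}")
    lines.append("2015-09-05T02:15:00,dr_b,view,P999")  # off-hours access
    return lines


AUDIT_LOG = _constructed_log()

if __name__ == "__main__":
    print(run_checks(AUDIT_LOG, "2015-09-05"))
```

Comparing each user against their own history rather than a global threshold is what keeps the noise down: a ward clerk who legitimately opens fifty charts a day is not flagged, while a user who normally opens five and suddenly opens forty is. Both findings are the sort of early signal that shortens MTTD, and the off-hours check catches activity the volume baseline would miss.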