Hospital health data has been a clear target for hackers. They’re getting smarter, and education, and buy-in from the C-suite are key prevention strategies.
From a cybersecurity perspective, November 2016 wasn’t a good month for the healthcare industry. According to Protenus, there were 58 health data breaches in November, the highest number of such events in 2016. Come to think of it, 2016 wasn’t a very good year as a whole. An average of at least one health data breach occurred every day in 2016 affecting 27,314,647 patient records, according to Protenus. “We’d love to tell you that by the end of the year things were starting to improve, but unfortunately that wasn’t the case,” the data protection company stated.
If these trends continue (and it looks like it may), hospital CIO and CISOs will certainly have their work cut out for them in 2017. As hospitals and health systems continue to build on their cybersecurity strategy, focus should highlight workforce training, access management, device encryption and a willingness to engage in proper cybersecurity best practices. “As healthcare providers, we owe it to patients to protect their data,” Daniel Barchi, CIO at NewYork-Presbyterian (NYP) in New York City, told Healthcare Dive.
A quick year in review
Notable cyberattack highlights last year included Hollywood Presbyterian Medical Center paying $17,000 to hackers making ransomware a lunchroom topic across hospital executive offices everywhere. Banner Health won the unfortunate award for Most Patients Affected by a Cyberattack last year by disclosing in August an incident that compromised 3.7 million patient records.
Preventing and managing cyberattacks has become an everyday task for CIO and CISO’s job descriptions as bad actors seek to access protected health information. Still, the majority of data breaches come from inside the hospital. Out of the 450 incidents Protenus analyzed, 192 of them (43%) were an inside job, compared to the 26.8% of breaches accredited to hacking and ransomware. However, hacking and ransomware account for larger breaches that affect patients. “For the 120 hacking incidents included in our analyses, we had the number of records affected for 99 incidents; those 99 incidents resulted in a staggering 23,695,069 breached records, or 87% of all patient records included in the analyses,” Protenus stated.
“As healthcare providers, we owe it to patients to protect their data.”
HHS’ Office for Civil Rights (OCR) in the latter half of 2016 put the industry on the defensive as it gently reminded healthcare organizations to reassess their electronic authentication methods as well as direct its regional offices to increase investigations of smaller breaches. Such efforts can be seen culminating in one example where Children’s Medical Center of Dallas in February was fined $3.2 million after HHS investigating multiple breaches and determined the organization had failed to take actions to prevent such events until 2013, despite being aware of the risks. The news underscores just how such an event can cost an organization: About $7 million is the average total cost of a data breach, a June 2016 Ponemon Institute study conducted for IBM found.
Top leadership needs to be involved and invested
Cybersecurity’s importance can be a hard message for hospital executives at times because when organizations don’t experience an attack, it’s out of sight, out of mind, according to Dr. Robecca Quammen, CIO at Howard University Hospital in Washington, DC, and CEO at MyConsultQ. However, forward-looking health organizations should be ready to react to breaches. “It’s not if you get breached, it’s when,” Arthur Ream III, director of applications and CISO at Cambridge Health Alliance, a three-hospital system in the greater Boston area, told Healthcare Dive.
One of NYP’s cybersecurity’s strategies is to first acknowledge that it’s important. “We have an environment where we want to get issues on the table” to discuss the organization’s skeletons in the closet, Barchi told Healthcare Dive, adding that top executive brass needs to think about what the real risks can be when some organizational secrets are revealed in print.
Noting healthcare has been clearly targeted over the last five years by bad actors, one of the best prevention methods is to invest in people and tools, David Finn, health IT officer for Symantec and former CIO and vice president of information services for Texas Children’s Hospital, told Healthcare Dive. “Healthcare historically hasn’t invested in security.” Ream agrees, “Hospitals and health systems have yet to embrace the full funding of a security team.” To Ream, healthcare data is becoming more valuable than credit card data where bad actors can siphon health data from organizations and sell it piecemeal over a long period of time.
“Healthcare historically hasn’t invested in security.”
Arthur Ream III, Director of Applications and CISO, Cambridge Health Alliance
“We frequently talk about information security being an existential threat to healthcare in general and as a result our leaders have given us the freedom to hire people and implement the tools we need to,” Barchi stated adding that sometimes the benefits can be seen near immediately. For example, a new email system was recently implemented that identifies when emails are coming from inside ([INT]) or outside ([EXT]) the organization. According to Barchi, the system was installed at 10 a.m. on a Friday morning and by 11:30 a.m., the security team identified a suspicious message marked [INT] that was in reality an [EXT] email.
“Healthcare should not be focused on some kind of crazy or exciting threat as much as we should be focused on basic blocking and tackling,” Jennings Aske, vice president, CISO at NYP.
Workforce education is important
Quammen acknowledges CEOs’ desire to have ubiquitous data with high liquidity and easy access can go against cybersecurity initiatives to protect patient data. “Pressures to succumb to convenience and ease of use are the biggest killers of security,” Quammen told Healthcare Dive.
Appropriate access levels and measures of authentication among workers are essential efforts, according to Quammen. “Convenience can’t trump security,” she stated.
In addition to locking down access (some workers may want to read a celebrity’s file, for example), cybersecurity education should be deployed across an organization. Ream puts it a bit more bluntly: “Your employees are your biggest risk.”
Judging from the stories Healthcare Dive heard, Ream’s not wrong. Finn noted in phishing attack trials, he typically sees a clickthrough rate of 20% across industries, meaning someone clicked on a link containing a virus. In healthcare, the range is much broader from 20-60%. “The single highest clickthrough rate I’ve ever seen was a healthcare provider with 92% of people who got the phishing email clicked on it,” Finn told Healthcare Dive.
Quammen shared a story from a previous hospital where she was only made aware of and prevented a virus from infiltrating a system because an employee couldn’t open an infected file on a shared folder housed on the system’s network and called the organization’s help desk to request the file be opened who fortunately reported it to resources able to isolate it after identifying it contained malware.
“Pressures to succumb to convenience and ease of use are the biggest killers of security.”
Dr. Robecca Quammen, CIO, Howard University Hospital and CEO, MyConsultQ
In his experience, Finn found hospitals frequently rehearse hurricane or chemical spill reaction plans but many hospitals lack cybersecurity rehearsals much less employ a chief information security officer (CISO), a role he feels should be in a position of authority and able to manage a budget.
Cambridge Health Alliance also runs phishing campaigns. Individuals that click on the “bad” links are sent to an educational page to complete before being able to return to the fun portions of the internet like cat GIFs and Kermet the Frog memes. In addition, twice a year Cambridge Health Alliance runs breach drills that starts at the CEO and runs its way down the organization. Through this process, the organization adapts and changes its security policies.
While there are a lot of technologies on the market for cybersecurity, “it’s all about the people,” Barchi said noting educating workforce and making them aware of and alert to threats will make them better respond to such threats when they present themselves.
On roaming devices and log management
In 2010, you couldn’t not fire up your internet browser of choice and not read about a stolen or misplaced laptop or USB drive from a healthcare organization that resulted in notifying x number of patients their health data may have been compromised.
As more records are moving to the cloud and workers are getting smarter about encrypting such devices, you see less of these breach notifications. “It’s still happening but pales in comparison to the more exciting breaches,” Barchi said who added the move to clinical storage digitally has spurred the sea change to larger breaches occurring as a result of hacking.
“Healthcare should not be focused on some kind of crazy or exciting threat as much as we should be focused on basic blocking and tackling.”
Quammen notes unencrypted laptop breaches may be down but attacks occur in ways many administrators may not expect. For example, biomedical devices or movable carts can come equipped with unencrypted laptops housed in unsecured offices and clinical areas. Such laptops need to be encrypted, tethered and secured in locked rooms, Quammen said, because patient data is often manually keyed in and sometimes the unprotected laptops can be walked out the door. She described one instance where such a laptop was stolen and reviewing billing records for specific CPT test codes was the only method available to identify a patient cohort list to notify patients of a possible breach.
“Encryption requires management of all devices and maintaining currency in an enterprise-level encryption software contract and being vigilant you don’t deploy a device without it,” Quammen said. The clinical areas where laptops come with diagnostic testing and biomedical devices that are not controlled by IS are on the table for a potential HIPAA breach.
On the cyberattack side, every device on the network generates an activity log that provides information that can be analyzed to understand an attack, Aske noted. “Log management is a real driver in terms of security posture,” he said.
Hackers are getting faster and smarter and realizing how to enter healthcare’s wall. Healthcare IT News recently reported 48% of successful cyberattacks from bad actors involve using malware. “The thing to realize is that securing PHI or any type of protected information is not a one-time task, it is an everyday task that requires staying one step ahead of the creativity of bad actors,” Quammen said.
For example, Quammen offered a story where she and her team had to manually thwart about 7,000 hits from a Zepto virus over a 24 hour period. “There was a moment in time when machine learning got bored and morphed the attacks to a different address format as the technical team was watching its behavior,” she said. “I had never experienced that before.”
Ream shared the trend toward the Internet of Things (IoT) can open up cybersecurity threats that may not be top of mind in security officers. For example, with smart buildings, networked water pipes hooked up to report volume is another avenue into an organization’s information system.
He sees a trend occurring where vendors are beginning to market themselves as one-stop security solutions to capitalize on the fact that building out an internal security team is expensive. Solutions such as security operation centers (SOCs) and network operation centers (NOCs) will likely be attractive to healthcare organizations in the future.
“AI technologies incorporating forensics are growing in popularity. Right now the best defense security officials can provide is strong protection that focuses on the EHR,” Santosh Varughese, president at Cognetyx, said. “This only makes sense since that is where the data is stored as opposed to protecting the network. Why guard the entire road leading to the castle when you can keep the gold in a safe?”
One question Finn often gets is “when is ransomware going to end?” The easy answer is to respond “when people stop pay for it” but he also believes in late 2017 there will be a decline in ransomware as enough prevention best practices information will be shared and end user staff receive training on the attacks. Barchi told Healthcare Dive one of the most effective means to reduce ransomware is through outstanding storage management, including investing in simple storage backups that help to keep from losing health data or obviate the need for paying ransomware attackers. “We’ve been able to take affected computers offline and move to back-ups and quickly restore the data and keep going”using such an approach, Barchi said.
What Finn does worry about for the future of cybersecurity is attacks moving into the cloud. If one big cloud provider is successfully attacked, it could in theory shut down many subscribing organizations, according to Finn, noting many small providers use cloud-based EMRs or hosted EMRs.
For more information, please click HERE and fill out the request form.