November 2, 2016
WikiLeaks: The Hacker’s Hacker
You would have to be living completely off the grid to be unfamiliar with WikiLeaks, the multi-national media organization founded by Julian Assange. WikiLeaks has elevated itself as the most well-known name in hacking, exposing classified, censored or otherwise restricted official materials involving war, spying and corruption. The organization is despised for uncovering secrets that were not meant for public consumption and applauded by millions who believe that the world’s most persecuted documents should be available to everyone. Who would have thought that hacking could land someone on the cover of TIME Magazine as the coveted Person of the Year? Assange held that distinction in 2010.
WikiLeaks is not the only hacking organization keeping information technology (IT) stakeholders up at night. Recently in healthcare, hackers have locked down provider databases, essentially putting them out of business until they pay a ransom to regain access to their data. Hospitals and health systems have more to lose than organizations in other sectors when it comes to hacks. According to Becker’s Health IT & CIO Review, patient data now sells for more money than any other kind of information on the black market, and the healthcare industry experiences more ransomware breaches than any other, accounting for over 88 percent of all attacks.
The Ransomware Epidemic
One reason hospitals may be particularly vulnerable to ransomware is the multitude of systems and devices in use. There are many more entry and access points for cybercriminals to exploit. Recent innovations in the hacker community have given rise to new strains of ransomware that are harder to guard against. Once patient data is infected, hospitals and clinics are locked out of their own systems. Unlike other industries, where access to data is not as time critical, not having access to patient data could mean the difference between life and death.
Ransomware breaches represent a big payoff for criminals and it’s quite clear why healthcare is the primary target. According to the 2016 IBM X-Force Cyber Security Intelligence Index, a stolen medical record is worth more than 10 times that of a stolen credit card.
In a prepared statement, Jocelyn Samuels, director of the Department of Health and Human Services Office for Civil Rights (OCR), said, “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware.”
Medical Data Hacking on the Rise
According to X-Force research, healthcare record theft is up 1,100 percent in 2016, with more than 140 million medical records compromised worldwide. Out of the 249 incidents submitted to the OCR through October 26, 2016, 83 were caused by a hacking or IT incident. While hacking incidences garner the most attention, there were 104 unauthorized access or disclosure breaches, 46 cases of theft, 12 incidents involving loss and four caused by improper disposal.
The top five unauthorized breaches in 2016 were Banner Health, Newkirk Products, 21st Century Oncology, Valley Anesthesiology & Pain Consultants and Hollywood Presbyterian Medical Center. Banner, a large Arizona-based health system, discovered an incident on July 7, 2016 that affected approximately 3.6 million patients, members and beneficiaries, providers and food and beverage outlet customers. Newkirk Products, a New York-based service provider that issues healthcare ID cards for health insurance plans, announced in August 2016 that it experienced a data breach potentially compromising approximately 3.4 million plan members. 21st Century Oncology notified the OCR of a data breach in March 2016 that may have affected approximately 2.2 million individuals, and Valley Anesthesiology & Pain Consultants announced in August 2016 that 882,590 patients might have had their information exposed when an unauthorized party inappropriately accessed one of its computer systems.
The highest profile medical data breach in 2016 happened to Hollywood Presbyterian Medical Center in California. In March, the hospital was locked out of its electronic health records (EHR) for over a week. During that time, providers reverted to operating with pen and paper until they made the decision to pay the hackers $17,000.
The rise of medical data hacking shows no sign of ending. No one is immune to having his or her medical records compromised. It is troubling to think that even with the best security protocols in place, one out of every three people had a healthcare record compromised in 2015.
Medical Devices Also Pose a Security Threat
Most people do not realize that medical devices are often mini-computers linked to a corporate network. When a device has no embedded encryption capability, hackers who compromise it can easily gain access to the core network or other networks throughout the organization, including the EHR.
Hackers generally have one of two motives for what they do, says Stephanie Domas, an ethical hacker and lead medical device security engineer at Battelle, a research and development firm. She hacks organizations and is paid for it. Some devices hold a sizable amount of data that can be hacked; others don’t contain much data, but are a gateway to the network for hackers. Medical devices can include fetal monitors and other monitoring machines, ventilators, anesthesia machines, bypass machines, electrocardiographs, lasers, gamma cameras, medical apps, diagnostic imaging systems, powered wheelchairs, and implantable defibrillators and pacemakers, and many more.
Derek Jones, a senior security advisor at the consulting firm Impact Advisors, offers his advice regarding how to protect medical device data. In an article published by Health Data Management he said, “Many hospitals only use a perimeter firewall to provide protection for moving in and out of the core network, with no other firewalls protecting internal systems. Multiple firewalls across the organization—to the greatest extent possible, given available resources—represents a good start toward improving device security.”
“Layered security is important because we can’t trust the Internet,” he explains. “All these devices that get plugged into the network, like security cameras, cash registers and biomedical devices, are a risk to data security. Network access makes it easier to use the devices, but we often forget they are mini-computers and must be protected.”
Too often, Jones adds, the built-in firewall that comes with Microsoft Windows is viewed as adequate, and as a result, more advanced software with better scanning and reporting features is not deployed. A more sophisticated firewall replaces the Windows firewall, which lacks the capability that lets a network administrator know that malware has infected a computer or a device.
New and old medical devices alike can be a security threat. Both require the addition of embedded security, which includes the encryption of data at all access points. The Food and Drug Administration has provided guidance for manufacturers to reduce medical device hacking risks; however, there are no penalties for non-compliance.
The Human Element in Medical Data Security
The biggest threat to healthcare IT security is the human element. According to the 2016 HIMSS Cybersecurity Survey, the two primary healthcare IT security concerns from healthcare organizations (hospitals and physician practices) are phishing attacks (a concern for 77 percent of respondents) and viruses/malware (67 percent). Both events require human interaction for hackers to access patient data.
Training clinicians and staff one time is not enough to guard against attacks. Ongoing training is the key. A study by Wombat Security Technologies and the Aberdeen Group suggests that raising employee awareness can lessen security risk by anywhere from 45 to 70 percent. There is no such thing as a 100 percent secure IT system if people use it. It certainly makes no sense to make significant investments in securing a technology if system users are not trained properly.
Steps for Prevention and Protection
The number one rule in securing medical data is never to assume you are completely protected. There are no “one size fits all” protections against security breaches. When implementing an effective prevention and protection strategy, you should consider these 12 points:
- Initially train users about the risk;
- Implement consistent high frequency data backups;
- Block all executable attachments that do not pass your security software assessment;
- Keep systems patched (especially JBoss web servers, which are common in healthcare);
- Keep antivirus solutions updated;
- Maintain strong passwords;
- Ensure that active accounts connect to a current staff member;
- Make sure departing staff members return laptops and other mobile technology;
- Allow only the minimum necessary access to sensitive information;
- Secure medical devices by encrypting data and securing access points;
- Audit the system regularly; and
- Provide consistent ongoing security training for every staff member.
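Three of the items above (active accounts must map to a current staff member, departing staff must be offboarded, and access must be the minimum necessary) can be checked with a routine reconciliation of the account export against the HR roster. The script below is an added illustration, not code from the article or any vendor; the roster, role-to-access mapping and account list are constructed sample data, and the identity fields are assumed.

```python
"""Audit active accounts against the current staff roster (added example).
Flags accounts with no current staff member behind them (orphaned) and
accounts holding access their role does not need (excess access)."""

# Constructed: current HR roster keyed by employee id; 'active' is False for departed staff.
STAFF = {
    "e100": {"name": "A. Nurse", "role": "nurse", "active": True},
    "e200": {"name": "B. Billing", "role": "billing", "active": True},
    "e300": {"name": "C. Former", "role": "nurse", "active": False},  # has left
}

# Constructed: which job roles legitimately need each EHR access level
# (the "minimum necessary" rule expressed as policy data).
ALLOWED = {
    "clinical_read": {"nurse", "physician"},
    "clinical_write": {"physician"},
    "billing": {"billing"},
}

# Constructed: active accounts as exported from the EHR/identity system.
# employee_id is None when the account was never tied to a person.
ACCOUNTS = [
    {"user": "anurse", "employee_id": "e100", "access": {"clinical_read"}},
    {"user": "bbill", "employee_id": "e200", "access": {"billing", "clinical_read"}},
    {"user": "cformer", "employee_id": "e300", "access": {"clinical_read"}},
    {"user": "vendor1", "employee_id": None, "access": {"clinical_write"}},
]


def audit_accounts(accounts, staff, allowed):
    """Return a list of (user, finding, detail) tuples, one per problem account."""
    findings = []
    for acct in accounts:
        person = staff.get(acct["employee_id"])
        # No roster entry, or the roster says the person has departed: orphaned account.
        if person is None or not person["active"]:
            findings.append((acct["user"], "orphaned", "no current staff member"))
            continue
        # Any access level whose allowed-role set does not include this person's role.
        excess = {a for a in acct["access"] if person["role"] not in allowed.get(a, set())}
        if excess:
            findings.append((acct["user"], "excess_access", ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit_accounts(ACCOUNTS, STAFF, ALLOWED):
        print(f"{user}: {finding} ({detail})")
```

Run against a real export, each finding is a ticket: disable the orphaned account, or trim the access level to what the role requires.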
Leveraging robust user training, including an investment in preparedness, and implementing key security controls and protocols will go a long way in securing an organization’s medical data. It doesn’t end there. Health organizations must also ensure that they have an all-encompassing backup and recovery process that allows them to get back to business as usual quickly after a breach or attack.