The February 2015 cyberattack on health insurer Anthem, in which medical records affecting nearly 79 million people were stolen, brought focus to the potential vulnerability of electronic health records. The breach also promised to spur greater and more effective efforts to keep those records secure.
Unfortunately, while cybersecurity remains a prevalent topic in health IT discussions, breaches and attacks have only increased in the two years since the Anthem attack. In December 2016, medical laboratory Quest Diagnostics reported a breach affecting 34,000 clients.
Global information services group Experian’s data breach forecast for 2017 ranked health sites as the most attractive targets for cyber thieves.
“Healthcare organizations will be the most targeted sector, with new sophisticated attacks emerging,” the report said, according to an article on the Healthcare IT News website.
Many healthcare facilities have been subjected to attacks using ransomware, malicious software that encrypts or locks the files on a computer or an entire network, preventing users from accessing their data until the attackers are paid a ransom.
Hospitals are an ideal target for this sort of malicious attack. The information being held for ransom can literally be a matter of life and death.
“If you have patients, you are going to panic way quicker than if you are selling sheet metal,” Stu Sjouwerman, CEO of the security firm KnowBe4, said in an article on the Wired website.
“Without quick access to drug histories, surgery directives and other information,” the Wired article said, “patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.”
Hospitals also make good targets, Sjouwerman told Wired, because cybersecurity often isn’t a primary concern in the way that patient privacy, mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is.
HIPAA and other federal regulations spurred healthcare providers to convert paper records to electronic form rapidly. However, efforts to protect that electronic data from criminals were not pursued as vigorously.
If there’s any consolation, it’s that healthcare isn’t the first industry to experience these particular growing pains.
“Between 1997 and 2005 banking went through this transformation as well,” said Bill Coady of PwC’s National Cyber Security and Privacy Practice in an article on the MD Magazine website (hcplive.com). “Banking had a lot of similar problems that we see today in healthcare,” Coady said.
The vulnerability, Coady said, stems from systems’ inability to detect unauthorized activity.
“They forgot to put in detections — alarms, bells, and whistles along the way — that would have allowed you to know that the person who compromised you has been inside your environment for five months,” Coady said.
Adding to the burden is the ease with which attackers maneuver around new defenses, with the ransoms paid by some providers funding the criminals’ further development.
“As a new defensive technique is developed, its effectiveness increases until attackers are compelled to develop countermeasures to evade it,” said Vincent Weafer, vice president of Intel Security’s McAfee Labs, as quoted in an article on the Health IT Outcomes website.
“To change the rules of the game between attackers and defenders, we need to neutralize our adversaries’ greatest advantages,” Weafer said. Weafer said security must “go beyond understanding the threat landscape to changing the defender-attacker dynamics.”
Weafer identified six key areas in which changes are needed:
- Information asymmetry, or an imbalance of information between two parties
- Making attacks more expensive
- Improving visibility
- Better identifying exploitation of legitimacy
- Improving protection for decentralized data
- Detecting and protecting in agentless environments
In the MD Magazine article, Tony Consoli, president of the Mid-Atlantic Region at CBIZ Insurance Services, Inc., advises healthcare providers to adopt these preventive measures.
- “Know what’s at risk and create a response strategy that is holistic and allows you to respond quickly in any situation.”
- Hire a third party to run penetration tests that will simulate a hack into your system. “This is a great way to find out if your company is using its security technology effectively,” Consoli said.
- Install a deception-based security layer into your network that, Consoli said, will create “an environment that attracts and detects malicious insiders as soon as they begin their attacks.”
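As an added illustration of the deception layer Consoli describes, and of the kind of detection Coady says was missing, here is a small Python detector run over constructed EHR audit log lines. It is example code written for this page, not from CBIZ, PwC, or any product; the log format, the decoy patient IDs, and the account names are invented. The idea is to seed the patient index with decoy records that no legitimate workflow ever touches, so that any read of one is an alert, and then to pull the full trail of the account that tripped it.

```python
"""Decoy-record (honeytoken) detection over EHR audit log lines.

Example written for this article. The audit line format, decoy IDs and
account names below are constructed; they do not come from any real system.
"""
from collections import Counter
from datetime import datetime

# Constructed: decoy patient IDs seeded into the index. No clinical or
# billing workflow ever references them, so any access is suspect.
DECOY_PATIENT_IDS = frozenset({"P-900001", "P-900002"})

# Constructed sample audit log: "timestamp user action patient_id" per line.
SAMPLE_AUDIT_LOG = """\
2017-03-01T08:02:11Z nurse.jlee VIEW P-104233
2017-03-01T08:05:40Z nurse.jlee VIEW P-104234
2017-03-01T09:17:03Z billing.rkim VIEW P-104233
2017-03-01T22:41:55Z billing.rkim VIEW P-900001
2017-03-01T22:42:30Z billing.rkim VIEW P-900002
2017-03-01T22:43:02Z billing.rkim EXPORT P-104233
"""


def parse_line(line):
    """Parse one audit line into a dict; a malformed line raises ValueError."""
    ts, user, action, pid = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "pid": pid,
    }


def parse_log(log_text):
    """Parse every non-blank line of the log text, preserving order."""
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def decoy_hits(log_text):
    """One alert per access to a decoy record: (user, patient_id, ISO timestamp)."""
    return [
        (ev["user"], ev["pid"], ev["ts"].isoformat())
        for ev in parse_log(log_text)
        if ev["pid"] in DECOY_PATIENT_IDS
    ]


def suspects(log_text):
    """Accounts that touched decoys, counted by number of decoy touches."""
    return Counter(user for user, _, _ in decoy_hits(log_text))


def activity_of(log_text, user):
    """Full (action, patient_id) trail of one account, for the follow-up investigation."""
    return [(ev["action"], ev["pid"]) for ev in parse_log(log_text) if ev["user"] == user]


if __name__ == "__main__":
    for user, pid, ts in decoy_hits(SAMPLE_AUDIT_LOG):
        print(f"ALERT decoy record {pid} read by {user} at {ts}")
    for user, count in suspects(SAMPLE_AUDIT_LOG).most_common():
        print(f"{user}: {count} decoy hit(s); trail: {activity_of(SAMPLE_AUDIT_LOG, user)}")
```

On the constructed log the billing account trips both decoys late at night and then exports a real record, which is exactly the sequence the deception layer is meant to surface while it is still in progress rather than months later. In a real deployment the decoy IDs would live in the audit pipeline rather than in source, and the alert would feed the response plan from Consoli’s first point.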