The threat to healthcare data and systems has never been greater than it is right now, and the need for security professionals who possess the skills, experience and education to address it are at an all time high.
Healthcare organizations are being impacted by a higher than average number of system outages due to an absolute explosion of malware on the internet. Malware is being developed and released at a rate that has rendered antivirus products successful at detecting less than 50% of what the network sees.
The second highest cause of outages has been unscheduled changes on systems managed by business associates or due to poor internal practices. Healthcare has seen directed attacks involving new threats such as ransomware, zero day attacks, advance persistent threats (APT) and sophisticated spear phishing.
Gone Phishing
Phishing accounts for a large percentage of the initial compromises that lead to larger more sophisticated and costly breaches. Healthcare has seen State sponsored hackers who have stolen intellectual property and massive amounts of patient data. While smaller breaches still far outnumbered hacks, breaches like the ones that affected Anthem, Premera, Community Health System, CareFirst and Beacon Health System have suffered compromising hundreds of thousands to millions of records are a testament to how damaging those attacks can be.
There have been ideological attacks by well-known hacktivist groups, such as Anonymous, which engineered an attack on Boston Children’s Hospital recently. Anonymous telegraphed its intentions, attacked and then completely compromised the hospitals external connections, email and phone systems forcing them to rely on verbal communications and other measures to conduct business. And as late as this past week the first healthcare system we’ve heard of was hacked by a pro-ISIS group and had their website defaced with pro ISIS images, videos and messages against the U.S. Hacking, which increased significantly in 2014 over 2013, has outpaced other incidents at the outset of 2015 as the cause for breaches.
Paradigm Shift
These events and the shear number of these events until recently was unprecedented in healthcare, but that has changed, and it’s this shift that healthcare system leadership needs to be more cognizant of, because what it represents is an increased set of challenges to the business. It is the new norm. It reflects the continued evolution of the threat and threat actors who once focused on systems, then networks, next applications and today mobile devices and people.
Many healthcare institutions recognizing this paradigm shift have looked to Cyber Insurance to help defray the rising costs of breaches, but this too is eroding as Insurance companies raise premiums to offset huge payouts associated with recent breaches. In a landmark case one hospital, Cottage Health, that suffered a breach this spring is being sued by its insurer Columbia Casualty, to return the money they paid because the health system allegedly failed to take appropriate precautions. This case also portends a new reality where healthcare can expect tougher underwriting provisions and higher premiums for cyber insurance.
SEE ALSO: Securing Patient Data on Smartphones
Valuable Information
Why healthcare? Because the information that healthcare organizations hold is anywhere from 50 to 250 times more valuable than other personal information, according to the Rand Corporation, National Security Research Division who published a study on the Black Market activities. More importantly it is not perishable as other information such as credit card numbers and is particularly valuable for purposes of fraud.
What has really landed healthcare in the cross hairs of would-be criminals is the fact that virtually everything the industry does today is supported by automated processes. More than 98% of patient information is digitized and the number of people both inside and external to the hospital that have access to patient information has more than tripled in the last five years, and much of its data is now hosted or handled by third party providers.
Healthcare has an over reliance on systems and data for everything from routine practices to accountable care, patient engagement, information exchange, population health, big data, etc. More data, more systems, more connections, more sharing all translates to greater opportunity for mistakes, theft or abuse. As a result, health systems must do a better job of protecting the enterprise, hardening their systems, enhancing detection capabilities of networks, testing application environments and increasing the education of its workforce.
“The threat to healthcare data and systems has never been greater than it is right now.”
Baseline Risk Assessments
To meet these challenges healthcare should conduct regular baseline risk assessments to identify weak areas in their program and develop a workplan to address them. Work to implement a security program around the National Institute of Standards and Technology (NIST) Healthcare Cyber Security Framework or another recognized framework to cover all the areas that are important. Review options to improve detection capabilities by enhancing audit and monitoring activities with automated processes.
Look to improve defenses against hacking and malware with more current technologies that don’t rely solely on antiquated signature-based approaches. Address encryption priorities and ways to control mobile devices and the data they access. Adopt control structures and technologies that make it more difficult for hackers and malicious insiders to exfiltrate sensitive information reducing the risk of breach. Embrace ways to enhance workforce training to include practical knowledge such as phishing exercises to make training relevant.
Last, but not least, understand that this is not a problem you can or should solve alone. Engage with external experts and service providers that can add a force multiplier effect to your program through their industry knowledge, expertise and independent assessment.
Get the Board Involved
We should get the Board involved. It is well known that healthcare organizations who enjoy Board attention to privacy and security enjoy better success at building strong programs. The Board can play an important role in ensuring we create the right culture around data security by focusing their attention and the organization’s resources on; the selection of competent security personnel, empowering those assigned privacy and security duties, receiving regular reports on privacy and security, requiring independent audit and assessment of risk, and demanding accountability and encouraging respect for individual privacy.
Mac McMillan is CEO at CynergisTek, Inc.
