Hackers are coming for your healthcare records — here’s why
Data stolen from a bank quickly loses its value once the breach is discovered and account numbers and passwords are changed. But healthcare data, which couples a personal identity with a medical history, cannot be reissued and stays useful to a criminal for a lifetime.
Cyberattacks will cost hospitals more than $305 billion over the next five years and one in 13 patients will have their data compromised by a hack, according to industry consultancy Accenture.
A recent study by the Brookings Institution found that, since late 2009, the medical information of more than 155 million Americans has been exposed without their permission through about 1,500 breaches.
The Brookings research argues that the healthcare sector is uniquely vulnerable to privacy breaches. For one thing, federal policy pushed healthcare operations to adopt electronic health records (EHR) and other advances (the 2009 HITECH Act's meaningful-use incentives, alongside the Patient Protection and Affordable Care Act, or Obamacare) even if they weren't ready to adequately invest in security.
Healthcare records also contain some of the most valuable information available, including Social Security numbers, home addresses and patient health histories, which makes them worth more to hackers than other types of data, according to the study by the Brookings Institution's Center for Technology Innovation. Because such records sell at a premium on the black market, hackers have a strong incentive to focus their attacks on the healthcare industry.
With the push toward more integrated care, “medical data are now being shared with many different types of entities in which many employees have access to patient records,” the study said. “Extended access to medical records increases the potential for privacy breaches.”
To comply with legal requirements, healthcare organizations often store detailed medical information for many years. The probability of a breach — and the potential severity of the consequences — increases according to the amount of data stored and the length of time it is stored.
A focus on regulatory compliance, not security
With the industry so focused on regulatory compliance as it moves to digital record-keeping, cybersecurity has largely been a secondary thought, according to Lisa Gallagher, former vice president of technical solutions at the Healthcare Information and Management Systems Society (HIMSS) in Chicago.
“Enterprises with legacy systems are trying to connect to and integrate EHRs. Security is not always considered as a part of that, and patching systems is always fraught with peril. You’re always a little behind with that,” Gallagher said. “It’s a formula for being behind.”
Gallagher sees a healthcare industry facing ever more sophisticated and persistent threats from one-off hackers and nation-state attackers who stow patient data for future use.
“I don’t think we were prepared,” said Gallagher, who was formerly senior director of cybersecurity at HIMSS.
One of the more common attacks against healthcare providers involves ransomware: patient records or hospital systems are compromised and encrypted, and remain unusable until a ransom is paid, typically in a cryptocurrency such as bitcoin, whose pseudonymous transactions are difficult to trace.
This week, for example, a hacker claimed to have stolen databases from three U.S. healthcare organizations and one insurer and is holding 10 million patient records for ransom, demanding as much as $500,000 in bitcoin.
In February, a Los Angeles hospital paid nearly $17,000 in bitcoins to hackers who disabled its computer networks.
Hackers don’t focus solely on hospitals and insurers; they also go after affiliated vendors who service the industry.
Today, for example, Massachusetts General Hospital (MGH) announced that almost 4,300 patients had their healthcare records exposed when “a trusted third-party vendor” that provides software to manage dental practice information for providers had its databases hacked.
CenturyLink, a worldwide communications company headquartered in Monroe, La., tracks ransomware campaigns; the most common delivery method is the large-scale email campaign. Some reports indicate that there are more than 300 million malware strains and 150 variants of ransomware.
“I really think in terms of ransomware, the stories of about hospitals paying the ransom are spreading among attackers, letting them know that they’re a successful place to attack,” said Cory Kennedy, lead information security engineer at CenturyLink.
Defending against ransomware can be relatively simple: healthcare providers, insurers or affiliated vendors need only keep current backups offline, Kennedy said. When an attack does occur, the backups can be used to restore the data.
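Kennedy's advice assumes the offline copy is intact and restorable, which is worth proving before it is needed: ransomware routinely encrypts or deletes any backup it can reach, and a copy that was silently modified is no better than no copy. The script below is an added example, not code from the article, CenturyLink or any named vendor; the directory layout, file contents and the simulated tampering are constructed. It records a SHA-256 manifest when the backup is taken and later compares a copy against that manifest, which itself must be stored apart from the backup it describes.

```python
"""Integrity check for an offline backup: record a SHA-256 manifest when the
copy is made, store the manifest separately, and verify the copy against it
before relying on it for a restore. Added example; paths and data are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare a backup tree against a manifest that was stored elsewhere.

    Returns lists of relative paths that are intact, modified, missing, or
    present in the tree but absent from the manifest (ransom notes, or files
    that were encrypted and renamed)."""
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: two copies of a tiny EHR export. The 'offline'
    copy is left alone; the 'online' copy is hit by simulated ransomware that
    overwrites one file and renames another."""
    with tempfile.TemporaryDirectory() as tmp:
        offline = os.path.join(tmp, "offline")
        online = os.path.join(tmp, "online")
        for root in (offline, online):
            os.makedirs(os.path.join(root, "patients"))
            with open(os.path.join(root, "patients", "p001.json"), "w") as f:
                f.write('{"mrn": "A100", "name": "TEST PATIENT"}')
            with open(os.path.join(root, "index.db"), "w") as f:
                f.write("index-v1")
        manifest = build_manifest(offline)  # taken when the backup was made

        # Simulated ransomware on the online copy: contents replaced, file renamed.
        with open(os.path.join(online, "index.db"), "wb") as f:
            f.write(b"\x00ENCRYPTED\x00")
        os.rename(os.path.join(online, "patients", "p001.json"),
                  os.path.join(online, "patients", "p001.json.locked"))

        return {"offline": verify_backup(offline, manifest),
                "online": verify_backup(online, manifest)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, {k: len(v) for k, v in report.items()})
```

The manifest is only as trustworthy as its storage: if it sits next to the backup, the same intrusion can rewrite both. A restore drill into a scratch environment, not just a hash check, is what finally proves the copy is usable.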
Healthcare organizations have also been slow to educate employees about the dangers of cyberattacks, and to manage who in an organization has access to critical systems that store sensitive data.
However, while healthcare entities can become more proactive about security, cyberattacks will only grow more sophisticated. For example, hackers recently deployed a phishing attack against Amazon Prime users that was disguised as shipping confirmation emails.
Another new development came when hackers were able to disguise ransomware links in a way that makes the links look legitimate when a victim hovers a mouse pointer over them, Kennedy said.
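One of the commonest ways to make a link look legitimate is to give the anchor visible text that is itself a plausible URL while the href, which is what the browser actually follows, points elsewhere; lookalike (punycode) domains serve the same purpose. The article does not say which method Kennedy saw, so that is an assumption. The checker below is an added example, not code from the article or CenturyLink; it parses an HTML email body (constructed sample included, with made-up domains) and flags anchors whose displayed host and real host disagree, punycode hosts, and non-http schemes.

```python
"""Flag anchors in an HTML email body whose visible text and href disagree.
Added example; the sample message and domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain: str) -> str:
    """Lower-cased hostname of a URL, or of a bare 'www.example.com' string."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def text_looks_like_url(text: str) -> bool:
    # Only judge display text presented as an address; prose such as
    # "Help center" is not compared (a deliberate false-negative trade-off).
    return text.lower().startswith(("http://", "https://", "www."))


def suspicious_links(html: str) -> list:
    """Return one finding per anchor with reasons; an empty list means clean."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        reasons = []
        if text_looks_like_url(text) and host_of(text) != real_host:
            reasons.append("display host %r != href host %r" % (host_of(text), real_host))
        if any(label.startswith("xn--") for label in real_host.split(".")):
            reasons.append("punycode (IDN) host")
        if href.lower().startswith(("javascript:", "data:")):
            reasons.append("non-http scheme")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing sample: the first link shows the real portal URL but
# sends the click elsewhere; the third uses a lookalike IDN domain.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please sign in to restore access:</p>
<a href="http://secure-login.example.net/portal">https://portal.hospital.example/login</a><br>
<a href="https://portal.hospital.example/help">Help center</a><br>
<a href="https://xn--hospitl-3ya.example/">https://hospital.example</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", finding["reasons"])
```

A mail gateway would run this kind of check before delivery and either rewrite the link through a click-time scanner or quarantine the message; the same comparison is what a careful user performs by reading the status bar, which is exactly the step these disguises are designed to defeat.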
“I think attackers will continue to do what they do, looking for holes,” Kennedy said.
Not a matter of if, but when
The Institute for Critical Infrastructure Technology has determined that ransomware will wreak havoc this year. Cybersecurity experts agree that it’s not a matter of if or when your data will be hacked, but whether you’ll know your data was hacked.
Instead of focusing only on hardening perimeter defenses such as firewalls and using rules to block outside PDFs or other documents, Kennedy and other experts believe detection and data encryption are the best cybersecurity techniques.
“Assume data will be taken, but make it useless,” said Kaveh Safavi, senior managing director for Accenture’s global healthcare business.
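Safavi's principle can be applied in the data model, not only through disk encryption: if the table keys each record by a keyed token derived from the identifier rather than by the identifier itself, and the key is held outside the database, an exfiltrated copy carries no Social Security numbers or names while the application can still find a record when a patient presents. The following is an added example (not Accenture's or the article's); the record layout, the key handling, the deliberately invalid SSN values and the use of HMAC-SHA-256 for tokenization are all constructed for illustration. It also shows why an unkeyed hash is not a substitute: a nine-digit identifier space is enumerated in minutes.

```python
"""Pseudonymize direct identifiers before they reach the database so a stolen
table is useless without a key kept elsewhere. Added example; records are
constructed and the SSNs are deliberately invalid (000 area number)."""
import hashlib
import hmac
import json
import secrets


def normalize(identifier: str) -> str:
    return identifier.replace("-", "").replace(" ", "")


class TokenService:
    """Holds the HMAC key. In a real deployment this runs as a separate
    service or HSM; the database host never sees the key."""

    def __init__(self, key: bytes = None):
        self.key = key if key is not None else secrets.token_bytes(32)

    def token(self, identifier: str) -> str:
        return hmac.new(self.key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


class PatientStore:
    """The data at rest. Direct identifiers are stripped and the row is keyed
    by the token, so equality lookups still work but a dump reveals nothing."""

    DIRECT_IDENTIFIERS = ("ssn", "name")

    def __init__(self, tokens: TokenService):
        self._tokens = tokens
        self._rows = {}

    def insert(self, record: dict) -> str:
        tok = self._tokens.token(record["ssn"])
        self._rows[tok] = {k: v for k, v in record.items() if k not in self.DIRECT_IDENTIFIERS}
        return tok

    def lookup_by_ssn(self, ssn: str) -> dict:
        return self._rows.get(self._tokens.token(ssn))

    def dump(self) -> str:
        """What an attacker walks away with after exfiltrating the table."""
        return json.dumps(self._rows, sort_keys=True)


def unkeyed_digest(ssn: str) -> str:
    """The tempting shortcut: SHA-256 of the SSN with no secret."""
    return hashlib.sha256(normalize(ssn).encode()).hexdigest()


def crack_unkeyed(digest: str, known_prefix: str) -> str:
    """Without a key the attacker just enumerates. The full 9-digit space is
    10**9 hashes, minutes of work offline; here the first five digits are
    taken as known so the demo loops only 10,000 times."""
    for n in range(10 ** 4):
        candidate = known_prefix + "%04d" % n
        if unkeyed_digest(candidate) == digest:
            return candidate
    return None


def demo() -> dict:
    store = PatientStore(TokenService())
    store.insert({"ssn": "000-12-3456", "name": "TEST PATIENT", "mrn": "A100", "dx": "E11.9"})
    store.insert({"ssn": "000-12-9876", "name": "TEST PATIENT TWO", "mrn": "A101", "dx": "I10"})
    dumped = store.dump()
    return {
        "identifiers_absent": "000123456" not in dumped and "TEST PATIENT" not in dumped,
        "lookup_ok": store.lookup_by_ssn("000123456")["mrn"] == "A100",
        "cracked_plain_hash": crack_unkeyed(unkeyed_digest("000-12-3456"), "00012"),
    }


if __name__ == "__main__":
    print(demo())
```

The tokens are deterministic, which is what makes joins and lookups work, but it also means the same patient is linkable across every table keyed this way; clinical fields left in the clear (here the diagnosis code) remain sensitive and still need access control and encryption at rest. Rotating the key means re-tokenizing every row, so the key service needs the same availability planning as the database.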
The greatest threat to the healthcare industry today, Safavi said, is not from one-off hackers seeking quick paydays, but from foreign governments that can store intimate personal health data for future use against individuals.
For example, hackers last year stole the records of about 80 million customers of Anthem Inc., the second largest U.S. health insurer.
“The presumption was that they were state actors,” Safavi said. “The purpose of the state actor was to harvest the database in order to create a dossier of individuals that they could use for social engineering for future attacks.”
Foreign governments could use healthcare information to target government employees with emails containing notices related to medical conditions they may have. When a targeted individual opens one of those emails, malware infects his or her desktop computer.
“There’s nothing in a bank’s data that will give [hackers] the answer to that question, but it is in your health records and [insurance] claims data,” Safavi said. “They’re trying to build a big database of Americans for some future purpose.”
Is the cloud safer?
Healthcare organizations, Safavi said, can better protect data by first recognizing that they’re not in the cybersecurity business. For example, a cloud storage provider is better qualified to handle security, he said.
“There’s a discussion going on right now about whether or not the public cloud is more or less secure than private. The traditional thinking was… ‘If I have control over data in my own private data center that’d be more secure.’ The thinking is beginning to pivot,” Safavi said.
Never was that shift in thinking more evident than two years ago, when the CIA awarded Amazon Web Services a $600 million contract to develop a cloud service for the 17 agencies that make up the intelligence community.
“There’s an evolving thinking among CIOs that one of the benefits of going to a public cloud is you avail yourself of state-of-the-art security that you could probably never replicate with your own IT organization,” Safavi said.
Safavi said the healthcare industry is also looking at fighting fire with fire, so to speak, by using blockchain technology, as bitcoin does, as a distributed, peer-to-peer database in which to store sensitive information. (A shared ledger provides tamper evidence and replication; it does not by itself keep what is written to it confidential, so sensitive fields would still have to be encrypted before they are recorded.)
“The nature of blockchain… requires both public and private encryption keys [that make it] virtually impossible for someone to get a nugget of data,” Safavi said. “That’s the reason why it’s used for cryptocurrency.”
With more than 175.5 million records lost in healthcare breaches and new threats emerging every day, the industry should act quickly to safeguard data that can’t be resecured once it’s stolen, Gallagher said.
Sharing is caring
One problem is that organizations may have no idea that data has even been compromised. That points to the need for intrusion-detection systems (IDS) and security information and event management (SIEM) software, which monitor network and host activity for signs of compromise, correlate events from many sources and alert administrators when something is detected.
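An IDS or SIEM only raises an alert if someone has written the rule that turns raw events into one. The following is an added example of such a rule, not code from the article or HIMSS: it reads file-server audit events (a constructed log format with made-up field names, sample lines and threshold) and alerts the first time one account performs twenty destructive operations on a share within a sliding sixty-second window, the footprint ransomware leaves when it encrypts and renames files in bulk.

```python
"""Sliding-window detection of ransomware-like bulk file modification from
file-server audit events. Added example; log format, fields, sample lines and
threshold are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import os

WINDOW_SECONDS = 60
THRESHOLD = 20  # destructive ops by one account within the window


def parse_event(line: str) -> dict:
    """Constructed format:
    '2016-06-29T10:15:01Z host=fs01 user=jdoe op=RENAME path=/share/a.pdf new=/share/a.pdf.locked'"""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def extension_changed(event: dict) -> bool:
    """A rename that changes the extension (chart.pdf -> chart.pdf.locked)
    counts; renaming draft.docx to final.docx does not."""
    if event.get("op") != "RENAME" or "new" not in event:
        return False
    return os.path.splitext(event["path"])[1] != os.path.splitext(event["new"])[1]


def is_destructive(event: dict) -> bool:
    return event.get("op") in ("WRITE", "DELETE") or extension_changed(event)


def detect(lines) -> list:
    """One alert per account, raised the first time its destructive-op count
    inside any WINDOW_SECONDS window reaches THRESHOLD. Lines must arrive in
    time order, as a log shipper delivers them."""
    recent = defaultdict(deque)  # user -> timestamps of recent destructive ops
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_event(line)
        if not is_destructive(event):
            continue
        user = event["user"]
        q = recent[user]
        q.append(event["ts"])
        while (event["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= THRESHOLD and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "host": event.get("host"),
                "count": len(q),
                "window_start": q[0].isoformat(),
                "window_end": event["ts"].isoformat(),
                "example": event.get("new") or event.get("path"),
            })
    return alerts


def sample_log() -> list:
    """Constructed: routine activity from two clinicians, then an account
    renaming 25 scanned charts to *.locked within ten seconds."""
    lines = []
    for i in range(6):
        lines.append("2016-06-29T10:14:%02dZ host=fs01 user=asmith op=READ path=/share/charts/c%03d.pdf" % (i * 5, i))
        lines.append("2016-06-29T10:14:%02dZ host=fs01 user=bkumar op=WRITE path=/share/notes/n%03d.docx" % (i * 5 + 2, i))
    lines.append("2016-06-29T10:14:40Z host=fs01 user=bkumar op=RENAME path=/share/notes/draft.docx new=/share/notes/final.docx")
    for i in range(25):
        lines.append("2016-06-29T10:15:%02dZ host=fs01 user=jdoe op=RENAME "
                     "path=/share/charts/c%03d.pdf new=/share/charts/c%03d.pdf.locked" % (i // 3, i, i))
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The threshold has to be tuned per share: a nightly batch export or an imaging system writing hundreds of DICOM files will trip a naive count, so production rules usually add an allow-list of service accounts and weight extension changes to known ransomware suffixes more heavily than plain writes. The alert is also only the start; the response playbook (disable the account, isolate the host, begin restoring from the offline copy) is what limits the damage.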
Additionally, the healthcare industry needs access to better resources on threat data from local and federal law enforcement agencies, Gallagher said.
“If I was asked by a healthcare CIO where to go for cyberthreat data, I’ve got to give them a list of at least five or six sources, maybe more — whether it’s the FBI or homeland security… or some private companies,” Gallagher said. “There are lots of different sources for the data, and sometimes it’s in different formats.”
There have been several efforts by Congress to enact a law that would foster sharing of security information. The latest was the Cybersecurity Information Sharing Act (CISA), which was finally incorporated into an omnibus spending bill and signed into law last December (December 2015). CISA paves the way for sharing data on cyberthreats among seven government entities and local police.
However, Rod Piechowski, senior director of health information systems at HIMSS, noted that the problem of data security goes beyond what the government or sophisticated software can do, and he said healthcare organizations must focus on educating members of their medical and administrative staffs.
All it takes is one person opening up an email attachment for hackers to gain access to hospital systems. Educating employees on how to detect and report suspicious emails is crucial, said Piechowski.
“I would reiterate that security is everybody’s business. It’s not just up to the IT department,” Piechowski said. “If you work with electronic devices, it’s your responsibility too.”