While recent attacks on Anthem, Community Health Systems, Premera and CareFirst helped focus awareness on the importance of cybersecurity, many healthcare payers and providers are still mired in outmoded or unfocused strategies and thus remain vulnerable.
The U.S. healthcare industry is struggling to keep pace with an ever-widening number of global threats being perpetrated by increasingly sophisticated cyber criminals.
Criminal attacks in healthcare are up 125% since 2010 and are now the leading cause of data breach, according to a recent study by the Ponemon Institute. And while recent attacks on Anthem, Community Health Systems, Premera and CareFirst, compromising millions of Americans’ personal data, helped raise awareness, many healthcare payers and providers are still mired in outmoded or unfocused cybersecurity strategies and thus remain vulnerable.
Experts say that unless healthcare organizations utilize strong approaches to manage risk and protect data, the potential costs could be staggering.
In April 2014, prior to some large publicized attacks, the FBI issued a private industry notification, warning healthcare providers that their networks were too lax compared to other industries. Some industry experts worry that the situation is much the same more than a year later. “They’re just being sloppy,” chief executive officer Mac McMillan of CynergisTek, Inc., says of the healthcare industry’s current efforts to manage data and risks to its environment. McMillan’s healthcare information technology (IT) consulting firm focuses on improving privacy, security and regulatory compliance for payers, providers and business associates.
“Once you get beyond the shock factor [on recent healthcare data breaches], you wonder ... ‘Why did people have all this information?’” says McMillan, who also chairs the Healthcare Information and Management Systems Society (HIMSS) Privacy & Security Policy Task Force. “With CareFirst, why do you still have data on former customers that are accessible to anyone to steal? Even if you have a business purpose to retain data, why isn’t it in some long-term storage that isn’t accessible online? ... We need to be more responsible with how we handle data.”
He cites two paradigms in play: For payers, having accessible data is a business driver. For providers, patient care and safety come first and everything else, including cybersecurity, is second. Yet in both scenarios, a rapid response when a breach is suspected is of the essence, says McMillan, former director of security for the U.S. Department of Defense. CareFirst executives had “holes in their security approach,” he asserts, since CareFirst saw anomalous behavior months before the breach but didn’t follow up until after other payers’ breaches.
“There’s nothing that healthcare is dealing with that other folks haven’t dealt with already,” McMillan says. “The same person that shows up at your hospital to work is the same person that worked yesterday in retail ... The only thing special about healthcare is the operational aspect of care to the patient, so you err on the side of caring for the patient first, not protecting the data.”
Nationwide, data breaches could be costing the healthcare industry $6 billion, says the Ponemon Institute report issued in May. That total arises from two factors: The average cost of a data breach for healthcare organizations is estimated to exceed $2.1 million, and 91% of organizations have had a breach, with four in 10 having had more than five breaches over the past two years.
“There are only two types of [healthcare] organizations right now: Those that know they’ve been breached and those that don’t know they’ve been breached,” says Rick Kam, president and cofounder of ID Experts, the Ponemon report’s sponsor. “The problem is, it’s already in. And if they’re spending millions of dollars assuming they haven’t been infected, they’re wasting their time and effort.”
Broadly speaking, cyberattacks are frequent and swift. Five malware events occurred every second in healthcare in 2014, according to Verizon’s 2015 data breach investigations report.
Email phishing has been increasing since 2011, Verizon says, and in 60% of cases, cyberattackers compromised an organization within minutes, with organizations’ response time lagging well behind. Healthcare was among the most affected industries for “insider misuse” and errors made by internal staff, notably system administrators, such as sending sensitive information to incorrect recipients.
It also isn’t a matter of cyberattackers only trying to topple giants. Experts say no healthcare organization, regardless of its size, is immune from cyber risks.
New technology raises risks
As healthcare organizations grow, innovate and work to comply with regulatory requirements for initiatives like electronic health records (EHRs) and health information exchanges (HIEs), they open themselves up to new cyber threats, experts say. This forces a balancing act between opportunities presented by technology and risks associated with it.
“All this new technology was set up to better share information and get the best value from this data ... It wasn’t set up with protection in mind,” says Emily Mossburg, a principal with Deloitte & Touche LLP’s cyber risk services practice.
The problem, Mossburg says, is that today’s cyberattacks are advanced, persistent threats, with the adversary often already inside the network. “This isn’t about a point-in-time event, so organizations can’t fight it as a point-in-time event.”
While the actual threat to healthcare organizations might be coming from the IT space, the impact is to the business as a whole, Mossburg stresses. Health information, which serves as an entryway to identity theft, medical claim and financial fraud, is worth 10 times more than credit card numbers on the black market, experts say. Unlike lone hackers of the past, organized crime rings are now targeting the health industry for profit.
As Ponemon’s recent report puts it: Over the past five years, the most-often reported root cause of a data breach is shifting from lost or stolen computing devices to criminal attacks.
Prepare for the inevitable
Getting one’s house in order and having the resources and team in place before an incident occurs is critical, says Katherine Keefe, global head of Beazley’s Breach Response Services. “As much as you can tighten security and use best practices, where you have the creativity of hackers we’re seeing, you have to figure it not only could happen to you, it will happen to you,” she says.
“Until something bad happens to a company, there’s a certain amount of denial,” adds Keefe, whose firm provides cyber insurance coverage to the healthcare industry. Since 2009, Beazley has handled about 1,300 breaches for healthcare clients.
The Anthem breach, affecting about 80 million people, “really had some tentacles,” notes Keefe, a healthcare regulatory attorney and former deputy counsel at Independence Blue Cross. “We had 80 to 90 companies with our cyber coverage that notified us they’d been impacted.”
Keefe cites the difficulty for organizations of all sizes to handle cybersecurity compliance and spend what’s needed on tools. A receptionist or office manager might handle compliance issues in small providers’ offices, she says, and even large organizations’ privacy officers are “very thinly stretched.”
Often, healthcare organizations focus on perimeter threats despite the fact that internal threats from business associates, employees, patients and others are increasing, experts say. Many rely on employees within their IT departments to handle risks alongside numerous other pressing issues.
Instead, payers and providers should have dedicated cybersecurity staff and a culture that elevates the discussion to the boardroom level, experts assert. In addition, organizations need policies, procedures and controls in place to prevent or minimize risks and liability now, not after publicly embarrassing, costly cyberattacks.
A long and growing list of healthcare breaches affecting at least 500 patients is available on HHS’ website. Incidents, which totaled 1,249 as of June 15, are publicized as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, created in 2009 to support widespread adoption of EHRs. Eight incidents were reported in the first half of June 2015, including theft of a laptop affecting 14,000 individuals in Oregon’s Health CO-OP, and “unauthorized access/disclosure” to a network server affecting 843 individuals in Blue Shield of California.
At the Department of Defense, “We were constantly under attack,” McMillan says, “and healthcare for the longest time wasn’t in that environment.” But HITECH requirements exponentially increased attackers’ entry points, he says: “So it shouldn’t be surprising we’re seeing the number of hacks we’re seeing in healthcare right now, because it’s where the information is. It’s where the money is ... and the bad guys know it.”
Elsewhere on the federal front, the National Institute of Standards and Technology is working with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure including the healthcare sector. And HHS has developed health IT privacy and security tools for providers’ use (bit.ly/security-resources).
To comply with federal privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations must take steps to discover and address suspicious network activity and vulnerabilities. These include reviewing log data, implementing intrusion detection systems (IDS) and conducting regular system monitoring scans.
McMillan asserts that the healthcare industry remains too focused on HIPAA compliance, even though HIPAA isn’t offering a thorough way to protect the environment. “If all you’re focused on is HIPAA compliance, then you are going to have breaches,” he says. “It’s that simple. You need to adopt a legitimate security environment ... and instill discipline.”
McMillan makes the case for vendors to handle IDS, citing huge costs associated with a 24/7 undertaking. “Few organizations have the time, money and expertise,” he says, noting that, even if a large health system can create its own security operations center, analysts at a single location only see what’s affecting their particular organization. Global system-monitoring vendors “see threats present themselves before it can impact your facility, so they have the ability to get out ahead,” typically at less cost, he says.
Against this backdrop, many cybersecurity experts agree on several basic steps to take. Among them:
Put data security first
Healthcare executives must recognize cyber risk “as a tier one business issue,” not as a technology issue, says Mark Ford, Deloitte’s principal and leader of the cyber risk services practice. “That’s the difference between today and even a year ago: The conversation has elevated ... I’ve talked to more boards in the last six to eight months than I have in my whole career.”
Ford says cybersecurity must be handled by healthcare organizations “at the risk, regulatory and technology intersection.” He suggests going “from the business level down to the technical level, starting with an assessment of what risks are presented to your organization uniquely. That’s your first stop: to know your exposure to risks. Then you can attack the problem ... but just throwing it over to the IT folks, that’s setting you up for failure.”
Currently, Ford says his firm is discussing cybersecurity issues with America’s Health Insurance Plans, trying to determine how it can help address the problem of being “under attack as an industry.”
McMillan and others agree that cybersecurity should be moved out of IT and treated as a business function. “It should be independent, like audit and compliance and legal are, so its voice can be heard,” he says. “One of the hallmarks of a smart organization is listening to its advisers ... and why wouldn’t you want to hear what security has to say?”
But McMillan notes that most chief information officers are rewarded for innovative strategies and up-time on networks, not on how they protect an organization’s security. He asserts that too many people in healthcare cybersecurity lack the background, knowledge and skills to guide their organizations in the right direction, while those with such skills often are lured to other industries.
“I can’t tell you the number of hospitals we work with that have lost their entire security team because of more opportunities elsewhere,” he says. His advice to small healthcare organizations? Outsource the whole thing. For small- to mid-range health systems, it’s difficult to attract and hold on to people with the right skills, he says. Annual salaries of cybersecurity beginners without much experience may exceed $100,000, making them unaffordable to many healthcare organizations, he adds.
Deloitte’s Mossburg describes cybersecurity as a constantly moving process, “and as you’re shifting, there are new vulnerabilities.” An enormous amount of data is coming off myriad devices, and handling the required analytics is tough, she says. Thus, she says, “It’s about securing your environment, then staying vigilant and monitoring for what appears outside of the norm.
“One of the biggest challenges we find with our clients, regardless of industry, [is that] they don’t even know where all of their data is,” Mossburg says. “You need to identify your most critical data assets ... and you can’t protect everything with the same level of rigor ... so you’ve got to prioritize.”
Minimize access
While healthcare organizations need to retain some records, they should determine what data are absolutely necessary from a regulatory perspective, says Mossburg.
“Minimization isn’t just about fewer records. It’s about fewer copies of records as well,” Mossburg says, noting that information in many cases is moving across several systems at once, including provider and insurance processing networks.
“You want to give people the least privilege, so they only have access to what they need,” says Jessica Dore, senior manager at Rehmann, a technology risk-management firm. “Many organizations aren’t taking this approach,” she adds, “and it’s becoming more and more of a threat” because of many more risks and internal paths to fraud.
To determine access, organizations must define workers’ roles, Dore says. A medical clerk doesn’t need the access that an administrator needs, for example, while physicians, nurses and many administrators typically don’t need financial access.
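The role-based, deny-by-default model Dore describes can be made concrete. The following is an added example (not code from the article or from Rehmann): roles, permissions and accounts are constructed. Beyond the plain allow/deny check, it audits accounts for two things a reviewer looks for in practice: direct grants that no assigned role justifies (privilege drift), and accounts that combine clinical-write with financial access, the pairing the article says most clinical staff do not need.

```python
"""Least-privilege check and excess-privilege audit for a small clinical role model.

Added illustration of the role-based access advice in the article; the roles,
permissions and accounts below are constructed for the example and are not any
organisation's real access model.
"""
from dataclasses import dataclass, field

# Constructed role -> permission map. Access is deny-by-default: a permission a
# role does not list is refused for that role.
ROLE_PERMISSIONS = {
    "medical_clerk": {"schedule:read", "schedule:write", "demographics:read"},
    "nurse":         {"chart:read", "chart:write", "demographics:read", "schedule:read"},
    "physician":     {"chart:read", "chart:write", "orders:write", "demographics:read"},
    "billing":       {"claims:read", "claims:write", "financial:read"},
    "sysadmin":      {"system:configure", "audit_log:read"},
}

# Permission families that should not meet on one account (clinical write plus
# money access is the combination the article singles out).
CLINICAL = {"chart:write", "orders:write"}
FINANCIAL = {"financial:read", "claims:write"}


@dataclass
class Account:
    user: str
    roles: set
    direct_grants: set = field(default_factory=set)  # ad-hoc grants made outside any role


def role_permissions(acct: Account) -> set:
    """Permissions justified purely by the account's assigned roles."""
    perms = set()
    for role in acct.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(acct: Account, permission: str) -> bool:
    """Deny by default: true only if a role or an explicit grant carries the permission."""
    return permission in (role_permissions(acct) | acct.direct_grants)


def audit_accounts(accounts) -> dict:
    """Return review findings keyed by user.

    'excess' : direct grants that no assigned role justifies (privilege drift)
    'toxic'  : account holds both clinical-write and financial permissions
    """
    findings = {}
    for acct in accounts:
        effective = role_permissions(acct) | acct.direct_grants
        issues = {}
        extra = acct.direct_grants - role_permissions(acct)
        if extra:
            issues["excess"] = sorted(extra)
        if effective & CLINICAL and effective & FINANCIAL:
            issues["toxic"] = sorted(effective & (CLINICAL | FINANCIAL))
        if issues:
            findings[acct.user] = issues
    return findings


# Constructed accounts; dr_patel has drifted: a direct grant of financial access.
SAMPLE_ACCOUNTS = [
    Account("clerk01", {"medical_clerk"}),
    Account("rn_lee", {"nurse"}),
    Account("dr_patel", {"physician"}, direct_grants={"financial:read"}),
    Account("billing_kim", {"billing"}),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.user, "chart:read ->", is_allowed(acct, "chart:read"))
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

The audit deliberately does not revoke anything; its output is the review list. In a real deployment the same comparison would run against exported group memberships from the directory and the application's own grant tables, which is where direct grants tend to accumulate unnoticed.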
Given the broad mix of users, devices and applications in the healthcare industry, it’s a challenge to create an encompassing data protection policy and have sufficient technical control over it, says Scott Gordon, chief operating officer of FinalCode, Inc. Yet organizations must get a sense of types of data (i.e., confidential versus sensitive and regulated), who is using it, how it is being used, and the risk of potential exposure.
FinalCode’s product protects sensitive files’ confidentiality, extending controls over shared files as they leave the client organization’s environment, Gordon explains. It identifies authorized recipients of files, encrypts files on the receiving side, determines the length of receivers’ access and whether they can copy files, and lets files be remotely deleted if necessary. All of this is required in a healthcare environment experiencing an upswing in internal threats from contractors and employees alike because “the likelihood of data leakage is greater because they’re already inside the organization.”
While many IT and health security companies are focused on perimeter security, “building thicker and higher walls against cybercriminals, what they’re not doing as much is preventing problems on the inside,” says Randy Vanderhoof, executive director of the Smart Card Alliance, a non-profit, multi-industry association working on adoption of smart card technology.
To alleviate internal threats, Smart Card Alliance advocates the creation of more secure credentials for hospital employees, among others. “We know usernames and passwords can be easily compromised,” he says. A smart card approach would instead involve an ID card with an embedded chip, along with a biometric marker such as a fingerprint, and a required password to enter secure parts of a facility.
If insurers were to issue member cards with smart technology, network providers could read electronic information off the chip, replacing manual forms, he says. It could streamline billing and leave an electronic audit trail to confirm visits, thus reducing medical claims fraud.
“We’re actively in discussions with the insurance industry and the health IT industry to help them recognize it’s more cost-effective to build security into systems rather than going back after the fact into networks,” Vanderhoof says.
Train employees
While there is a broad range of security threats, Deloitte’s Mossburg says, “There is almost always, in every attack, some level of social engineering. There’s a human element to this.”
Sometimes the attack takes the form of a targeted email that seems to come from the chief executive officer to the chief financial officer or controller, stating that a wire transfer to a certain (false) account must be initiated. Adversaries are watching traffic patterns, figuring out how to make movements within the organization at accepted times, and they “have user identities and access, so they can go in the front door,” says Mossburg.
In the last nine months to a year, Beazley’s Keefe says her firm has handled an increasing number of phishing attacks directed toward healthcare leadership and senior teams in hospitals, including medical directors. The email message may be tailored by finding online information on executives, she says, describing the creativity of some phishing emails as “extraordinary ... and people are fooled by them.
“Training is so critical,” Keefe says. “HIPAA has had a training requirement for a long time, but you need regular reminders to staff, not an annual training, on data security.” Some healthcare organizations are building security hygiene into employees’ annual review/evaluation, she notes.
To minimize phishing, healthcare organizations can buy services to phish their employees as a training exercise, she says. As a way of “building teeth,” employers can structure workplace policies that levy corrective action if workers violate the phishing policy more than a certain number of times.
Dore agrees that employee training is key, including stressing that workers question whether they were expecting certain types of email. “The phishing emails [that attackers] are using now have become extremely sophisticated,” she says. “Previously, they had spelling errors [and other noticeable flaws] ... but now it can look legitimate, so it’s difficult to know.” Many organizations are trying to put in more sophisticated spam filtering systems, “but you can’t protect from everything,” she says.
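Training is the main control the experts above recommend, but the executive-impersonation message Mossburg describes also leaves signals a mail gateway can score before a person ever sees it. The block below is an added example, not code from the article or from any of the firms quoted: the organization domain, the executive directory and the two messages are constructed. It scores a message on four independent signals (an executive's display name on an external sender, a lookalike sender domain, a Reply-To that diverges from From, and payment-urgency wording) so that a single weak signal does not by itself quarantine legitimate mail.

```python
"""Header-and-body triage for executive-impersonation mail (the "CEO asks the
CFO for an urgent wire transfer" pattern).

Added example, not from the article or any vendor product; the organisation
domain, executive directory and both messages are constructed.
"""
import email
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"                       # constructed
EXECUTIVE_NAMES = {"dana rivera", "sam chen"}           # constructed directory (CEO, CFO)
PAYMENT_WORDS = ("wire transfer", "urgent", "confidential", "new vendor account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """External domain within two edits of ours (e.g. one swapped letter)."""
    return domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2


def triage(raw_message: str):
    """Return (score, reasons). Each reason is one independent signal; holding
    anything that scores 2 or more for human review is a reasonable threshold."""
    msg = email.message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    from_domain = sender.rpartition("@")[2].lower()
    reasons = []

    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        reasons.append("display name matches an executive but sender is external")
    if is_lookalike(from_domain):
        reasons.append(f"lookalike sender domain: {from_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To points at a different domain than From")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(word in body.lower() for word in PAYMENT_WORDS):
        reasons.append("payment-urgency language in body")
    return len(reasons), reasons


# Constructed messages. The suspect one swaps the 'l' in 'health' for a capital 'I'.
SUSPECT_MESSAGE = """\
From: Dana Rivera <dana.rivera@example-heaIth.org>
To: Sam Chen <sam.chen@example-health.org>
Reply-To: dana.rivera@exec-mail.example
Subject: Need this done today

Sam, I need a confidential wire transfer to a new vendor account before noon.
"""

LEGIT_MESSAGE = """\
From: Dana Rivera <dana.rivera@example-health.org>
To: Sam Chen <sam.chen@example-health.org>
Subject: Board deck

Sam, the Q3 deck is attached for your review. Thanks.
"""

if __name__ == "__main__":
    print(triage(SUSPECT_MESSAGE))
    print(triage(LEGIT_MESSAGE))
```

The lookalike check is intentionally narrow (two edits of the organization's own domain) because that is the case a filter can decide on its own; a message from an unrelated external domain that merely borrows an executive's name still scores on the first signal, and the wording check only adds weight rather than deciding alone.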
Jettison old data
Keefe says proper security measures include looking at whether data are encrypted at rest as well as in transit, whether intrusion measures are in place, and whether data are destroyed in a timely manner. “We’ve had larger breaches because organizations kept data too long,” she says.
“There is an adage in security [that applies to] every industry,” says Brad Cyprus, chief of security and compliance at Netsurion LLC, a firm providing cloud-managed IT security services. “If you don’t need data, destroy it.” Cyprus also cites the importance of having a firewall, knowing how it’s managed, and making sure it’s regularly monitored.
Organizations often prioritize keeping hackers from breaking into systems, but it’s just as important to protect the data within the system, says Cyprus. Thus, he says, the database server should lock down information as much as possible. “Databases are like huge file cabinets: You can ask questions ... [and] it’s possible to limit to whom it will respond.” Thus, you might have malware in your system, but it would be prevented from sending anything. “Your outbound policy is ultimately your last defense against a breach,” he says.
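Cyprus’s point that the outbound policy is the last line of defense is easiest to see as a default-deny allow-list evaluated against what a database host actually tries to reach. The block below is an added example, not code from the article or from Netsurion: the database host, the three permitted destinations and the flow records are constructed. It evaluates each outbound attempt against the allow-list, returns the denied flows as the detection signal, and flags destinations that keep being denied, since a blocked connection that retries on a schedule is what an implant phoning home looks like from the inside.

```python
"""Default-deny outbound policy for a database server, evaluated over
constructed connection attempts, with a repeat-offender check.

Added example for the "outbound policy is your last defense" point above; it
is not from the article or from Netsurion. Hosts, addresses and rules are
made up.
"""
import ipaddress
import re
from collections import Counter, namedtuple

Rule = namedtuple("Rule", "src dst_net port proto")
DB_SERVER = "10.20.0.10"   # constructed database host

# Constructed allow-list. The database host may only reach its backup target,
# the internal resolver and the internal patch mirror. Everything else is denied
# and logged, so a compromised DB server cannot push data out on its own.
EGRESS_ALLOW = [
    Rule(DB_SERVER, "10.30.0.5/32", 22, "tcp"),     # backups over SSH
    Rule(DB_SERVER, "10.0.0.53/32", 53, "udp"),     # internal DNS
    Rule(DB_SERVER, "10.40.0.8/32", 443, "tcp"),    # patch mirror
]

LINE_RE = re.compile(r"(\S+) (\S+) -> (\S+):(\d+) (\w+)")


def evaluate(src: str, dst: str, port: int, proto: str) -> str:
    """'allow' if some rule matches, otherwise 'deny' (default-deny)."""
    for rule in EGRESS_ALLOW:
        if (ipaddress.ip_address(src) == ipaddress.ip_address(rule.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst_net)
                and port == rule.port and proto == rule.proto):
            return "allow"
    return "deny"


def audit(log_text: str) -> dict:
    """Parse constructed flow records and return the allowed count and denied flows."""
    allowed, denied = 0, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        if evaluate(src, dst, int(port), proto) == "allow":
            allowed += 1
        else:
            denied.append((ts, src, f"{dst}:{port}", proto))
    return {"allowed": allowed, "denied": denied}


def repeated_denies(denied, threshold: int = 3):
    """Destinations denied at least `threshold` times: a blocked outbound
    connection that keeps retrying is the signal worth alerting on."""
    counts = Counter(target for _, _, target, _ in denied)
    return sorted(t for t, n in counts.items() if n >= threshold)


# Constructed flow records in "timestamp src -> dst:port proto" form.
SAMPLE_LOG = """\
2015-06-15T03:12:07Z 10.20.0.10 -> 10.30.0.5:22 tcp
2015-06-15T03:12:09Z 10.20.0.10 -> 10.0.0.53:53 udp
2015-06-15T03:15:00Z 10.20.0.10 -> 203.0.113.45:443 tcp
2015-06-15T03:20:00Z 10.20.0.10 -> 203.0.113.45:443 tcp
2015-06-15T03:25:00Z 10.20.0.10 -> 203.0.113.45:443 tcp
2015-06-15T03:30:00Z 10.20.0.10 -> 10.40.0.8:443 tcp
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(result["allowed"], "allowed;", len(result["denied"]), "denied")
    print("repeat offenders:", repeated_denies(result["denied"]))
```

On a real host the allow-list would be expressed in the firewall itself and this evaluator would only replay its logs; the value of writing the policy down this way is that the denied list is short enough to be read, which is what makes the outbound policy a detection control as well as a preventive one.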
He cites a “huge uptick” in hackers’ attempts to infiltrate healthcare organizations using remote-access tools to get into networks. For example, a large U.S. hospital’s computer help desk for its workers may be located in Singapore. If hackers were to gain access to the remote access system, they might introduce malware into the hospital’s system to steal data.
Conduct penetration tests
“If you are housing a huge amount of sensitive information ... you should do penetration testing multiple times a year” to look at the system’s most vulnerable areas, Cyprus says. In essence, that means hiring a former hacker whose job is to try to break into your system.
“You need to educate your employees,” Cyprus explains. “A penetration test is not just technology. It also looks at hardware, software, procedures, and physical security, down to how your file cabinets are locked.”
Give cyber risk its due
A healthcare organization needs an appropriate governance structure around its cyber risk program that goes well beyond IT, Deloitte’s Mossburg says. And the cyber risk go-to person must have the ability to understand the business as a whole and have appropriate interface with others in the organization.
It remains a struggle to ensure alignment between people dealing with cybersecurity from the technical perspective and from the business perspective, Mossburg says. But, she adds, “this is the reality now. It’s not going to go away and we need to adapt to it ... and keep pace with the attackers and adversaries.”
Prepare a response plan
Mossburg says it’s more a question of when a healthcare organization is going to have a cyberattack, not whether it will occur, and organizations must be prepared to respond immediately. Rehmann’s Dore urges organizations to make sure they have incident response plans in place because a cyberattack “could come on very quickly, and the more preparation, the more ease in handling it.”
Recent cyberattacks also illustrate the need to have proper controls in place and use them, Dore says. Target, for example, had a monitoring tool in place but essentially wasn’t using it, she says. Had Target properly implemented the software, it would have helped to identify the problem before the company was compromised, though using the tool would have taken away some of the system’s ease of use.
Understand your place
In the end, collaboration is key to guarding against cybersecurity threats, says Jennifer Covich Bordenick, chief executive officer of Washington, D.C.-based eHealth Initiative, an independent, non-profit group trying to drive improvements in healthcare’s quality, safety, and efficiency through information and IT. The national group, whose board chair is Sam Ho, MD, UnitedHealthcare’s chief medical officer, represents all stakeholders in the industry.
Despite legal concerns about working with private-sector competitors, Bordenick says, the fact remains that cybersecurity often breaks down outside of one’s organization. Thus, she says, there is “starting to be a new level of acceptance” toward collaboration efforts to combat breaches.
According to Bordenick, eHealth Initiative seeks to create information-sharing standards across the healthcare industry. It is also developing principles for a secure common platform that will allow industry stakeholders to share information on how to handle cybersecurity issues. Its executive advisory board on privacy and security, which issued a meeting report on healthcare and cybersecurity in November 2014, regularly invites regulators to closed-door forums for public sector input because regulations must change to keep up with the times.
“You can’t just look internally,” Bordenick says. “It’s all about when information leaves through different doors ... and [healthcare] organizations have hundreds of doors ... Every partnership, every vendor, every third-party that they deal with is a different door, and patients and providers have access to that information as well.”
Bordenick says that is why healthcare organizations must conduct thorough self-audits of their vulnerabilities and security protocols, complete with an understanding of downstream organizations-especially since small provider groups, vendors and third parties may lack the resources for robust cybersecurity systems. “It’s really about understanding your place in the world,” she says.
Judy Packer-Tursman is a writer in Washington, D.C.