Cyberattacks on US Healthcare
Read more from the latest issue of Billing.
If you look around you, chances are you'll see some form of technology. Whether it's a computer, smartphone, or tablet, these days technology in the workplace is as ubiquitous as coffee or meetings.
The same is true in healthcare, and for many reasons, this is a good thing. Information technology and Web-based tools have helped the healthcare industry manage patient records and conduct billing, research, and administrative functions with greater efficiency. But with these tools comes the threat of cyberattacks.
Any institution – be it a private practice or a public hospital – that uses health IT systems with inadequate security or enforcement is susceptible to a cyberattack. What's more, a breach of security in the healthcare industry is particularly challenging because the impact is widespread and carries very specific legal, organizational, and individual accountability issues. Indeed, the rising prevalence of cyberattacks poses a huge problem for the healthcare industry.
The State of Cybersecurity in Healthcare
The advent of health IT systems has, unfortunately, allowed hackers to commit traditional crimes of theft and financial fraud faster and easier. Additionally, the Internet provides an unparalleled degree of anonymity, making it difficult – if not impossible – for police to investigate and prosecute these crimes. And although healthcare institutions have processes and basic security systems in place to stem the threat of cyberattacks, I have seen that the healthcare industry in general lacks the technical and administrative knowledge necessary to combat advanced, persistent threats.
Recent reports help illustrate this issue. Healthcare IT News reported that Ponemon Institute's 2012 "Benchmark Study on Patient Privacy and Data Security" showed that "some 94 percent of hospitals have experienced data breaches over the past two years, with medical files, billing, and insurance records accounting for the majority of them." [1] Other instances of cyberattacks in healthcare include complex, sophisticated spear phishing attacks and social engineering methods for data infiltration.
The impact of a cyberattack can be huge. There is the potential for the loss of intellectual property, personally identifiable data, and public confidence. And cyberattacks in the healthcare industry always have multiple victims: the healthcare provider/institution and the patients. Not only can this be financially devastating, but the lack of patient confidence and trust can undermine the infrastructure of the entire industry.
So, how can you stem the threat of cyberattacks? To be fully effective, you will need to bring in an expert. Advanced, persistent threats such as the ones that can occur in the healthcare industry require an ability to plan, design, and implement effective cybersecurity controls that can stay ahead of emerging threats and current technologies. Indeed, cybersecurity should not be randomly assigned to any employee. Instead, cybersecurity requires a higher level of education, training, and certification.
Defense in Depth and Breadth
The following is an overview of best practices for cybersecurity implementation, as well as the techniques a cybersecurity professional should use.
Just as practitioners use data to make healthcare decisions, IT personnel should also use data when designing and implementing cybersecurity programs and policies. To start, IT staff should conduct a robust risk analysis, which will generate data on the types of information and information systems that need security controls and therefore serve as the foundation of a strong and effective risk management plan.
A robust risk analysis includes a detailed inventory of the organization's active and inactive information systems, networks, programs, applications, hardware, and software. It is important not to confuse the inventory with an audit or confuse an audit with security. They are three tasks that have very separate and distinct functions.
The data from the inventory represents a holistic and intricate view of all the health information that is generated daily within the IT systems. An effective cybersecurity plan uncovers every point of entry for all systems identified in the inventory – similar to listing all points of entry and exit when developing an evacuation plan for a building.
The next piece of the plan is to determine where this information goes. A process known as mapping details the flow of data from the system where it originates to the system that stores the personal health information. Many factors influence the flow of data. These include internal policies and guidelines and any applicable federal and state regulations regarding the retention, classification, and transmission of personal health information, as well as financial regulations such as the Payment Card Industry Data Security Standard (PCI DSS), which helps protect cardholder data.
The next phase of the risk analysis is the audit, which is a bird's-eye view of an elaborate process with minute details. This is a very complex process and will need to be conducted by a cybersecurity expert.
The final phase of the risk analysis is security. Cybersecurity practices in the healthcare industry must be integrated into the planning, design, and implementation of technical, administrative, and physical levels of controls. This includes incorporating layers of what are called defense in depth (DiD) and defense in breadth (DiB) strategies that are relative to an organization's specific risk management plan. DiD requires an organization to use more than one layer of security to protect information and information systems from cyberattacks. Securing a laptop to the desk, using a password-protected screen saver, and using data encryption are examples of DiD strategies. On the other hand, DiB involves using multiple layers of security within a single layer. Examples of DiB include locking the door to the server room and keeping the server locked inside a server cabinet, as well as using more than one method of data encryption to store and transmit sensitive information.
Why Use This Level of Protection?
Using multiple layers of protection also serves as a deterrent. It is similar to posting a "beware of dog" sign – it warns potential intruders that you have taken the necessary steps to secure your property, thereby making them less likely to break in. When a system is more difficult for hackers to penetrate, they will be more likely to move on to a different one. But this is not a fail-proof approach. These deterrents do little – if anything – to stave off an advanced, persistent threat. If a hacker targets a specific person or organization, they will spend months, even years, trying to penetrate the system. More than likely, the hacker has collected a great deal of information about you, your business, or your patients during that time and has a very specific purpose for the breach. They know what they are looking for and how they plan to use the data once they get it.
Still, using DiD layers of protection will help mitigate the consequences of a security breach. Also, in the unfortunate event of a lawsuit, you can prove that you acted with due diligence by demonstrating use of DiD layers and the other security protocols outlined in the organization's risk management plan. This is becoming increasingly important, as the rise in organizational security breaches has resulted in an increase in lawsuits against first- and third-party providers, and the healthcare industry is a growing target. Even HIPAA does not offer any level of protection for providers if they become the victim of a security breach. Compliance with HIPAA simply means that you and/or your organization will not receive a penalty for noncompliance. The provider must take additional security measures to protect not only the organization's data, but also the patient's data. Taking these additional precautions is the only way to decrease your (or the provider's) liability.
Organizations routinely make several common errors when attempting to develop and implement cybersecurity plans. The first error occurs with the budget process. In many cases, organizations budget for expenses such as cybersecurity after the budget has already been determined for other areas of operation. And while many organizations modify budgets when needed, not including cybersecurity needs in the initial budget forecast can leave your organization vulnerable to emerging cyberthreats.
There are many reasons why an organization might allocate funds for cybersecurity management after the budget has been created. One reason is that many organizations have not fully grasped the inherent dangers associated with Web-based applications. Another reason is that most do not fully understand the various levels of a healthy cybersecurity plan or the implications of a security breach. Another trend is the reliance on cloud-based applications and the false sense of security they provide. Whatever the reason, developing a budget for your health information systems and processes that is flexible and can respond to current trends is critical.
The second mistake many organizations make is assigning cybersecurity responsibilities and duties to the IT department. Cybersecurity is not an IT function. The IT department is, at the most basic level, responsible for making things work, troubleshooting, and connecting wires. Even if you have someone in IT who also understands security, allowing them to wear both hats presents additional challenges. Cybersecurity is labor intensive. It requires regular monitoring of both internal and external threats. Ultimately, one function will suffer if you have the IT department also serve as cybersecurity management.
Another mistake organizations make is conducting an audit before they plan, design, and implement security. This is often done by getting the checklist in advance, then ensuring everything is in place. This practice is referred to as "checking the box." Organizations should instead focus on security by design first.
The fourth mistake that organizations make is having the IT department facilitate the internal audit. This is like asking your administrative staff to identify which programs are overbudget and why. The staff can probably make a few educated guesses, but they cannot provide the depth of information needed to resolve the situation. Likewise, the IT department is not able to provide the level of analysis needed to adequately protect systems from a cyberattack. The unintended consequence of cutting corners on cybersecurity is a HIPAA violation, which can result in fines in the range of $100,000 to $1.7 million for individuals and organizations – not to mention the prospect of imprisonment if a court determines there was gross negligence on the part of the provider in failing to adequately secure personal information.
Finally, the fifth error many in the healthcare industry make is assuming that cyberattacks only happen in the retail or banking industry. Clearly, cyberattacks do occur in the healthcare industry, and recent data show some startling figures. The February 2014 SANS-Norse Healthcare Cyberthreat Report shows the percentage of malicious traffic observed in several sectors of the US healthcare system – revealing an overwhelming majority occurring in one area: [2]
- Healthcare Providers: 72 percent of malicious traffic
- Healthcare Business Associates: 9.9 percent of malicious traffic
- Health Plans: 6.1 percent of malicious traffic
- Healthcare Clearinghouses: 0.5 percent of malicious traffic
- Pharmaceutical: 2.9 percent of malicious traffic
- Other Related Healthcare Entities: 8.5 percent of malicious traffic
The Security Triangle in Healthcare
The data from the SANS-Norse report underscores the importance of cybersecurity in healthcare organizations. Again, though, implementing cybersecurity requires a high level of skill and expertise. This is particularly true in the healthcare industry, which has unique application and program requirements when using proprietary software. It is a complex environment that requires reliable, sturdy systems and processes that allow medical professionals and supporting staff to effectively provide quality care. The reliance on technology and Internet Protocol communication devices in the healthcare industry makes it necessary for healthcare organizations to scrutinize the systems, people, and processes that use these special technologies.
The goal of cybersecurity as it relates to HIPAA and PCI DSS compliance is to protect the confidentiality, integrity, and availability of information systems that store, transfer, and maintain protected health information and personally identifiable information. Maintaining the confidentiality, integrity, and availability of these information systems is known as the CIA triad.
There are specific ways to do this. To maintain confidentiality, you must implement layers of defense to prevent unauthorized disclosure of information. This includes ensuring that unauthorized parties do not have access to personal information, and that authorized parties do not disclose personal information to unauthorized parties. To build integrity, you must implement layers of defense to prevent unauthorized changes to systems and processes, ensuring that only authorized parties make approved changes. The last piece – availability – involves taking measures to ensure healthcare information and information systems are available to authorized users and operating at full capacity.
A cybersecurity expert can help you implement the CIA triad. To effectively determine an organization's ability to withstand a cyberattack, all three pieces of the CIA triad must be evaluated separately against every information system that processes and stores protected health information. In addition, the CIA triad must be evaluated within the framework of HIPAA and PCI DSS.
No Silver Bullet
The threat of a cyberattack can be a scary prospect, and the consequences of one are immense and serious. Additionally, there is no silver bullet for cybersecurity – each organization has its own systems, processes, and challenges. In order to help you protect your organization against a cyberattack, first seek the advice of a cybersecurity consultant. The consultant can conduct an audit and assessment and provide you with recommendations on implementing a compliant cybersecurity system. In doing so, you are taking a significant step in warding off cyberattacks.
Dr. Dwayne Hodges is a Certified Information Systems Security Professional (CISSP) with the International Information Systems Security Certification Consortium (ISC)² and is the CEO of DH Cyber Security Solutions. He is a professor in higher education, as well as an academic engineer in several disciplines, including homeland security defense and preparedness and cybersecurity. For more information on cybersecurity assessments and practices, contact Dr. Hodges at dwaynehodges@DH-cybersecuritysolutions.com. Listen to Dr. Hodges speak at http://youtu.be/X9jSFRiJX_k.