IT Focus Area: Security
March 30, 2016
Better Health Care Security: The Way Forward in 2016
2015 was the health care industry's most challenging security year yet, with a series of massive data breaches exposing the records of over 100 million people. According to the U.S. Department of Health and Human Services, it brought the five-year total of compromised patient records to 143 million, or 45 percent of the U.S. population. This crisis has extended into 2016 as cybercriminals continue to press forward with attacks on the industry, drawn by an assortment of opportunities for fraud.
The theft of health data can be hard to detect, and unlike a credit card, a health record cannot be reissued once it has been stolen, which makes it more valuable to hackers. While credit card numbers are estimated to be worth around $1 on the black market, health records are worth 10 times as much, if not more; the FBI has reported criminals can sell health care information for as much as $50 a record.
According to the Ponemon Institute, criminal attacks are the number one cause of data breaches among large health care organizations. Attackers are monetizing health data in a variety of ways. Some sell stolen health insurance credentials, which are increasingly valuable as health care costs create a demand for free medical care that can be accessed through these credentials.
Others find health care providers to be easy targets for ransomware, a type of malware used to encrypt files and hold data hostage. Hospitals have money to spend, and cannot tolerate interruptions in access to systems or patient data. Several American hospitals have already been hit by ransomware attacks in 2016. Many — such as Hollywood Presbyterian in Los Angeles — have seen no alternative but to quickly pay the “ransom” to get their systems up and running again. However, just last week Methodist Hospital in Kentucky refused to do so, choosing instead to shut down the infected part of its computer system and rely on backups.
The Nation-State Threat
There is more at stake than money: electronic health records (EHRs) are like personal identity dossiers of individual users, consisting of highly sensitive medical information, financial information, regional and geographic data, and even behavioral detail. Governments can use stolen EHRs to enhance what they know about target populations, and cross-reference it with other hacked data. For example, the Chinese are suspected to be behind both the Anthem and the Office of Personnel Management (OPM) breaches. OPM is the central human resource planner for the U.S. Federal Government, and Anthem is the country’s largest health insurer. If the data stolen from those breaches were successfully combined, it would be what one security expert calls “the Holy Grail of electronic data on almost all people with U.S. government clearances.”
What’s Being Done?
While the health care industry has traditionally been known for its poor data security habits and reliance on antiquated technology, there are definite signs of improvement. The Cybersecurity Act of 2015 passed by Congress at the end of the year includes nine pages of proposed health care-related cybersecurity measures that focus on establishing a plan for the future of the industry's security. And health care payers and providers have reportedly increased their information security budgets by 79 percent over the past two years. In response to rising threats, they’re actively working to advance prevention, detection and response capabilities.
Many organizations are adopting risk-based cybersecurity frameworks such as the NIST Cybersecurity Framework to inform their overall security strategies, and taking better care to address the security practices of their service providers, contractors and other business partners by instituting strong policies around required certifications and/or attestations (HITRUST, SOC 2, etc.). They are also increasingly implementing encryption on laptops and portable media, which helps to prevent data loss by rendering the data unreadable to whoever obtains the device in the event of a breach. And according to PWC’s 2016 Global State of Information Security Survey, 60 percent of health care payers and providers said they are employing multi-factor authentication to strengthen access control.
Health care organizations are taking a cue from financial organizations and turning to security analytics platforms to strengthen detection efforts. These platforms can bring situational awareness to security events by gathering and analyzing a broad set of data, and helping to identify and prioritize threats that pose the most harm. SIEM and context-aware user behavior analytics (UBA) are two such solutions. Per PWC, 61 percent of organizations now report using cloud-based monitoring services, and 50 percent report using big data analytics to improve their understanding of risks and gain insight into user behavior.
Recognizing the inevitability of a breach, organizations in PWC’s survey reported a double-digit increase (up to 52 percent of respondents) in the purchase of cybersecurity insurance in an effort to mitigate the impact of incidents. Additionally, 65 percent of health care organizations have a formal incident response process in place with involvement from IT, information security and compliance, according to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security in Healthcare.
The Way Forward
Attacks on the health care industry will continue as the list of Internet-connected devices, tools, and sites containing health data keeps growing. The industry is moving in the right direction to protect itself but should expand its efforts, and remain vigilant. Think of IT security as a chronic illness: it requires ongoing testing, treatment and re-evaluation not only through the use of technology, but with the regular use of services such as program assessments, threat assessments, compromise assessments and managed services. By realizing the value of medical data and protecting it accordingly, we can reduce the impact of data breaches.