2015 was the year of the health care security breach. Nearly 100 million electronic health records were compromised, according to a December 2015 IBM Security report, blowing away the number of data breaches that occurred in the computer services and financial sectors.
The increase in stolen records was staggering, says John Kuhn, senior threat researcher at IBM Managed Security Services. Between January 2011 and December 2014, health care accounted for just 0.63 percent of the records compromised across all industries, the IBM report found. That figure ballooned to 33.6 percent for January through October 2015.
“Last year, it seemed like criminals finally caught on to the value of this data,” Kuhn says. “When you think about health care records, that’s your entire life — your health history, your address, your past addresses, your Social Security number — everything.”
That’s why medical records fetch $50 or more on the black market, compared with a dollar or less for credit card numbers. “Credit card data expires,” Kuhn explains. “Health care data is yours for life, and that’s why they’re after it.”
Insurers experienced the largest number of health care breaches last year, but hospitals were not immune. The Healthcare Information and Management Systems Society surveyed 297 security professionals for its 2015 Cybersecurity Survey, mostly from hospitals. Sixty-eight percent of respondents reported that their organization experienced a significant security event in the recent past. Sixty-four percent said the cyberattack was carried out by somebody outside the organization.
Cyberattacks come in several forms. The term hackers commonly refers to programmers or engineers who have expertise in computer technology and can penetrate a security system. Social engineering involves conning a business’s employees into inadvertently providing information that allows the bad guys to get past privacy mechanisms. Nation-state actors work for foreign governments to obtain digital information on a rival country’s agencies, defense programs and major businesses. Hacktivists do all of the above to promote a social or political agenda.
The most common online attack in health care is called phishing and often involves an email that appears to come from a legitimate organization, such as a bank. The email includes a link to a convincing-looking but fake website. The purpose, as always, is to obtain confidential information, in this case, primarily credit card data. Last year, phishing accounted for 36 percent of external attacks on online health care data.
Phishing has become much more sophisticated in the last couple of years. Gone are the days when someone half a world away would send an email promising — usually in poor English — that the recipient would earn millions of dollars for helping the individual out of a financial or legal problem just by sending along personal financial account information.
Nowadays, the message could look as though it comes from the hospital president, the facility’s parent company, the help desk or the human resources department. “It has the official logo, looks very professional and might have graphics,” says Lee Kim, director of privacy and security for HIMSS North America. “You can’t necessarily tell by quickly glancing that it’s phishing.”
Hospitals are stepping up to the challenge. Eighty-seven percent of the HIMSS survey respondents said cybersecurity increased as a business priority in the past year. They’re using a combination of technology, policy and training to lessen the chances that bad actors will succeed, and they’re formulating plans to mitigate the damage if they do.
Technology as a barrier
When it comes to phishing, some older technologies continue to be crucial prevention tools. Strong spam filters that can be updated quickly and easily as new threats emerge are essential, as are firewalls and anti-malware software.
At Munson Healthcare in Michigan, 95 percent of all external emails are filtered out immediately because they’re either identified as spam or malicious, says Ryan Winn, information systems director of security and privacy. Nevertheless, a bad email occasionally gets through because vendors haven’t yet added it to their spam filters.
That vulnerability means the old tools are no longer enough. “There are other technologies that you put in place [to create] a multilayered defense,” says John D. Halamka, M.D., chief information officer for Beth Israel Deaconess Medical Center, Boston.
Criminals often count on victims to click on email links to sites that either are laden with malware or that encourage the person to enter his username and password. “Spam filters and virus detection look at emails for content; often the content may be fine but the link that you click is actually to a known virus site,” Halamka says. So Beth Israel Deaconess uses a third-party service that screens the URLs employees click on and only allows access if the website is deemed appropriate and safe.
Prevention tools are just one weapon in the technology arsenal. Increasingly, hospitals are turning to detection tools, which spot intrusions. In the HIMSS survey, 64 percent of security professionals said they use audit logs of each access to patient health and financial records. Nearly 55 percent have intrusion detection systems and 49 percent use network monitoring tools.
Munson uses monitoring software and runs audits that look for a variety of suspicious activities. “If someone were to log in and start randomly looking at patient records, we’d find them pretty quickly,” Winn says. “If you assume you’re OK but you’re not monitoring for it, you just can’t state that you’re doing your job from a HIPAA perspective.”
Alerts allow his department to quickly investigate and act if an intrusion occurs. Winn estimates that a warning fires every other day. “Most of the things we investigate turn out to be nothing, but we look at every alert that pops up and try to make sure there is no deeper issue,” he says.
An essential part of network security is knowing where all the data are. Patient data could be on a number of information systems, on hard drives, laptops and phones. “If you don’t know where the jewels that you’re trying to protect are, it’s very difficult to protect them,” Kuhn says. “It’s a matter of getting granular visibility into the network.”
Controls on access to information based on user need also protect patient and financial information in the case of a breach, Halamka notes. A criminal who successfully scams a hospital maintenance worker, for example, still won’t have access to patient data if strong user controls are in place.
User privilege controls, called for under HIPAA, are especially important because criminals have started targeting hospital executives in sophisticated phishing schemes, a practice known as whaling. At Beth Israel Deaconess, the CEO doesn’t have access to clinical data, so a phishing scam directed at him won’t net patient medical records. Similarly, the chief medical officer doesn’t have access to the financial systems. “We do everything we can to segregate access to data based on role,” Halamka says. [Continued.]
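The two practices described above, audit-log monitoring for someone "randomly looking at patient records" and role-based segregation of access, can be checked from the same access log. The following is an added example, not code from Munson Healthcare or Beth Israel Deaconess; the log format, the role-to-system policy and the thresholds are assumptions for illustration.

```python
"""Audit-log review for patient-record access (added example, assumed format).
Flags a role reaching a system it is not entitled to, and a user opening many
distinct patient records in a short window ("randomly looking at records")."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role -> permitted systems; deny by default (unlisted role gets nothing).
ROLE_POLICY = {
    "nurse": {"clinical"},
    "billing": {"financial"},
    "cmo": {"clinical"},    # chief medical officer: no financial systems
    "ceo": {"financial"},   # chief executive: no clinical data
}

# Constructed sample log, one access per line: timestamp|user|role|system|patient
SAMPLE_LOG = """\
2016-03-01T09:00:00|rn_alice|nurse|clinical|P1001
2016-03-01T09:02:00|ceo_bob|ceo|clinical|P2002
2016-03-01T09:03:00|bill_carol|billing|financial|P3003
2016-03-01T09:04:00|rn_dave|nurse|clinical|P4001
2016-03-01T09:04:20|rn_dave|nurse|clinical|P4002
2016-03-01T09:04:40|rn_dave|nurse|clinical|P4003
2016-03-01T09:05:00|rn_dave|nurse|clinical|P4004
2016-03-01T09:05:20|rn_dave|nurse|clinical|P4005
"""

def parse_log(text):
    """Yield (timestamp, user, role, system, patient_id) from the assumed format."""
    for line in text.splitlines():
        ts, user, role, system, patient = line.split("|")
        yield datetime.fromisoformat(ts), user, role, system, patient

def review(text, window=timedelta(minutes=5), max_patients=4):
    """Return sorted alert strings for role violations and access-volume anomalies."""
    alerts = set()
    seen = defaultdict(list)  # user -> [(timestamp, patient_id)]
    for ts, user, role, system, patient in parse_log(text):
        if system not in ROLE_POLICY.get(role, set()):
            alerts.add(f"ROLE_VIOLATION {user} ({role}) accessed {system}")
        seen[user].append((ts, patient))
    for user, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            distinct = {p for t, p in events[i:] if t - start <= window}
            if len(distinct) > max_patients:
                alerts.add(f"VOLUME_ANOMALY {user} opened {len(distinct)} records in {window}")
                break
    return sorted(alerts)

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Every alert still needs a human look, as Winn notes; the script only surfaces the two patterns the article describes so that the investigation can start quickly.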