On High Alert for Hackers
By Juliann Schaeffer
For The Record
Vol. 28 No. 9 P. 14
A versatile defense and good cyber "hygiene" can help keep data safe.
A throng of cyberthieves has set its eyes on the health care industry. The precious and prized nature of protected health information paired with the industry's IT vulnerabilities make it unlikely this trend will diminish on its own anytime soon.
What can health care organizations do to stay ahead of hackers? Some experts say a multipronged approach—one part strategy, one part technology solutions—along with a whole lot of "never taking your eyes off the ball" is in order.
According to Emily Vaughn, director of client services at Gem, the health care industry has officially moved into the undesirable spot of being the top target for cyberattacks, "with over 100 million medical records compromised in 2015 alone," she says, citing findings from IBM's 2016 Cyber Security Intelligence Index. "From 2010 to 2015, one [Ponemon Institute] study found a 125% rise in reported cyber attacks in health care with 91% of study participants reporting at least one data breach."
In addition to those findings, a recent survey by accounting, audit, and advisory firm KPMG found that more than 80% of health care providers and payers have had their systems compromised in the prior two years.
Whereas five or 10 years ago health care organizations were more likely to be worried about employee-related security incidents, today the bigger concern is cyberattacks, says Michael Justice, MBA, president of MICA Health.
But why health care and why now? According to Michael Ebert, CPA, cyber leader for health care and life sciences at KPMG, it's twofold. "Our work in this industry has shown the richness of the information the hackers can gain access to as well as the direct funds they can get from those they compromise as good reasons why this industry, above all others, is so threatened," he says.
While it may seem like small and medium-sized organizations lacking security budgets and resources would be most at risk, all health care organizations are vulnerable. "Hackers target honey pots of critical data, so any business that stores or has access to vast amounts of private data is a potential target," Vaughn says.
Ebert says it hasn't helped that the health care industry as a whole has traditionally underinvested in data protection technologies. While it rightly has placed more emphasis on patient care, he says security concerns are becoming entangled in that process.
"Traditionally, health care providers were focused on patient care and safety, but the effects of cyber threats have [threatened] their ability to treat and care for patients," Ebert explains. "Recent events have resulted in full shutdown of services to a community and large regional population areas and the inability to properly care for existing patients already within the system."
Ebert says health care has been fortunate to this point in that a cyber attack has yet to directly result in a patient death. However, he warns, the risk is there.
Health Care's Best Defense
How do organizations combat these ever-evolving cyberthreats? "It will take time for the industry to react to these new threats and money to be lined up within already tight budgets to effectively address the cyber risks today and in the future," Ebert says.
A strong defense includes determining the type of attacks—even the unsuccessful ones—being launched against the organization. "Visibility is always a better strategy, provided that it is not too distracting," says James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a cybersecurity think tank. "If health care organizations can get a holistic understanding of the threat landscape without making rash decisions, then they can adapt their defenses and develop their cyber posture according to emerging threats and nascent technologies."
Vaughn explains the strategy in more colorful terms. "If someone came to your house every day and tried to break in, would you wait for them to be successful before increasing security? Data breaches don't break the security system—they take advantage of its weaknesses," she says. "If hackers are constantly coming for your data and failing, that is the opportunity to understand their methods and motivations and to counter them."
Moreover, Vaughn notes that taking an out-of-sight, out-of-mind approach to information security is particularly dangerous for health care organizations "because it assumes you even know what to look for," she says. "Data breaches can happen without setting off any alarms, so it's important to be as proactive as possible about building, maintaining, and improving your security."
Not only is proactive monitoring, along with real-time response, the best approach to protecting patient information, employing anything less would be irresponsible, Justice says. "Health care organizations have a duty to protect patients' privacy and information," he notes.
While noting that there's no one technology that will eliminate cyber threats, Ebert says health care organizations are best off making a series of concerted efforts to create an effective cyber defense. This strategy demands a well-organized network security architecture that includes technologies to detect, prevent, eliminate, and monitor cyber threats. "It's an effective combination of these efforts that presents the best cyber defense," he says.
Technology is a vital piece to securing data, but according to Hema Krishnamurthy, vice president of research and development at Guardtime, the majority of modern security solutions target data confidentiality—an approach that not only leaves inherent holes but also is ill equipped to tackle the number of ever-increasing endpoints. "[These solutions] try to erect barriers against unauthorized access into endpoints in order to create a secure perimeter that keeps the whole system safe," Krishnamurthy says. "However, there is not a security expert in the world who can say with 100% certainty that their network doesn't have any vulnerabilities."
With the proliferation of cloud technology, remote access options, and Internet of Things devices, Krishnamurthy says most private networks have far too many endpoints to properly secure. "There is currently no transparent and scalable way to verify that data is trustworthy, that it hasn't been altered in an unauthorized way or exfiltrated," she says.
What's more, Krishnamurthy says that in the event of a breach, organizations often don't discover the compromise until months later when system administrators must actively search each endpoint to identify which pieces of data were accessed and which were manipulated. "This is a costly exercise, equivalent to searching for needles in a haystack. And that's if they realize the attack at all—70% of cyberattacks go undetected," she says.
Krishnamurthy says data integrity looms large in the fight against cyber thieves. "Data integrity is the biggest threat to businesses, governments, and health care organizations today," she says. "With health care fraud costing hundreds of billions of dollars every year, we need a system that allows for an unprecedented amount of auditability and transparency, one that makes it impossible to manipulate information and hide what was changed."
Krishnamurthy says blockchain-based keyless signature infrastructure (KSI) technology can address data integrity, noting that the Estonian government protects more than 1 million patient health care records via this method.
"Estonia has been at the forefront of innovation in digital society for the last 20 years and is the only country where a majority of citizens carry a smart card with access to over 1,000 electronic government services," she says. "EHRs are a critical component of these services, and blockchain technology enables an independent, forensic-quality audit trail for the lifecycle of those records, making it impossible to manipulate information or hide what was changed."
The Estonian eHealth Foundation is integrating Guardtime's KSI blockchain into its Oracle database engine, which will provide real-time visibility into the state of electronic systems and the lifecycle management of patient records.
While blockchain technology isn't security software, Vaughn says it could be a critical component to future security systems. A blockchain essentially creates a network through which many entities can connect and exchange information directly, she says. "Blockchains are relevant to data security because they utilize public key infrastructure to authorize user permissions and they create cryptographically secure historical records of network activity," Vaughn says. "So in English, that means blockchains use a stronger security method than passwords to grant access to information. They also keep a permanent, tamper-proof record of the entire network that proves who did what, when."
Scott says blockchain technology uses many computers and authorizations to ensure the integrity of a shared database without the need of a central authority. "In theory, this prevents manipulation or exfiltration of data by requiring multiple authorizations of access to that data," he explains. "For instance, say a doctor, nurse, and patient all have authority over a record. Then permission of at least two of the three might be required to access that record."
For sure, blockchain technology offers increased data security. However, Vaughn says some organizations have found it difficult to use thus far. "This technology is in its nascence," she says. "Most people have trouble keeping track of their password, let alone maintaining encryption keys. It will take time and innovation to deliver a blockchain-based security solution that is scalable."
Threat intelligence services are also available to health organizations looking to beef up cyber defenses. According to Ebert, these services are positioned to fill an important role. "No longer is it the simple virus that is detectable by antivirus software based upon a signature," he says. "Today, threats are metamorphic, with no unique identifier for antivirus software to detect. Threat intelligence services provide information on threat actors or indicators of compromise for organizations to understand how cyber threats today act within an environment, move data, influence communication protocols, and identify ports opened on the network, along with other vital information on virus actors."
No matter what technology an organization employs, Scott emphasizes that users will continue to be the ultimate determinants of any network's strengths and weaknesses. "No matter how impervious a system is to compromise, its defenses will not matter if its users click phishing e-mails or mistakenly download malware or ransomware," he says. "Systems that preempt human error are vital."
Scott adds that organizations considering cybersecurity options should favor any technology that detects malicious activity according to heuristics instead of relying on malware signatures. Also, technology that reduces the amount of noise in collected and logged information—thereby focusing responder attention on suspicious activity—is preferred. "Finally, user behavioral analytics, which monitors changes in employee behavior and detects insider threats, can help to identify employees who are negligent or malicious," he says.
Scott points out that no matter what technology or mix of technologies an organization selects for its cybersecurity, threats will continue to circumvent or even exploit the latest and greatest. Because of this reality, he says how an organization views cybersecurity can make all the difference, including whether it supports basic cyber hygiene.
"Basic cyber hygiene means having a collection of guiding strategies that support a holistic cybersecurity strategy throughout the organization," Scott says. "Once the organizational mindset is focused and risk informed, and scenario-based strategies are in place, then technologies can be employed to support that strategy and defend the network. In medieval terms, what good is a shield or sword without the training to use them?"
According to Scott, cyber hygiene fundamentals include policies that focus on the following:
• network segmentation;
• the principles of least privilege and least access;
• continuous risk assessments; and
• reducing human error.
"Humans are both the strongest and the weakest link in cybersecurity," Scott says. "Health care organizations need programs that teach employees to care about basic cybersecurity practices, such as credential management, spear-phishing avoidance, recognizing insider threats, and other best practices."
Vaughn echoes the importance of education, noting that a solid cybersecurity plan involves education and adherence within the company, along with proactive testing and implementing best-in-class security software. "There is no magic pill or one-time installation," she says. "Cybercrime is like a bacteria that evolves to develop immunities to medication—security software being the medication. To fight this type of problem, it requires being educated about the conditions for risk, adopting strict practices that reduce risk, and employing the proper resources to eliminate it."
Education means little without enforcement, and strong password policies are a must, with dual-factor authentication whenever possible, Justice says. "Control software vendor access and mandate strict remote access policies," he says. "Remote desktop protocol and other remote access applications like TeamViewer have recently been implicated in health care data breaches. These applications are commonly used by vendors to support applications remotely."
This would seem to indicate the need for a data security boot camp for contractors and vendors as well as employees. "Remember, legacy applications (EMR, practice management, general ledger systems) are oftentimes overlooked in the overall planning for cyberattacks," Justice says. "Get those systems archived or virtualized so that they can be secured with the rest of the enterprise. Terminate contractor and vendor passwords at the end of projects or contracts. And end the use of service account passwords."
"Encrypt everything," Vaughn says. "Even though regulators don't require encryption, Social Security numbers, birthdays, addresses, and other personal information should never be stored in plain text."
According to Ebert, any well-rounded approach to cybersecurity must take into account people, processes, and technology. "People are certainly the most important part of that equation to make any strategy or mindset more effective when it comes to protecting patient information," he says. "Regardless of strategy or culture around data security, both require a commitment from the organization in terms of resources and just an overall degree of conscientiousness about managing risks."
More broadly, Krishnamurthy says the health care industry needs an entirely new mindset when it comes to cybersecurity. "Traditional security solutions try to protect organizations' data by limiting access to it," she says. "But as we have seen in the last year with numerous costly cyberattacks to health care systems, those kinds of solutions are failing."
Public key infrastructure and encryption-based security are essential controls, but they're not enough, she notes. Krishnamurthy believes organizations must start thinking differently about the problem to find a new set of strategies and tools.
"We have a massive need for visibility into all the places where data live—the insides of files, networks, and systems," she explains. "To defend against cyberattacks, organizations need to implement a system that allows for full transparency into their data—one that is multipronged and focused on data-centric security showing if and when their data have been changed, what specifically has been manipulated, and who has manipulated it."
Because of the huge stakes in play, Scott says cybersecurity must be top of mind. "Health care organizations protect immensely valuable data, and lives are literally at risk if their systems are vulnerable," he says. "Health care organizations are an enormous target for cyber threat actors, and they need to realize that and they need to invest in improving their cyber posture and cyber hygiene before their organization becomes the next one in the news."
Improving cybersecurity efforts can not only save lives but also deter attacks against the sector as a whole by forcing hackers to look for more vulnerable targets, Scott says. However, the opposite is also true.
"The sector currently has a reputation for being five to 10 years behind the cybersecurity curve," Scott says. "If the culture and strategies within the sector don't change soon, attacks will increase to the point that change is impossible. Action now is better than continuous loss of life, reputation, and finances throughout the next decade."
— Juliann Schaeffer is a freelance writer and editor based in Alburtis, Pennsylvania.