2015 was the year of the health care security breach. Nearly 100 million electronic health records were compromised, according to a December 2015 IBM Security report, blowing away the number of data breaches that occurred in the computer services and financial sectors.
The increase in stolen records was staggering, says John Kuhn, senior threat researcher at IBM Managed Security Services. Between January 2011 and December 2014, health care accounted for just 0.63 percent of the records compromised across all industries, the IBM report found. That figure ballooned to 33.6 percent for January through October 2015.
“Last year, it seemed like criminals finally caught on to the value of this data,” Kuhn says. “When you think about health care records, that’s your entire life — your health history, your address, your past addresses, your Social Security number — everything.”
That’s why medical records fetch $50 or more on the black market, compared with a dollar or less for credit card numbers. “Credit card data expires,” Kuhn explains. “Health care data is yours for life, and that’s why they’re after it.”
Insurers experienced the largest number of health care breaches last year, but hospitals were not immune. The Healthcare Information and Management Systems Society surveyed 297 security professionals for its 2015 Cybersecurity Survey, mostly from hospitals. Sixty-eight percent of respondents reported that their organizations experienced a significant security event in the recent past. Sixty-four percent said the cyberattack was carried out by somebody outside the organization.
Cyberattacks come in several forms. The term hackers commonly refers to programmers or engineers who have an expertise in computer technology and can penetrate a security system. Social engineering involves conning a business’s employees into inadvertently providing information that allows the bad guys to get past privacy mechanisms. Nation-state actors work for foreign governments to obtain digital information on a rival country’s agencies, defense programs and major businesses. Hacktivists do all of the above to promote a social or political agenda.
The most common online attack in health care is called phishing and often involves an email that appears to come from a legitimate organization, such as a bank. The email includes a link to a convincing-looking but fake website. The purpose, as always, is to obtain confidential information, in this case, primarily credit card data. Last year, phishing accounted for 36 percent of external attacks on online health care data.
Phishing has become much more sophisticated in the last couple of years. Gone are the days when someone half a world away would send an email promising — usually in poor English — that the recipient would earn millions of dollars for helping the individual out of a financial or legal problem just by sending along personal financial account information.
Nowadays, the message could look as though it comes from the hospital president, the facility’s parent company, the help desk or the human resources department. “It has the official logo, looks very professional and might have graphics,” says Lee Kim, director of privacy and security for HIMSS North America. “You can’t necessarily tell by quickly glancing that it’s phishing.”
Hospitals are stepping up to the challenge. Eighty-seven percent of the HIMSS survey respondents said cybersecurity increased as a business priority in the past year. They’re using a combination of technology, policy and training to lessen the chances that bad actors will succeed, and they’re formulating plans to mitigate the damage if they do.
Technology as a barrier
When it comes to phishing, some older technologies continue to be crucial prevention tools. Strong spam filters that can be updated quickly and easily as new threats emerge are essential, as are firewalls and malware.
At Munson Healthcare in Michigan, 95 percent of all external emails are filtered out immediately because they’re either identified as spam or malicious, says Ryan Winn, information systems director of security and privacy. Nevertheless, a bad email occasionally gets through because vendors haven’t yet added it to their spam filters.
That vulnerability means the old tools are no longer enough. “There are other technologies that you put in place [to create] a multilayered defense,” says John D. Halamka, M.D., chief information officer for Beth Israel Deaconess Medical Center, Boston.
Criminals often count on victims to click on email links to sites that either are laden with malware or that encourage the person to enter his username and password. “Spam filters and virus detection look at emails for content; often the content may be fine but the link that you click is actually to a known virus site,” Halamka says. So Beth Israel Deaconess uses a third-party service that screens the URLs employees click on and only allows access if the website is deemed appropriate and safe.
Prevention tools are just one weapon in the technology arsenal. Increasingly, hospitals are turning to detection tools, which spot intrusions. In the HIMSS survey, 64 percent of security professionals said they use audit logs of each access to patient health and financial records. Nearly 55 percent have intrusion detection systems and 49 percent use network monitoring tools.
Munson uses monitoring software and runs audits that look for a variety of suspicious activities. “If someone were to log in and start randomly looking at patient records, we’d find them pretty quickly,” Winn says. “If you assume you’re OK but you’re not monitoring for it, you just can’t state that you’re doing your job from a HIPAA perspective.”
Alerts allow his department to quickly investigate and act if an intrusion occurs. Winn estimates that a warning fires every other day. “Most of the things we investigate turn out to be nothing, but we look at every alert that pops up and try to make sure there is no deeper issue,” he says.
An essential part of network security is knowing where all the data are. Patient data could be on a number of information systems, on hard drives, laptops and phones. “If you don’t know where the jewels that you’re trying to protect are, it’s very difficult to protect them,” Kuhn says. “It’s a matter of getting granular visibility into the network.”
Controls on access to information based on user need also protect patient and financial information in the case of a breach, Halamka notes. A criminal who successfully scams a hospital maintenance worker, for example, still won’t have access to patient data if strong user controls are in place.
User privilege controls, called for under HIPAA, are especially important because criminals have started targeting hospital executives in sophisticated phishing schemes, a practice known as whaling. At Beth Israel Deaconess, the CEO doesn’t have access to clinical data, so a phishing scam directed at him won’t net patient medical records. Similarly, the chief medical officer doesn’t have access to the financial systems. “We do everything we can to segregate access to data based on role,” Halamka says.
Learning to see through a scam
No matter how good a hospital’s technology is, it can’t prevent bad emails from slipping through on occasion. So, employee education is an essential part of hospitals’ information security efforts. “We have 7,500 people with mailboxes, and one of them making a mistake one time winds up being a lot of work to address,” Winn says.
In December 2015, an employee fell for a phishing email. The victim’s account sent out 600,000 spam emails, and Munson temporarily was put on email blacklists. No patient information was compromised, Winn says, and Munson increased its internal communication to heighten awareness.
Regular training is essential for staff. “It’s not just education of the type that is one time and that says, ‘don’t open suspicious emails,’” says AHA Assistant General Counsel Lawrence Hughes. “It really goes beyond that and helps people understand and identify potential phishing emails, and understand what to do if you were to receive one.”
Teaching email users to report suspicious emails to the IT team enables the team to trace the problem and build in protections for the whole organization, Hughes adds.
A big goal of the training is to get email users to take the time to check for signs that messages might be phishing schemes. “We all get hundreds of emails a day, and we’re all very busy and running a million miles per hour,” says Sheryl Rose, vice president and chief information security officer for Catholic Health Initiatives. “What we continually reinforce to our user base is to slow down, to be cautious and look, even if it may seem like a benign item coming from a senior executive. If you really look, you’ll find something.”
Information security education should include anyone who has an email account. Don’t overlook interns and volunteers, Kim cautions. Training should start at onboarding and continue with regular refreshers.
Kim recommends that education include tips that people can integrate into their daily workflow, as well as real examples of phishing emails.
Beth Israel Deaconess over the past two years has developed an education program called Keep It Private. It involves more than 100 coaches whose job it is to communicate, educate and lead by example. “It’s an army of those who educate our entire workforce about the dangers of phishing, spear phishing, social engineering, and the things you should never do, like respond to an email with your password, give out your credentials over the phone, or download games onto your iPhone and then use it to access patient-identified information,” Halamka says. “Technology, policy and education provide the layers of defense.”
Some hospitals conduct mock phishing exercises to reinforce lessons and keep users engaged. Beth Israel Deaconess uses a third-party firm for its exercises. Start with a good test, but one that isn’t too tough, Halamka recommends, perhaps an email with a spelling error or two, a grammatical error or two, and a URL with some identifiable problems.
“If the email is crafted beautifully, you’re basically trapping people, as opposed to teaching them,” he says.
When a staffer falls for the fake email, he gets more education. As exercises continue, the mock phishing emails get more sophisticated to sharpen users’ skills.
Mock phishing doesn’t just heighten vigilance among email users, it also helps hospitals to track whether training is working. “Security awareness training is great, but when you put it into action, that’s where the proof is in the pudding,” Rose says.
If bad things happen anyhow
Unfortunately,the best technology and education doesn’t guarantee that a criminal will never be able to breach a hospital’s defenses. Hospitals need to have response plans in place to deal with incidents as quickly and efficiently as possible. “You need a team that can do triage, figure out what’s going on, stop the data bleed, rectify the damage, mitigate the loss and get back to normal,” Kim says.
At Munson, the formalized data breach response plan allows for some interpretation on the front end, depending on how big the incident is and what data the criminals are targeting. The 15-member team of responders — from IT, legal, safety, administration and other departments — runs breach drills twice a year. The goal is “to make sure we’ve got the right people in the right places doing the right things,” Winn says.
The health system also has cyber liability insurance in case it has a major incident. The insurance helps to cover expenses associated with a breach, estimated to reach as high as $363 per health record by Ponemon Institute, an IT research firm. The liability insurer also provides a variety of resources, Winn says.
Response to a big breach could require quickly setting up a call center; disclosing the incident to patients, government and the media; and bringing in extra legal expertise and digital forensics experts. “Those are not things that most health care systems have in house, especially one that’s Munson-sized,” Winn says. “Cyber liability insurance is one of the things that helps me sleep a little better at night, knowing that if something really bad were to happen, I’ve got resources to work through it.”
In 2014, Franciscan Health System, based in Tacoma, Wash., fell prey to a phishing scam. A small group of employees responded to emails they mistook for legitimate requests from the system’s parent company, CHI. Information on more than 8,000 patients was exposed.
Rose declined to discuss any changes CHI made in response to the Franciscan breach. But, she says: “The No. 1 important thing is to learn from a particular event and enhance and implement what you need to for that event. Don’t go too macro — be very particular about what you enhance or implement from a control perspective.”
Cyber criminals go to work every day, just like the hospital workers who are trying to protect their institutions from them. “You feel like you’re constantly playing catch-up or chase,” Rose says.
Winn expresses a similar sentiment. “It never stops,” he says. “It’s exhausting to watch all of these activities going on constantly.”
Geri Aston is a contributing writer for Trustee.
Cybersecurity questions for hospital trustees to ask:
- Does the hospital have a plan in place that covers all aspects of cybersecurity, not just those associated with personal health information? If so, generally, what is that plan?
- Who in executive leadership is responsible for cybersecurity? Is the same person in charge of responding to cyber incidents?
- When will the board be notified about cybersecurity intrusions or breaches? Who will be notified?
- Is there a board committee that is responsible for cybersecurity? How often will it be briefed on cybersecurity matters? How often will the full board be briefed?
- Does the hospital’s insurance cover cybersecurity incidents? If so, is the coverage sufficient? If not, is cybersecurity insurance warranted?
- Has hospital leadership considered whether to implement the National Institute of Standards and Technology’s Cybersecurity Framework and what it would mean for the hospital and its approach to risk management?
Source: “Cybersecurity and Hospitals: What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response,” American Hospital Association, August 2014
What is phishing? An electronic communication from what looks like a trustworthy source that seeks to obtain victims’ sensitive information — computer username and password, or credit card, Social Security or bank account numbers — for malicious intent.
What is spear phishing? Phishing targeted at specific individuals. Attackers first gather intelligence about the target to make the deception more believable and increase the likelihood of success. The criminal might connect with the victim on social media to glean information and foster trust.
What is whaling? Spear phishing targeting a high-profile person, such as a hospital executive.
What are phishing’s telltale signs? Although phishing emails have become more sophisticated, some criminals still make spelling and grammar mistakes. More subtle clues are URLs with spelling errors or the wrong domain — .com versus .org, for example.
Medical record theft: Cybercriminals steal patients’ medical records to sell them on the black market.
Medical identify theft: Criminals use patients’ stolen medical record information to gain personal access to medical treatment, to acquire prescription drugs for personal use or sale, or to make false claims against patients’ insurers.
Identity theft: Criminals sell or personally use employees’ or patients’ credit cards, bank and/or Social Security numbers to open and max out credit cards, clean out bank accounts, and commit tax fraud.
Industrial espionage: Criminals steal a hospital’s intellectual property in areas such as medical technology innovation, clinical research and business practices.