KEY CYBER SECURITY RISKS FOR HEALTHCARE PROFESSIONALS
The environment in which healthcare professionals work is fraught with cyber security risks. This creates a very challenging workplace to protect. Let’s look at the risks.
Large attack surface
Medical care is no longer the domain of the generalist, but rather a complex collaboration between multiple medical specialists working for different organizations and interacting using disparate IT systems. Healthcare organizations span multiple geographical locations once different hospitals and outpatient clinics are accounted for. A modern hospital can have thousands of workstations, specialist medical devices running embedded operating systems, specialist medical software, mobile devices, and both on-premises and cloud-based services. Shared workstations are used by an ever-changing roster of healthcare professionals, and the urgency of the work means that generic user credentials are often used rather than individual user accounts. This leaves systems wide open and makes it impossible to attribute actions to an individual. With the push to interoperable electronic health records, sensitive patient data is continually flowing in and out of healthcare systems. These factors add up to an increased risk of being compromised, hacked, or breached.
Phishing and Spearphishing
Phishing and spearphishing are very common ways of distributing malicious email attachments and web links. The banality of the subject matter in phishing, and the assumed validity of a targeted spearphishing message, can make it difficult for time-pressed and stressed workers to identify when something isn't quite right. When the resulting infection is an advanced persistent threat that lingers undetected for many weeks or months, the damage from these threats is significant.
CEO Fraud, BEC, Whaling
Carefully crafted emails that target the C-suite with spoofed addresses and calls for confidentiality can lead to a CFO transferring money to a criminal's account without being aware of the misdeed until it's too late. If, on the other hand, the attack establishes a persistent foothold on an executive's system, then given the generally wide access rights to data and systems held by senior executives, the threat of data breaches of health information, loss of corporate secrets, and extortion is high.
Ransomware
Ransomware is a significant threat to the data and systems of all organizations, but especially threatening to healthcare organizations due to the life-and-death consequences of not being able to run a hospital or other facility. With modern forms of ransomware able to not only infect the first machine but also automatically sniff out other vulnerable targets across the network, healthcare professionals can't afford to be the one person who gets it wrong. While medical records are among the most valuable data for sale on the black market, ransomware gets criminals an immediate payoff without having to sell anything.
Healthcare records contain all of the data points on an individual that are needed for identity theft, in addition to financial, tax, insurance and medical fraud. The healthcare industry has an abysmal track record in protecting patient data, with tens of millions of healthcare records breached in 2016 alone.
Malware and viruses
While ransomware currently gets all the attention as the weapon of choice by cybercriminals against healthcare, other forms of malware and viruses are just as pernicious. The widespread use of older operating systems that are unpatched due to their use within medical devices, vulnerable software plug-ins that have not been updated in a while, and medical devices that have not been security tested let alone hardened, provide an attractive target for infection. Even if the threat is not immediately triggered, a malware infection that lies dormant pending a future date or event should be ringing warning bells across the industry.
Data breaches and loss of patient data
Not everyone working for your organization is an honest and upright healthcare professional, dedicated to patient health and furthering the impact of the organization: some are hiding nefarious intent. These malicious insiders know where the juicy data is stored, and may have elevated access privileges to the same systems, leading to data breaches and loss of patient data. It isn't just malicious insiders that are dangerous, however; more often it is the simple carelessness of well-intentioned workers who leave laptops logged in but physically unguarded, fail to lock a file cabinet when no-one is around, email a spreadsheet with PHI to the wrong party, or leave paper-based records spread out for others to see and steal. Endemic attributes of the industry are also to blame, such as failing to use encryption, not using unique usernames and passwords, failing to enforce logout, and not limiting concurrent user sessions.
Insider threats and the need for employee vigilance
With healthcare professionals covering a diverse range of specialist fields and having specialist IT system requirements, it can be difficult to identify the bad actor in the mix. When someone saves healthcare records to a different location on the network, for example, is that for a valid healthcare reason or because the person is in collusion with criminal outsiders for data exfiltration? When professionals don't follow healthcare industry requirements around user credential security, is that just a convenient way of getting work done faster, or carelessness that leads to unauthorized access of sensitive information and the next great data breach on the front page of the newspaper?
Users are a weak link in the security infrastructure
Healthcare workers have hectic schedules, work in life-and-death situations, and face significant change in systems and industry regulations. They are also, as in most other industries, the leading cause of security breaches at the workplace. Current approaches to security training are not adequate: it is not frequent enough, it is divorced from day-to-day practice, and it doesn't register as a sufficiently important part of healthcare practice. Healthcare professionals don't believe a ransomware infection or data breach will happen on their watch, and too often believe the best of others rather than being sufficiently skeptical to smell the proverbial rat. Healthcare organizations tolerate lax security standards, such as not enforcing strong passwords and automatic logout, and the general lack of investment in security over many years does nothing to create an environment where user-focused security is important.
Difficulties in managing healthcare systems
While every large organization faces challenges with keeping IT systems up-to-date, there are several factors at play in healthcare organizations that make it an especially difficult task. Medical devices, for example, are expensive to purchase, require re-certification after being updated, and are likely to break when updates and patches are applied. Likewise, specialist systems can be rendered inoperable when patches are installed, leading to a reluctance to fiddle with something that's actually working. Equally, the industry push to EHRs has consumed much of the discretionary IT staff resources and IT budget, leaving fewer staff available to develop the required expertise for cyber security. Despite these mega-risks, various research efforts have shown that even the basic things aren't being done: inactive user accounts are not removed, encryption is not used, and default passwords are left active on databases that hold sensitive patient data.
Cyber criminals are focused on stealing healthcare records
Healthcare records are a particularly attractive target for cybercriminals, since they hold almost all of the information required for identity theft, social engineering, financial fraud, tax fraud, insurance fraud, and medical fraud. IBM's X-Force Cyber Security research stated that some 100 million patient records globally were breached in 2015 [i], and the number of reported data breaches within the sector continues to rise. Research by the Ponemon Institute pegs the value of healthcare records at US$402 per leaked record,[ii] which is more than 10x the price of other breached data records on the black market. In the same vein, Dell SecureWorks says that health records are 10-20x more valuable than credit card data; [iii] while credit cards can be easily changed when fraud and unusual transactions are identified, the immutability of many of the sensitive data attributes in a healthcare record offers no such recourse. That is, you can't change your birth date or birth city, two data attributes that are used for all sorts of transactions.
Third parties can be compromised
Despite the best efforts of any one healthcare organization, the entire industry is at risk. With EHRs connecting organizations and the government across the entire healthcare delivery chain, if third parties have not sufficiently protected their systems, data you are responsible for may be compromised regardless of the precautions you have taken directly. While HIPAA and subsequent updates put the burden of responsibility on the covered entity to ensure business associates and their subcontractors have adequate protections in place, it's an even more complex environment when multiple covered entities and various government agencies have intertwined data sharing mandates.
Staffing models can create security and data management problems
Volunteers and rotating staff members can create security and data management problems in healthcare organizations. For example, the "helpful person" from the community who is not adequately trained on IT security but uses a hospital computer during their lunch break to check their web-based email may inadvertently be the source of a ransomware infection.
Mergers and acquisitions create security risks
Healthcare organizations are not static entities, with mergers and acquisitions offering the promise of growth and financial reward. Bringing together healthcare providers with disparate environments causes security issues, including new cross-system vulnerabilities, outdated medical devices, and different models of access control. Organizations may find themselves managing multiple Active Directory forests and email services, which over time becomes complicated as the two organizations merge daily operations and cross-organization access control rights are necessary. While consolidation is critical to IT efficiency, application availability, data security and regulatory compliance, these initiatives are often delayed due to lack of budget and resourcing.
Best Practices For Cyber Security Defenses