Protecting Data in the Healthcare Industry


An analysis of the healthcare industry highlights a significant number of trends that are converging to increase data privacy and security threats. Let's review those trends briefly.


As with the rest of the world, healthcare organizations are shifting various workloads to cloud services. As a consequence, healthcare professionals are using cloud-based file-storage and sharing services, cloud-based electronic health records services, and various cloud-based services for exchanging healthcare information between providers and other players in the industry. MarketsAndMarkets forecasted a tripling of cloud expenditure within the healthcare industry from 2015 to 2020 [i], while HIMSS Analytics has tracked significant uptake of many types of cloud services by healthcare [ii], with health information exchange and back-office solutions the leading current workloads in the most recent survey. The use of cloud services introduces a shared-responsibility security model, the need for new ways of securing sensitive information, and many new potential points of failure in security processes.


The impacts of phishing and ransomware cyberattacks are getting worse across the world, and are having significant negative impacts specifically in the healthcare industry; Verizon has found that the healthcare industry is the second biggest target for ransomware [iii]. SonicWALL reported that ransomware attacks grew from 3.8 million in 2015 to 638 million in 2016, a growth of 167 times in one year [iv]. Symantec tracked 4,000 ransomware attacks per day in the first quarter of 2016, a 300 percent increase year-on-year [v]. Malwarebytes noted the increased use of ransomware in various malicious forms, with its share of malicious payloads growing from 20 percent at the beginning of 2016 to 67 percent by November [vi]. It has also been estimated that up to 1,000 new variants of ransomware are being released, creating an incredibly challenging environment for organizations of all kinds. When ransomware affects healthcare organizations, lives are at immediate risk.

In terms of the healthcare industry specifically, consider the following:

  • Verizon found that 72 percent of malware incidents in the healthcare industry are actually ransomware incidents [vii].
  • IBM X-Force Cyber Security found that healthcare was the most attacked industry during all of 2016 [viii].
  • Cybersecurity Ventures said attacks in the industry were up 35 percent from 2015 to 2016 [ix].
  • NTT Security reported that 88 percent of all ransomware attacks from April to June 2016 were focused on healthcare organizations [x].
  • NTT Security reported in May 2017 that healthcare was the third most likely industry to be targeted by ransomware, with business and professional services in first place and government and government agencies in second [xi].
  • The WannaCry ransomware attack in May 2017 was a broad-based attack across the world that infected more than 200,000 computers in more than 100 countries, but had headline-grabbing implications for hospitals across the United Kingdom, with 61 NHS organizations affected. Affected healthcare organizations had to divert inbound ambulances to other facilities, cancel surgeries, and re-schedule diagnostic tests and routine operations. A leading cancer hospital in Indonesia was also affected by WannaCry, causing healthcare professionals to revert to manual forms and workflows.
  • There have been some suggestions that ransomware is becoming more insidious too, with the ability to increase the ransom payment depending on the type of information stored on the infected device. For example, the ransom can increase significantly if medical records software is identified prior to the encryption process beginning.

Finally, with reports that ransomware is now available "as a service," with proceeds from the criminal undertaking being shared with the ransomware developer, it is no surprise that the threat is greatly elevated. And, as various healthcare organizations have discovered to their detriment, it takes only one employee to mistakenly download a malicious document.

As an example of ransomware-as-a-service, a hospital that serves patients in southwest Washington and Oregon fell victim to a spearphishing email that included a shortened URL. Clicking on the link redirected the user to a cloud-based storage site that allowed them to download a well-crafted and realistic-looking malicious .docx file. Clicking on any of three icons in the document triggered JavaScript that executed a variant of the Philadelphia ransomware, available for just a few hundred dollars [xii]. It takes only a single employee to mistakenly download the document and potentially infect an entire healthcare system.

Phishing, spearphishing, and CEO fraud, all variants on the theme of delivering a malicious payload or fraudulent request via email, are becoming more common and more damaging.

  • A basic phishing attack casts a wide net hoping to ensnare as many people as possible using forged emails and malicious attachments that most people expect to receive, such as shipping notifications, password change notifications, account notifications (such as PayPal or Amazon), and friend requests.
  • Spearphishing is a more targeted attack on a specific group of people, with attached malicious documents or embedded malicious links that are carefully crafted to look valid to the recipient; the GoldenEye spearphishing campaign, for example, targets German-speaking people in HR departments with a malicious Excel spreadsheet. With the many social networking services available today, such as LinkedIn and Facebook, a cybercriminal can piece together connections between people and craft a very believable message with a valid-sounding document attached to catch the unwary or distracted.
  • CEO fraud (also commonly called whaling or Business Email Compromise [BEC]) is a phishing variant that goes after the "big fish": those with access rights to confidential data or the financial authority to transfer funds. A common approach is a forged email from the CEO to the CFO requesting a confidential transfer of funds to a specified bank account in light of a new venture, acquisition, or other initiative. The email is often specifically crafted to replicate the writing style and tone of the CEO, along with a demand for absolute secrecy.


Despite all of the regulatory requirements around data privacy, security, and preventing breaches of personally identifiable health information, data breaches have become all too common across the industry. For example, the survey conducted for this white paper found that 17 percent of the organizations surveyed had suffered a breach of healthcare-related data during the previous 12 months.

The 2015 data breach at Anthem saw the theft of medical records for more than 80 million people [xiii], while the breach at Premera, from 2014-2015, resulted in medical records for some 11 million customers being stolen [xiv]. One analysis of the US Health and Human Services data breach database found an increase from 268 data breaches in 2015 to 328 separate breaches in 2016, with more than 16 million health records of American citizens being affected [xv].


Ransomware, phishing, and data breaches all compromise core healthcare systems, which immediately undermines the ability of the healthcare organization to deliver standard and emergency care to patients. It can be a matter of life-and-death when doctors can't access a patient's healthcare record, a hospital has to turn away patients onboard an ambulance, nurses have to revert to manual processes they haven't been trained to use, the pharmacy can't get timely alerts for new prescriptions, and medical devices are locked and inoperable. These are all life-critical situations, and patients, their families, and regulators expect near-perfect uptime and availability.


For hospitals that have been compromised by ransomware, there are ongoing reputational and brand risks. For example, the Hollywood Presbyterian Medical Center was infected with ransomware in early 2016, and ultimately paid nearly $17,000 in Bitcoin to regain access to its own systems. The hospital was effectively out of action for 10 days, resulting in lost revenue. The longer-term reputational impacts linger, however; for example, a Google search for the hospital puts the ransomware episode in four of the first 10 search results, leading potential patients and others to wonder whether its healthcare performance is any better than its competence in IT. Likewise, regardless of the great work done at the California-based health system, the impact of its recent $2.14 million fine for HIPAA security and privacy violations and the $28 million settlement of a class action suit will linger for a long time.

With mandatory data breach notification requirements in an increasing number of jurisdictions, healthcare organizations have no choice but to tell the world when their security systems are inadequate. Data breaches and ransomware infections affect the value of the brand, and can have negative goodwill implications in a merger or acquisition. While not a healthcare example, consider the $350 million discount Verizon received on purchasing Yahoo! after the disclosure of two massive data breaches at Yahoo! spanning many years [xvi]. Perhaps it is no surprise that, according to Bitdefender last year, a majority of US organizations would rather pay a hidden penalty fee than have the details of a data breach go public [xvii].


Security controls across the healthcare industry have received insufficient funding over many years. In England, for example, the government has diverted capital funding set aside for buildings and new equipment to pay for day-to-day services, such as Accident & Emergency departments [xviii]. This has made it more difficult for NHS organizations to deploy the necessary preventative measures. In the United States, HIMSS Analytics and Symantec report that 80 percent of healthcare providers spend less than six percent of their overall IT budget on security, and 50 percent spend less than three percent [xix]. This compares with 16 percent for the US Federal Government. Other research studies have highlighted that security is an afterthought for many healthcare organizations, with some hospitals failing to deploy even basic security measures such as intrusion detection, security assessments of current infrastructure, and the ability to remotely wipe lost or stolen devices. The US Department of Health and Human Services has called out the general lack of encryption across the industry, stating that some 60 percent of healthcare data breaches since 2009 could have been avoided if the data had been properly encrypted [xx]. It's a sad state of affairs.

The survey conducted for this white paper found that most organizations either do not use encryption/tokenization of healthcare-related data at-rest, or they do not do so for all of their systems and applications.


The final trend of note is the growing number and complexity of communication and collaboration tools being used across the sector. As with other industries, workers face an onslaught of interaction requests and demands through email, social media, new enterprise collaboration systems, texts, and mobile device apps. Workers on the front line of delivering healthcare trust that these systems are secure and reliable, but that trust is often misplaced: these tools are frequently used for malicious purposes masquerading as legitimate ones.

Key Cyber Security Risks for Healthcare Professionals