On August 4th this year, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) fined Advocate Health Care Network $5.5 million for breaches of 4 million individuals’ electronic Protected Health Information (ePHI). OCR pointed out that Advocate had failed in fundamentals like security policies and awareness. In July this year, the biggest healthcare hack of 2016 occurred at Banner Health which owns 29 acute care hospitals. The breach has compromised the Protected Health Information (PHI) of at least 3.7 million people. No doubt OCR will have their legal team working on an investigation and fine soon.

The healthcare industry was reportedly the biggest target of cybercrime in 2015, which has become known as the year of the healthcare hack. According to IBM’s X-Force, five of the eight biggest healthcare breaches occurred in 2015, with over 100 million medical records lost. Moreover, the Institute for Critical Infrastructure Technology (ICIT) estimates that around 47% of U.S. citizens had some part of their PHI compromised in 2015. With breaches like Banner Health, 2016 looks likely to blow that record out of the water. One of the big issues we are seeing in the 2016 healthcare threats is ransomware, a type of malware that works to extort money from an organization. A survey done earlier this year by HIMSS Analytics found that a staggering 75% of respondents from U.S. based hospitals had been victims of ransomware. It seems that healthcare has become the poster child for cyber attacks.

The natural question to ask in all of this is, why hospitals? It used to be that healthcare was pretty low on the hit list of cybercriminals. In the Data Breach Investigations Report of 2011 (DBIR), healthcare only accounted for around 1% of all data breaches. In DBIR 2016, healthcare is one of the top industries under threat of cyber attacks. One of the reasons for this cyber security onslaught is that PHI is an attractive proposition for cybercriminals due to its value. The data within a PHI record serves more than one criminal purpose: it can be used to commit identity theft as well as insurance fraud. We are also seeing secondary attacks, like the IRS 2015 breach, where stolen PHI was used to carry out fraudulent tax claims.

The value of PHI to a cybercriminal is enhanced by the fact that hospital staff must be some of the busiest people in any industry. Being busy means that you have to focus on the job at hand, and when that job impacts people’s lives, that focus is even more important. This leaves a gap in security awareness: a gap that cybercriminals can take advantage of, and one where simple mistakes made without thinking, like the accidental loss of a laptop or clicking on a phishing link, can result in the loss of millions of patients’ PHI.

Becoming security aware, as well as building an ethos of security into the everyday working lives of hospitals and their staff, is much needed in an industry under such severe and relentless threat. Each area of the organization needs to take this on-board as part of their remit. In this article, we will look at the responsibilities across some of the key areas of the hospital.

IT Staff Responsibilities to Protect PHI

Digitization is being embraced by the healthcare industry to the point where we have seen a growth in Electronic Health Records in U.S. hospitals from 14% in 2008 to almost 76% in 2014. This puts IT staff on the front line of security. They have a responsibility to ensure that both systems and people are security aware. IT staff are also part of the team that has to abide by the requirements of the compliance acts, HIPAA and HITECH. Both acts cover the security measures needed to secure Protected Health Information (PHI).

In the case of HITECH, this act has allowed HIPAA to become more enforceable, with the effect of:

  • Adding extensions to cover associated companies outside the hospital environment;
  • Covering situations where a patient can request that their ePHI be digitally communicated to a third party from an Electronic Health Record (EHR) system in a secure manner;
  • Extending compliance requirements so that IT staff, and specifically staff involved in security and compliance, need to have a strategic and all-encompassing approach to protecting PHI;
  • Requiring IT staff to look after immediate PHI protection concerns as well as extended touch points into the system through associated bodies; and
  • Ensuring that security policies are adopted across the supply chain and with all associated parties.

IT staff can apply their security awareness knowledge and training to ensuring that IT systems are at the forefront of security mitigation techniques. Areas that challenge the IT department’s security effectiveness include:

  • Cloud computing
  • Use of personal devices (BYOD)
  • Shadow IT

Cloud computing: Security awareness can give you an insight into IT choices. For example, you may be looking to migrate PHI to an Amazon Web Services Cloud environment like many in the industry are currently doing. Choosing a cloud system to store PHI requires a close look at the effectiveness of security measures such as access control, authentication, encryption, and secure communication protocols.

BYOD: In terms of personal devices, such as smartphones, the Bring Your Own Device (BYOD) revolution is hitting the healthcare industry. In a recent medical study based in the UK, it was found that around 92% of doctors and 53% of nurses said that their smart devices helped them in their clinical duties. In a 2012 Manhattan Research/Physician Channel Adoption Study, it was found that 87% of doctors used mobile devices in the workplace. Phishing is also a major problem in hospitals, as phishers use whatever brings in cash, from specialist payroll phishing scams to credential phishing which gives them the keys to the database storing patient ePHI.

Shadow IT: The cross-system, multi-vector nature of modern cybercrime makes the responsibility of IT for security threats a challenging job. It requires full knowledge and understanding of who is using what and where. IT staff need to have full awareness of the extended nature of their network and the residence of ePHI. Coupled with this, they need to understand the nature of modern cyber threats on that PHI. Without this understanding, they will struggle to protect PHI data.

IT Security Staff and Security Awareness Training

Security awareness is not a static state. The underlying knowledge about cyber threats and the security landscape changes as the cybercrime game itself changes. The first rule of thumb for IT staff in healthcare is to keep on top of cybercrime trends. Security awareness training is an ongoing process and one that starts with the IT security staff. These individuals are best placed to know the threat landscape and be up to date with key issues. They should ensure that staff on the front lines are trained in issues that will impact the organization as a whole. Understanding the threat landscape will allow IT professionals, and in particular IT security staff in a healthcare environment like a hospital, to help in developing security awareness training packages for staff across the establishment. This is likely to include education around topics such as being able to recognize phishing attempts. It can also include understanding the importance of simple best practices, such as not writing a password on a post-it note and not leaving workplace laptops and mobile devices unattended outside the premises.

Help Desk Responsibilities to Protect PHI

Help desks have a special role in the overall security landscape of healthcare. Like any part of an IT system that has direct human touch points, social engineering is a major threat. Help desk operatives are well-known for being a security attack point. In the DBIR for 2015, help desk operatives were in the top ten insider threats, with healthcare being in the top three industries suffering from these types of threats. A help desk has a number of areas that present attack weaknesses. Depending on the role of the help desk, these can range from credential recovery attacks, to direct leakage of PHI. Typical areas of concern over help desk security include:

Social engineering: A help desk that is configured to recover lost credentials, for example, has the potential for the operator to divulge usernames and passwords to callers. To prevent this, stringent anti-phishing checks need to be incorporated into the design of the credential recovery methods used in the help desk. Even with those checks and measures in place, help desk phishing can still happen, and the only way to have a 360 degree management of help desk phishing is through phishing awareness training offered to help desk operatives and administrators.

Accidental disclosure of PHI: This can happen in help desk systems that do not have robust identity checking of callers. However, the identity checking process carried out by an operator to find a user in the system can also leak data, especially over time. Help desk operators need to ensure that PHI is not divulged this way.

Rogue help desk operators: It is possible for a help desk operator with malicious intent to build up a profile of a user. This is especially true if certain types of security questions are asked during identity checking. Getting the balance right between revealing too much identity data to an operator, and not enough to get a match, is tricky. Microsoft research into security questions is quite revealing, showing that 13% of answers could be easily guessed by anyone.

Ultimately, help desk operators are in a prime position for potential PHI access, and as such need to be fully aware of the security implications of their actions and of the outcome of phishing attempts. In addition, their use of a help desk, even a well-designed one, should always be monitored.

Leadership Responsibilities to Protect PHI

Security should be a top down, bottom up process. It impacts everyone. However, hospital leaders have special responsibilities and, by definition, can have a higher impact on cultural changes like security awareness within an organization – healthcare or otherwise. In a 2016 Ponemon study into risk management, they described a process of cultural change coming from a positive ‘tone at the top’. In other words, a top down approach to communicating core values of security and risk management is more effective, with 41% of respondents expecting this change to come from C-level. In the case of hospital staff, this includes medical directors and heads of department. Leadership, across all parts of the organization, is vital in getting everyone on-board with a culture of security. Because the security of PHI impacts not just patients, but the hospital and staff as a whole, medical directors and chief nursing officers must make room in their busy schedule to encourage positive security attitudes amongst their staff.

General Medical Staff

All of the staff working within the hospital are potential security weak points. Individuals are targeted in ransomware and other phishing attacks, and as such require security awareness training as part of their general, on the job, training commitments. The top down approach to applying training procedures, coupled with a highly aware IT staff, can be used to create highly effective and integrated training programs. These should not impact the normal working conditions of the staff, but instead become a seamless part of their everyday role and tasks. Security awareness needs to be inherent, almost instinctive: something that you are aware of yet does not need deep thought. Good security awareness training will become second nature for hospital staff so it is naturally incorporated into their daily tasks, allowing the protection of PHI as a default position.

Keeping PHI Healthy

It used to be that the main objective of healthcare staff, like doctors and nurses, was to protect our lives. That is still true, of course. However, today they also have to be aware enough to protect our personal data. Cybercriminals are looking for any opportunity to get under our skin. They have recognized that hospitals are a weak link. Busy staff and a lack of IT resources make for the perfect storm as far as cybercrime is concerned. The massive onslaught of ransomware attacks and the breaches of PHI, most often initiated through social engineering channels like phishing, show that hospitals are well and truly in the sights of the hacker. To manage this situation, hospital staff have to work together in a symbiotic ecosystem, building a culture of security through security awareness training. Only through education and vigilance can we prevent the level of attacks against PHI currently being felt across our healthcare system.

Be Safe

Section Guide: Ryan Fahey

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
