Security concerns are growing exponentially in healthcare, as hospitals become the most financially lucrative targets for cyber-attackers. In 2015, one in three Americans had their health records breached and this number is predicted to continue to increase as the number of data entry points to a patient’s medical record grows. For every opportunity for automation, there is also an increased security risk. Over the past year, there have been several types of visible cyber-attacks on health systems in the United States and federal agencies are taking notice. The main reason for the increase in cyber-criminals targeting the healthcare industry is for the ease with which hackers can pull vast amounts of personal data from aged systems that lack necessary security features.
Stolen Financial Data
Notable Example: Anthem
The first category of visible attacks on hospitals in the United States is stolen financial data. In 2015, hackers accessed personal information for 80 million customers and employees and stole tens of millions of records. It was recorded as one of largest data breaches of healthcare information discovered in history.
Most experts believe that Anthem was targeted specifically by elite criminal groups because healthcare databases contain all the relevant data points to also steal financial data. It is not uncommon in the healthcare industry for a patient’s health information to contain the Social Security number, address, and insurance IDs. This level of information is so highly sought after that it often can be sold for 10 times the dollar amount that stolen credit card or Social Security numbers alone would be sold on the black market.
The data breach was discovered when an employee (a systems administrator) noticed that a query attached to his name was running in a database that he had not initiated. Upon further inspection, it was clear that Anthem’s systems had been infiltrated by an attack that quietly blended into the background. Ultimately, millions of names, addresses, phone numbers, emails, birthdays and Social Security numbers were exposed. All data was copied to a web service built to store the massive amount of data. Although this service was immediately frozen to prevent further exposure, there was no way to know if data had already been copied to another more secure location.
In situations like this, criminals will work over a large period of time to engineer and deploy an attack where the goal is to quietly penetrate the network. This will often be completed by copying existing users’ normal activity in a way that allows them to pull data slowly over a period of time. Because the attack mocks normal activity, it can steal data for months or years before security programs or IT teams realize what is happening. Although cyber-attackers are pulling down all patient data, they usually do not need it or want it. Because they need to remain quiet in the background, complex queries will not be used. The simplicity of the attack does not allow differentiation between patient information and financial data points.
Because of the financial payoff of being able to access concentration of data, large providers, insurers, or vendors will continue to be at risk for an attack. Because of the risk, organizations should be looking into the latest security options like deception technology. It places decoys throughout a network, intermingled with the live technology resources. To an outsider, it looks like any other piece of technology that a provider is using. As soon as one of the decoys is touched, the security team is alerted that a breach is taking place and remediation activities can automatically be kicked off. This will prevent scenarios like Anthem where data was exposed for months before it was discovered.
Notable Example: Community Health Systems
The second category of visible attacks on hospitals in the US comes from cyber-criminals targeting personal data in order to participate in insurance fraud. Patient data like diagnosis codes, billing information, policy numbers, and birth dates is all that is necessary to file fake claims with an insurer, resulting in reimbursement for services never provided. It may also be used to make false IDs that can be used to buy illegal drugs for personal use or medical equipment that will be resold.
Often, the victim will discover that their personal information has been used frequently to receive health services. The bill will not be paid and eventually is received by a debt collection agency. The third party will approach the victim to collect payment only to discover that the individual never received care. Because of how long it can take for a patient to discover that their information has been stolen, the credentials can be used for months before it is shut down which makes it more valuable than a stolen credit card which is usually discovered quickly.
In 2014, Community Health Systems reported that Chinese hackers had stolen patient data from 4.5 million individuals. Sophisticated criminal groups from China target health systems like CHS with the sole intent of taking patient data and selling it at a premium price to outside parties who could use it to commit insurance fraud. Sophisticated malware software, which probably took advantage of a test server lacking the proper security features in place for internet connectivity, was used to copy patient data of any patient that had received services or been referred for services. Because the appropriate security measures were not in place, hackers were able to locate VPN credentials found within the test server and then log into CHS’s infrastructure. Many believe that complacency is ultimately to blame for the security breach and that it was completely avoidable with appropriate policy and procedures as well as frequent audits to evaluate risks.
In order to avoid situations like this from happening in the future, implementing the deception technology previously mentioned is recommended. Additional measures that allow for infected resources to be automatically isolated when discovered would prevent malware from spreading. This is important because of the way a system is connected through EHR applications and medical devices to the main network.
Understanding the importance of implementing programs that automatically identify and isolate potential attacks can be an expensive endeavor, so it is critical that healthcare organizations begin proactively investing in the necessary technology instead of making it an afterthought in budget planning. There is a significant cost to an organization when a breach occurs, but hospitals continue to spend a low percentage of their annual budget on cybersecurity. This has to shift in order to prevent incidents from occurring.
Notable Example: Presbyterian Medical Center
One of the more common types of attack occurring in 2016 has been ransomware. When this occurs, a hacker infiltrates the network and accesses data. It is then copied over and encrypted. Once encryption is complete, the original data will be deleted and data will be inaccessible until a ransom is paid. This usually results in an inability to access the EHR while the application is locked down; any communication has to be completed via telephone calls or faxes, resulting in an overall delay in patient care.
This recently occurred at Hollywood Presbyterian Medical Center in February 2016. Hackers used malware to infect the computers at the facility and stopped communication between devices. They demanded a ransom of $17,000 to restore their applications back to fully functional. Physicians were unable to access medical records for more than a week and they were forced to utilize paper record keeping until the facility ultimately paid the requested amount. While Hollywood Presbyterian stated that patient care was not impacted, patient history could not be viewed and test results could not be shared from lab work, X-rays, and more. It is believed that this occurred because an employee opened an infected email or downloaded the malware from a pop-up ad which brought the virus onto the network. A few weeks later, a group of Turkish hackers claimed responsibility for the attack which may mean that the motivation of the attack was not to steal patient data for financial means but as a political statement.
Currently, there ransomware has two different modes. The first is through a program named Locky. Locky utilizes spam email campaigns where an email is sent across the system that contains infected MS Word documents. If the user opens the document, macros will install on the host computer and begin infecting the network. The second is through the Samas program, which attacks web servers directly. Cyber-criminals look for vulnerabilities in security, which most commonly happens at points of entry such as integration with medical devices.
In order to prepare, hospitals should begin to think about planning for a cyber-attack just as they would prepare for a natural disaster. Events like Hurricane Katrina force health care systems to plan for how to manage in a world where they are unable to access patient records, how to appropriately back up patient data, and what communication methods to use if electronic communication is unavailable. Just as it is important for a natural disaster, it is equally critical to patient safety in a scenario where applications cannot be accessed due to exploits such as ransomware.
Notable Example: University of Washington Medicine
Social engineering has become a common method of deploying malware to infect systems. Hackers target companies that publically display their employees’ contact information. Individuals are then sent phishing emails containing links or attachments that appear to be innocent in nature. But, when the link is accessed, it will immediately infect the users’ computers and begin to spread throughout the rest of the health system.
In 2013, nearly 90,000 patients at University of Washington Medicine had their personal information compromised as a result of phishing techniques. A hospital employee was sent an email that had a malicious link embedded into the content. The link was accessed in order to view an attachment. When opened, malware took over the computer and accessed the employee’s computer, which contained files needed for billing patients. While it was quickly discovered and contained the following day, patient data such as names, addresses, phone numbers, Social Security numbers, and birth dates were already exposed.
The best protection from phishing attacks is to educate users on how to appropriately manage communication in a secure manner, prohibit access to personal email, and teach end users to be suspicious of any hyperlink buried in electronic communication. This training should be something that happens repeatedly so that it is on the forefront of every team member. In addition, internal phishing audits should be conducted by sending suspicious emails to team members to lure them into clicking the included email. If a team member clicks the provided link, a follow-up can be provided to teach them how to recognize potential threats in the future.
If these best practices had been practiced, the University of Washington may have been able to avoid their $750,000 fine. In addition, they are required to develop an in-depth risk analysis as part of their two-year corrective action plan. This risk analysis should allow UWM to address any other security risks that they may vulnerable to experiencing.
Notable Example: UCLA Health
MEDJACK is one of the latest methods of accessing a health system’s network. This method will target medical devices that integrate with applications, often through methods that are not highly protected against. This allows backdoors to be created across an enterprise system, giving access to cyber-criminals for months before detected. Since it appears that nothing abnormal is occurring, data can be easily stolen.
A recent victim of MEDJACK was UCLA Health, which led to the exposure of personal data for 4.5 million patients for more than a year. The personal data included names, birth dates, Medicare numbers, and health plan numbers. This was easily done, as the patient data was not encrypted when it passed from medical devices to the electronic health record, which is one of the first essential steps to data security. The investigation began in October of 2014, when suspicious activity was noticed. UCLA Health confirmed in May of 2015 that hackers had begun accessing patient data as early as September 2014. Following the announcement, the facility was subject to multiple lawsuits from patients that called for auditors to become involved to help put appropriate security measures in place.
One of the reasons that medical devices cause such a security risk is that their internal software cannot be accessed by a facility’s security team. Since these devices manage patient care, there are regulations in place (mostly created by the FDA) when the device is being manufactured that block external access. The reasoning for the restrictions is because of the potential for the software to adversely change the core programming, causing a patient safety issue.
In order to prevent this from occurring, different governing groups have to work together to determine how to safely and securely integrate items like medical devices. In addition, implementing decoys and automation to isolate breaches would help to prevent breaches from spreading. Finally, focusing additional attention on areas where data is integrated across multiple platforms to build security methods would also be beneficial.
While there have been many different types of public attacks on hospitals, they all result in similar negative consequences. Besides the monetary implications for both patients and the health system, the biggest problem is patients losing trust in providing their personal information. When individuals begin to believe that their data will be compromised, it increases the likelihood that sensitive information will be withheld. By not providing details about substance abuse or mental health, the plan of care could be severely compromised. It is important that patients feel comfortable enough to be open about their medical history. In addition, in order for patient data to be shared across the entire health system (which is a requirement for clinicians to plan for the entire life cycle of patient care), all parties have to be confident that sharing patient data electronically can occur securely.
Security concerns will continue to loom in the healthcare industry as long as there is a substantial financial incentive for cyber-attackers. While five of the most visible attacks on hospitals were discussed, there have been hundreds of smaller incidents that have occurred over the same period of time. Federal agencies are beginning to pass down penalties, but those are levied only after data has already been exposed. In order to prevent similar attacks from occurring, a few simple steps can be taken to protect a facility. First, complete a thorough risk analysis and put in immediate mitigation steps. This risk analysis should be carried out multiple times throughout the year. Second, invest money in data security software and infrastructure. Do not make security an afterthought when involved in budget planning. Finally, implement a training plan for employees (including security awareness training augmented by simulated phishing campaigns) that consistently reminds them of risks and how to limit unnecessary exposure. While these basic steps will not prevent you or your organization from being targeted, it will make it more difficult for criminals to be successful in their efforts.