Published in Becker’s Hospital Review – May 17, 2017
If Ed Snowden worked at your hospital, would you know it?
That’s a half-serious question with a dead serious answer. While cybersecurity is one of the gravest threats faced by all business sectors, hospitals are especially vulnerable and attractive targets. According to InfoSec Institute, “Criminal attacks in healthcare are up 125 percent since 2010 and the likelihood to occur in this particular industry is greater than any other sector in the economy.” Ponemon reported in 2015 that 90 percent of healthcare companies had been hacked, which led to exposing millions of patients’ medical records. Bloomberg Business calculates that criminal acts against the healthcare industry cost up to $6 billion a year.
Why target healthcare?
The main reason today’s cyberthieves target healthcare is for the same reason the infamous bank robber gave for holding up banks: “That’s where the money is.” In our hyper-connected world, stolen healthcare records are worth a fortune. The going rate for a stolen credit card number with CVV is about $1. For a username and password on Amazon or Uber it’s $2 to $4. For a stolen medical record? $20 to $50, according to a 2017 report from Aite Group / Trend Micro. Premium prices for premium value.
Consider the lucrative opportunities latent in the stolen file of an accident victim who ends up hospitalized. There is the potential for identity theft from the patient’s personal information and the opportunity to fraudulently obtain medical services and prescription drugs. But the real cash cow in healthcare records theft is insurance payments fraud. Clearly identified in that file are dozens of people who deal with that patient – and will be entitled to payment (some very large) from the insurance company or other payor: EMTs, ambulance drivers, all the emergency room personnel, the operating room personnel, the attending physician, the floor nurse and the anesthetist.
All told, there could easily be 50 different people in that one medical “supply chain” – 50 different points for cyberthieves to make money. They bide their time, knowing when to enter the payment stream, then impersonate that individual, claim payment, receive payment and go on to the next person and next record. The thieves have learned that along with current claims, like a normal hospitalization, there are additional earning opportunities in ongoing claims for long-term ailments.
Rushed into the digital age
That’s not the only reason for targeting the healthcare industry. Not to tar a whole industry that is dealing with wrenching change in chaotic times, but it’s an unfortunate fact that most healthcare institutions remain lax or lagging in their cybersecurity. Unlike, say, the financial industry, which has always made security a priority and carried that priority into cybersecurity as it went online, or online retailers, which built security into their digital solutions from the start, the healthcare industry had no comparable security culture to draw on when it was thrust into the age of the internet.
In 2008, according to US News, “Only 9.4 percent of hospitals used a basic electronic record system.” Six years later, almost all of them (96.6 percent) had made the leap. US News again: “Health care entities could not have the organizational readiness for adopting information technologies over such short period of time. Many of the small- or medium-sized health care organizations do not view IT as an integral part of medical care but rather consider it as a mandate that was forced on them by larger hospitals or the federal government. Precisely due to this reason, health care organizations do not prioritize IT and security technologies in their investments.”
In other words, when healthcare entities made their digital advance, they crossed the chasm, but in two leaps! Today, it is rare to find a healthcare organization that is not scrambling to reach a higher level of cybersecurity maturity. But many remain focused on the lesser priority – the external threats – those massive, wholesale breaches that garner the headline.
“He’s calling from inside your house.”
But the greater threat is internal breaches, where trusted employees have broad access to a vast amount of private and valuable data. Like Ed Snowden smuggling out classified NSA documents on a thumb drive, they can exploit their access for nefarious purposes. The money to be made from stolen records can turn once-honest employees into thieves, either by stealing records at the behest of cyberfences or coughing up access credentials to permit direct access. It encourages dishonest individuals to become employees or contractors.
And while the hospital’s cybersecurity experts are busy building up the security perimeter and securing the networks against external hackers, under their nose these trusted employees and contractors can operate undetected, doing untold harm. Just like in the horror movies, “He’s calling from inside your house!”
At least three priorities should drive the next cybersecurity steps for healthcare.
Hytrust claims, “The most important and fundamental control to protect privileged accounts is strong authentication, which means two-factor authentication so that borrowing or stealing a password isn’t enough to gain access to privileged accounts.” Yet according to Healthcare Information and Management Systems Society, only 60 percent of US healthcare organizations have implemented two-factor authentication.
Too many healthcare executives who thought they were protecting the enterprise have been dismayed to discover, when they suffer a breach, that their investments only gave them the dangerous illusion of security. Sometimes it’s because they purchased good but one-off components that let cyberthieves exploit the gaps between the components. But increasingly it’s because the market is flooded with “solutions” of dubious quality. As a sudden downpour in a big city floods the sidewalks with vendors of shoddy umbrellas, so has the cybersecurity field attracted newcomers who might have been developing social apps or games until the cybersecurity demand attracted them, as opposed to experts with cybersecurity and healthcare experience.
To avoid wasting investments and suffering intrusions, healthcare institutions need to look for the Health Information Trust “seal of approval.” The HITRUST Alliance, a non-profit, offers the independent standard for assessing how well security solutions in fact protect sensitive information. Its healthcare module is particularly robust, certifying systems for compliance with the mountain of state and national healthcare security and privacy regulations.
By far the most important protection against internal cybertheft is behavioral analytics. Hospitals need a systematic way of learning employees’ behavioral patterns, setting parameters accordingly, monitoring them in real time, getting alerts about unusual activity or deviations and slamming the door on access if judged appropriate. Instead of focusing on breach and crisis control, behavioral analytics provides the intuitive ability to circumvent a breach before harm is done. Such a system learns fast and steadily produces better information and fewer false alerts. Has an employee begun accessing systems he didn’t use before? Is he logging on at odd hours? Has he begun printing documents he used to download? Or saving them to a thumb drive? Behavioral analytics would have nailed Ed Snowden red-handed.
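The baseline-then-deviation logic described above, as an added illustration that is not from the article or from either author's company: a small Python detector that learns which systems, actions and login hours a user normally shows, then flags new systems, new actions (printing, copying to USB) and off-hours logins, and lists users who cross an alert threshold for an access review. The log lines, user names, action labels and the hour-slack and threshold values are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (user, timestamp, system, action); not real data.
BASELINE_LOG = [
    ("jdoe", "2017-05-01 09:12", "EHR", "view"),
    ("jdoe", "2017-05-02 10:40", "EHR", "download"),
    ("jdoe", "2017-05-03 14:05", "EHR", "view"),
    ("jdoe", "2017-05-04 11:30", "Billing", "view"),
]
NEW_LOG = [
    ("jdoe", "2017-05-08 10:15", "EHR", "view"),        # normal
    ("jdoe", "2017-05-08 23:47", "EHR", "download"),    # odd hour
    ("jdoe", "2017-05-09 13:00", "Radiology", "view"),  # system never used before
    ("jdoe", "2017-05-09 13:05", "EHR", "print"),       # new action type
    ("jdoe", "2017-05-09 13:10", "EHR", "usb_copy"),    # new action type
]

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

def build_baseline(log):
    """Learn, per user, the systems used, actions taken and login hours seen."""
    profile = defaultdict(lambda: {"systems": set(), "actions": set(), "hours": set()})
    for user, ts, system, action in log:
        p = profile[user]
        p["systems"].add(system)
        p["actions"].add(action)
        p["hours"].add(_hour(ts))
    return profile

def detect_deviations(profile, log, hour_slack=2):
    """Return (user, timestamp, reason) alerts for events outside the learned profile."""
    alerts = []
    for user, ts, system, action in log:
        p = profile.get(user)
        if p is None:
            alerts.append((user, ts, "unknown user"))
            continue
        if system not in p["systems"]:
            alerts.append((user, ts, f"new system: {system}"))
        if action not in p["actions"]:
            alerts.append((user, ts, f"new action: {action}"))
        hour = _hour(ts)
        # Circular hour distance so 23:00 and 01:00 count as neighbours.
        if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in p["hours"]):
            alerts.append((user, ts, f"odd hour: {hour:02d}:00"))
    return alerts

def users_to_review(alerts, threshold=3):
    """Users whose alert count reaches the threshold, i.e. candidates for an access review."""
    counts = defaultdict(int)
    for user, _, _ in alerts:
        counts[user] += 1
    return {u for u, n in counts.items() if n >= threshold}
```

Running `users_to_review(detect_deviations(build_baseline(BASELINE_LOG), NEW_LOG))` on the constructed log flags `jdoe`, who has four deviations in two days; a real deployment would feed the baseline from weeks of access logs rather than four lines.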
Now that your healthcare institution is vulnerable to his ilk and those who would profit while ruining your reputation and exposing your patients to harm, are you prepared to defend against them? Attacks on healthcare institutions will only increase unless protection is strengthened. And future attacks might not just be costly but matters of life and death. Virtually the entire British healthcare system was disrupted by the recent WannaCry cyberattack. As more and more of your tools become smart devices connected to the internet, it is no longer difficult to imagine cyberthieves hacking in at any point and demanding ransom before you can treat your patients.
About the authors
Bill Long, Managing Partner, Waypoint Consulting Services
Bill Long’s management consulting experience is in leading large-scale, complex, highly integrated IT/business transformation, including Waypoint Consulting Services’ cybersecurity practice. For more than 20 years, he has worked closely with clients’ top management to align technology and business strategy.
Alf Poor, Chief Operating Officer, Global Data Sentinel
Alf Poor has founded and led technology-based companies to success for more than 15 years, guiding them to meet the needs of their clients with technology innovations. His knowledge of the healthcare field has informed Global Data Sentinel’s security solutions for the healthcare sector.