WikiLeaks: The Hacker’s Hacker
You would have to be living entirely off the grid to be unfamiliar with WikiLeaks, the multi-national media organization founded by Julian Assange. WikiLeaks has elevated itself as the most well-known name in hacking, exposing classified, censored or otherwise restricted official materials involving war, spying, and corruption. The organization is despised for uncovering secrets that were not meant for public consumption and applauded by millions who believe that the world’s most persecuted documents should be available to everyone. Who would have thought that hacking could land someone on the cover of TIME Magazine as the coveted Person of the Year? Mr. Assange held that distinction in 2010.
The Ransomware Epidemic
One reason hospitals may be particularly vulnerable to ransomware is the multitude of systems and devices in use. There are many more entry and access points for cybercriminals to exploit. Recent innovations in the hacker community make it difficult to guard against new strains of ransomware. Once patient data is infected, hospitals and clinics are locked out of their systems. Unlike other industries where access to data is not as time critical, not having access to patient data could mean the difference between life and death.
Ransomware breaches represent a big payoff for criminals, and it’s quite clear why healthcare is the primary target. According to the 2016 IBM X-Force Cyber Security Intelligence Index, a stolen medical record is worth more than 10 times that of a stolen credit card.
In a prepared statement, Jocelyn Samuels, director of the U.S. Department of Health and Human Services Office for Civil Rights, said, “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware.”
Medical Data Hacking on the Rise
According to X-Force research, healthcare record theft is up 1,100 percent in 2016, with more than 140 million medical records compromised worldwide. Out of the 249 incidents submitted to the Office for Civil Rights (OCR) through October 26, 2016, 83 were caused by hacking or an IT incident. While hacking incidents garner the most attention, there were 104 unauthorized access or disclosure breaches, 46 cases of theft, 12 incidents involving loss and four caused by improper disposal.
The top five unauthorized breaches in 2016 were Banner Health, Newkirk Products, 21st Century Oncology, Valley Anesthesiology and Pain Consultants and Hollywood Presbyterian Medical Center. Banner, a large Arizona-based health system, discovered an incident on July 7, 2016, that affected approximately 3.6 million patients, members and beneficiaries, providers and food and beverage outlet customers. Newkirk Products, a New York-based service provider that issues healthcare ID cards for health insurance plans, announced in August 2016 that it experienced a data breach potentially compromising approximately 3.4 million plan members. 21st Century Oncology notified the OCR of a data breach in March 2016 that may have affected an estimated 2.2 million individuals, and Valley Anesthesiology and Pain Consultants announced in August 2016 that 882,590 patients might have had their information exposed when an unauthorized party inappropriately accessed one of its computer systems.
The highest profile medical data breach in 2016 happened to Hollywood Presbyterian Medical Center in California. In March, the hospital was locked out of its Electronic Health Records system for over a week. During that time, providers reverted to operating via pen and paper until they made a decision to pay the hackers $17,000.
The advent of medical data hacking appears to have no end in sight. No one is immune to having his or her medical records compromised. It is troubling to think that even with best security protocols in place, one out of every three people had a healthcare record compromised in 2015.
Medical Devices Also Pose a Security Threat
Most people do not realize that medical devices are often mini-computers linked to a corporate network. When a device has no embedded encryption capability, a hacker who compromises it can easily gain access to the core network or other networks throughout the organization, including the electronic health records.
Hackers have one of two motives for what they do, says Stephanie Domas, an ethical hacker and lead medical device security engineer at Battelle, a research and development firm. She hacks organizations and is paid for it. Some devices hold a sizable amount of hackable data, while others don’t contain much data but are a gateway to the network for hackers. Medical devices can include fetal monitors and other monitoring machines, ventilators, anesthesia machines, bypass machines, electrocardiographs, lasers, gamma cameras, medical apps, diagnostic imaging systems, powered wheelchairs, implantable defibrillators and pacemakers, and much more.
Derek Jones, a senior security advisor at the consulting firm Impact Advisors, offers his advice on how to protect medical device data. In an article published by Health Data Management, he said, “Many hospitals only use a perimeter firewall to provide protection for moving in and out of the core network, with no other firewalls protecting internal systems. Multiple firewalls across the organization—to the greatest extent possible, given available resources—represents a good start toward improving device security.”
“Layered security is important because we can’t trust the Internet” he explains. “All these devices that get plugged into the network, like security cameras, cash registers, and biomedical devices are a risk to data security. Network access makes it easier to use the devices, but we often forget they are mini-computers and must be protected.”
Too often, Jones adds, the built-in firewall that comes with Microsoft Windows is viewed as adequate, and as a result, more advanced software with better scanning and reporting features is not deployed. A more sophisticated firewall will replace the Windows firewall, which does not have the capacity that enables a network administrator to know that malware has infected a computer or a device.
New and old medical devices alike can be a security threat. Both require the addition of embedded security, which includes the encryption of data at all access points. The U.S. Food and Drug Administration has provided guidance for manufacturers to follow to reduce medical device hacking risks. However, there are no penalties for non-compliance.
The Human Element in Medical Data Security
The biggest threat to healthcare IT security is the human element. According to the 2016 HIMSS Cybersecurity Survey, the two primary healthcare IT security concerns from healthcare organizations (hospitals and physician practices) are phishing attacks (a concern for 77 percent of respondents) and viruses/malware (67 percent). Both events require human interaction for hackers to access patient data.
Training clinicians and staff one time is not enough to guard against attacks. Continuing education is the key. A study by Wombat Security Technologies and the Aberdeen Group suggests that upgrading employee mindfulness can lessen security risk by anywhere from 45 to 70 percent. There is no such thing as a 100 percent secure IT system if people use it. It certainly makes no sense to make significant investments securing a technology if system users are not trained properly.
Steps for Prevention and Protection
The number one rule in securing medical data is to never assume you are completely protected. There is no “one size fits all” protection against security breaches. When implementing an effective prevention and protection strategy, you should consider these 12 points:
- Initially, train users about the risk;
- Implement consistent high-frequency data backups;
- Block all executable attachments that do not pass your security software assessment;
- Keep systems patched (especially JBoss web servers, which are common in healthcare);
- Maintain updated antivirus solutions;
- Maintain strong passwords;
- Ensure that active accounts connect to a current staff member;
- Make sure departing staff members return laptops and other mobile technology;
- Allow only the minimum necessary access to sensitive information;
- Secure medical devices by encrypting data and securing access points;
- Audit the system regularly; and
- Provide consistent ongoing security training for every staff member.
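As an added example (not from the article or its author), the following Python script shows one way to automate three of the points above as a recurring audit: flagging enabled accounts that map to no current staff member, departed staff who have not returned their laptops, and access beyond the minimum a role needs. The account export, HR roster, role-to-group policy table and audit date are constructed sample data.

```python
"""Reconcile an identity export against the HR roster (added example; constructed data)."""
from datetime import date

# Constructed sample identity export: username, enabled flag, group memberships.
ACCOUNTS = [
    {"user": "jdoe",    "enabled": True,  "groups": {"clinicians", "ehr_read", "ehr_write"}},
    {"user": "asmith",  "enabled": True,  "groups": {"billing", "ehr_read"}},
    {"user": "oldtemp", "enabled": True,  "groups": {"ehr_read"}},
    {"user": "bjones",  "enabled": False, "groups": {"it_admin"}},
]
# Constructed sample HR roster: role, end date (None = still employed), laptop status.
ROSTER = {
    "jdoe":   {"role": "clinician", "end_date": None,               "laptop_returned": None},
    "asmith": {"role": "billing",   "end_date": date(2016, 10, 1),  "laptop_returned": False},
    "bjones": {"role": "it",        "end_date": date(2016, 9, 1),   "laptop_returned": True},
}
# Hypothetical "minimum necessary" policy: the only groups each role should hold.
ROLE_GROUPS = {
    "clinician": {"clinicians", "ehr_read", "ehr_write"},
    "billing":   {"billing"},
    "it":        {"it_admin"},
}
TODAY = date(2016, 11, 1)  # constructed audit date


def audit(accounts, roster, role_groups, today):
    """Return (user, finding_type, detail) tuples for every policy violation found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # An enabled account with nobody on the roster behind it is orphaned.
            if acct["enabled"]:
                findings.append((user, "orphaned", "enabled account with no roster entry"))
            continue
        departed = person["end_date"] is not None and person["end_date"] <= today
        if departed and acct["enabled"]:
            findings.append((user, "departed-active", "account still enabled after end date"))
        if departed and person["laptop_returned"] is False:
            findings.append((user, "device-unreturned", "departed staff has not returned laptop"))
        # Any group outside the role's allowed set violates minimum-necessary access.
        extra = acct["groups"] - role_groups.get(person["role"], set())
        if extra:
            findings.append((user, "excess-access", "groups beyond role: " + ", ".join(sorted(extra))))
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit(ACCOUNTS, ROSTER, ROLE_GROUPS, TODAY)
```

In practice the same logic would read the export and roster from the identity provider and HR system rather than from inline data, and the findings would feed a ticket queue for the account owner.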
Leveraging robust user training, including an investment in preparedness, and implementing key security controls and protocols will go a long way in securing an organization’s medical data. It doesn’t end there. Health enterprises must also ensure that they have an all-encompassing backup and recovery process that allows them to get back to business as usual quickly after a breach or attack.
Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog, and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company. As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business development and client engagement. Phil has over 25 years’ experience consulting on a broad range of healthcare initiatives for clinical and revenue cycle performance improvement. He has worked with the industry’s largest health systems developing executable strategies for revenue enhancement, expense reduction, and clinical transformation. He can be reached at [email protected]
The post WikiLeaks, Hacking and Cybercriminals Keep Healthcare IT Stakeholders Up at Night appeared first on REVENUE CYCLE NEWS.