A Perfect Storm for Healthcare

June 7, 2016
With the proliferation of mobile and cloud technologies, healthcare data is at greater risk

Over the last 10 years, the healthcare industry has embraced the Meaningful Use initiative, spending over $20 billion converting paper files to Electronic Health Records (EHR) and adopting computer systems for managing and processing sensitive data in a bid to advance patient care and become more efficient. The goal and logic of the program are sound – by democratizing data, providers, researchers, pharmacies, insurance companies and so on can work together to improve outcomes for patients. EHRs and Meaningful Use have been catalysts for innovation and an influx of technology that has revolutionized an industry in its bid to extract value from data.

Consider the vast amounts of electronic records that have been amassed for all patients in the US, and then consider all the sensitive data generated daily by the Internet of Things (IoT), edge devices and wearables for health care. These are combined in Health Information Exchanges (HIEs), creating extremely large datasets of Private Health Information (PHI), ripe for analysis in-house and by third parties, on-premise and in the cloud, for the benefit of all.

With good, however, comes bad. Mobile and cloud technologies have blurred the enterprise perimeter and the health care industry now faces the perfect storm as bad actors also seek to take advantage of the wealth of electronic medical records, claims files, data from medical devices stored in large repositories and distributed throughout complex healthcare ecosystems.

PHI has a black-market value of up to 50 times the going rate for better-protected, harder-to-reach Payment Card Industry (PCI) information, making it 50 times more desirable to hackers, who are working hard to leverage vulnerabilities in healthcare business networks and workforces to gain unauthorized access to data. As a result, health care companies need to understand their challenges better as a form of defense.

Climate Change

HIPAA and HITECH and their associated Privacy and Security Rules govern the privacy rights of patients and define how these rights need to be protected.

The Office of Civil Rights (OCR) HIPAA ‘Wall of Shame’ chronicling healthcare breaches has for years been populated with lost or stolen laptops, mobile and USB devices and data stores containing sensitive information and PHI. Now it shows a dramatic change in threats, with many different motivations, including national security, hacktivism, terrorism and espionage, that have escalated into coordinated PHI attacks.

The most recent of these trends, and potentially one of the most devastating, is Ransomware. Hackers infiltrate systems, often via phishing attacks, and use malware to appropriate credentials that allow them to go wherever they need to find unprotected sensitive data and PHI, which they hold hostage using encryption before demanding money in exchange for restoration of access.

This is happening with alarming frequency: so far in 2016, companies have paid eight times more for hostage data than in all of 2015. Ransom demands vary, but Hollywood Presbyterian Medical Center was recently reported to have paid $17,000 after negotiations during which nearly 1,000 patients had to be relocated to other hospitals. Other healthcare providers have been able to limit damage and restore systems, but not without facing “significant disruptions”.

Storm Defenses

These new threats leave those in the healthcare industry perched between a rock and a hard place as they struggle to balance limited IT resources, and teams relatively new to the sophisticated skills required to securely democratize data, with the need to keep data accessible to the users who require it. Organizations are seeking an approach flexible enough to enable critical access without making themselves an easy target for bad actors, but this requires a culture change and an adherence to best practices from those working in the industry.

Along with an increase in Ransomware occurrences, 2016 offers HIPAA’s second phase of auditing (with a maximum penalty of $1.5 million per year for violations) as a benchmark for practitioners of PHI security to engage with security as part of a bigger picture about privacy and regulation, loyalty and reputation. The audit’s reach extends to ‘business associates’ in financial services and other verticals well versed in data regulations and protections, and ‘covered entities’ can benefit much from their ecosystem’s skills and experience with technology and security and the best practices that have evolved as a result.

Ironically, HIPAA encourages the use of encryption for data protection, and some organizations take this even further, utilizing tokenization or other de-identification technologies to keep data safe in use and at rest; sadly, these approaches offer little defense where Ransomware is concerned. Only good security hygiene and training for all employees that highlights the security hazards most associated with their roles – like legacy passwords or unsolicited macro-enabled attachments in emails – will help avoid the devastation of such attacks.

Privileged users, such as DBAs and system administrators, should be prevented from unnecessarily accessing data through the enforcement of available Least Privilege Rules; giving both employees and patients maximum threat awareness while exposing them to the least amount of information required minimizes both the risk and the scope of the threat.

Similarly, making full and frequent off-site systems backups, and verifying that online applications are secure and free of the most common and dangerous attack vectors (since malware often leverages known bugs), is crucial to avoiding compromise and its impact. Monitoring “normal” network activity allows organizations to identify anomalous behavior, and whitelisting permissible applications and vetoing anything else can work for some organizations, although many may find the administration and practical limitations too onerous.

Calm after the Storm

Other steps security professionals in the healthcare industry can take are more general and help to avoid reputational and financial damage that a data breach can cause.

As data flows throughout an organization in support of business processes and functions, identifying where sensitive data is located, where it’s going and who in the organization is ultimately accountable for its security is a must-have exercise. By preventing the gaps that a traditional, silo-based approach can overlook, end users can be more effective with data and adopt innovations to enhance business processes and functions.

The job of protecting private information, medical records, and other sensitive PHI data is difficult and complex at best. Whether the threat is a rogue employee or the most recent Ransomware, healthcare data security practitioners in data-driven organizations need to proactively support and encourage a culture of data-awareness while securing data at rest, and to understand users in order to enable them within context, with the right data, in the right place and at the right time.

Holding data hostage is just as profitable for criminals as trading it on the dark web, and these latest threats should serve as a warning beacon to medical facilities to evaluate the systems, equipment, and processes they employ to protect sensitive information in the face of the data security threats we face today.

The vulnerabilities and threat vectors faced by hospitals and other medical facilities are growing exponentially, and everybody should be aware of the value of data and the need to protect it. Without the proactive support of everybody, no security practice can be consistently successful. Data security requires the proactive support of everybody touching the data, and the centralized devolution of enterprise-wide policies and their consistent enforcement keeps data protected wherever it is stored, sent or used.

About the Author:

Suni Munshani joined Protegrity as CEO in May of 2011 to accelerate growth and execute strategies to extend Protegrity’s leadership position in the enterprise data security market. He brings more than 25 years of broad and diverse global business experience to Protegrity. Prior to joining Protegrity, Suni was the CEO of Novitaz, a customized data provider for the retail and hospitality sectors. Prior to Novitaz, he served as a managing partner at Persephone Investments, a venture capital firm focused on early-stage investments. While at Persephone, Suni led the firm’s investment in Synetics, Inc. and eventually assumed the role of CEO and led Synetics’ acquisition to Affiliated Computer Services, a NASDAQ listed company that was later acquired by Lockheed Martin. Prior to that, he founded several successful software and services companies, including Paradigm Systems Corporation of America (acquired by Platinum Technology/ Computer Associates) and Trirex Systems.