According to a study published by the Center for Connected Medicine called “Top of Mind 2018 Survey of Technologies,” healthcare organizations put a serious emphasis on cybersecurity this year. This emphasis is justified by the fact that healthcare data breaches have risen in 7 of the past 8 years. From 199 data breaches in 2010 to 344 in 2017, a total of 176.4 million patient records have been impacted. This growth continued in 2018, as a total of 4.4 million records were compromised in the third quarter alone. The number of affected records has in fact climbed each quarter in 2018, including a growth rate of more than 150% between the first and second quarter. Some of the most recent 2018 attacks include the following:
- The Open Enrollment process for the Affordable Care Act this year was preceded by the discovery that the records of some 75,000 individuals had been accessed in a breach of Healthcare.gov, according to the Centers for Medicare and Medicaid Services. The breach was announced on October 22.
- The personal information of nearly 21,000 patients may have been breached after two employees of the Minnesota Department of Human Services fell for phishing attacks, as was reported on October 12.
- The Inova Health System reported on September 15 that an unauthorized person gained the logon credentials of an Inova employee during a three-month period starting in July. The individual also accessed paper billing records. All of this culminated in the compromise of the personal information of an undisclosed number of patients.
Ransomware today plays a big part in data breaches as cybercriminals now use the encryption malware to hide their tracks after a breach.
Healthcare breaches made up 37% of all ransomware attacks in 2018. Two examples this year include:
- On October 24, a Sioux City, Iowa vision surgery center reported a ransomware attack it experienced back in August that impacted the patient records of 40,000 individuals.
- Pennsylvania-based May Eye Care Center announced on November 15 that the records of 30,000 patients had been compromised in a ransomware attack that took place on July 29.
Attack Methodologies and Preparedness
As you can see, data breaches occur by a variety of means, including phishing attacks, ransomware and credential theft. According to the 2018 Protected Health Information Data Breach Report, the breakdown of the top 5 causes of data breaches within the healthcare industry is as follows:
- Human Error – 33.5% (losing a thumb drive, disposal error)
- Misuse or Privilege Abuse – 29.5% (snooping by employees)
- Physical Theft – 16% (theft of mobile devices and documents)
- Traditional Hacking – 14.8% (credential stuffing and system compromise)
- Malware – 10.8% (ransomware, keyloggers and rootkits)
According to the Top of Mind 2018 Survey of Technologies, 92% of respondents who participated in the study planned to spend more on cybersecurity in 2018 to combat data breaches and cyberattacks. A more specific breakdown is shown below:
- 67% planned on adding cyber security staff
- 54% planned on investing in technology solutions that will help them identify and detect cyber threats before those threats have the opportunity to do damage
- 17% planned to open bitcoin wallets as part of their preparedness for ransomware attacks
Considering all of the valuable protected health information contained within patient records, such as social security numbers, birthdates and payment information, it is no wonder that healthcare organizations are prime targets for hackers. The plethora of data, combined with the exorbitant costs involved in data breaches, certainly substantiates the growing escalation of healthcare cybersecurity defenses. According to the Ponemon 2017 Data Breach report, healthcare data breaches cost organizations $380 per record, 2.5 times the global average of $141 per record. Now consider the costs of large breaches such as the attack on LifeBridge Health in Baltimore, MD that may have exposed the protected health information of 500,000 patients, or the attack on UnityPoint Health Hospital in Madison, WI that involved more than 1.4 million records. With the scale and the escalating frequency of healthcare data breaches, it should be no surprise that the costs of these incidents have risen steadily for 7 years straight.
Potential Further Problems
Not only must the healthcare industry protect a plethora of patient health information, it must do so over a burgeoning attack surface. Healthcare clinics utilize medical devices to treat and monitor patients in ICU facilities, operating rooms and patient care networks. Until recently, these devices have primarily been portable devices that are carried or wheeled around between stations. These devices often host legacy operating systems such as Windows XP, which is susceptible to the EternalBlue exploit that has caused billions of dollars of damage over the past year. What’s more, these devices are rarely updated or patched, if they can be at all. The new trend for medical devices is IoT. Sixty percent of healthcare organizations utilize IoT devices within their facilities, and that figure is expected to increase to 87 percent next year. The IDC predicts that machine learning will become ubiquitous throughout the industry and play an essential role in the treatment of patients. Unfortunately, the security record for IoT is not good. These devices often lack any type of endpoint protection and are often plagued with outdated security protocols that hackers can easily take advantage of. Whether traditional medical devices or IoT machines, medical devices often represent the weak points within the security chain. According to research, 18 percent of medical devices were impacted by malware or ransomware in the last 18 months. While few of these incidents resulted in the direct compromise of PHI, the alarm bells are sounding.
Healthcare Executives Are Concerned
All across the healthcare community, C-level executives are realizing that cybersecurity must become a top-down strategic initiative. Despite the challenges of having to protect so much personal data over such a large attack surface, healthcare at large has lagged most other industries in the implementation of cybersecurity. This was recently outlined in a 2018 report, “A Pulse on the Healthcare Industry’s Cybersecurity Risks”. Below are some of the highlights of the report.
- The healthcare industry ranks 15th when compared to 17 other major U.S. industries
- The healthcare industry is one of the lowest performing industries in terms of endpoint security, posing a threat to patient data and potentially patient lives.
- 60 percent of the most common healthcare cybersecurity issues relate to poor patching cadence
All healthcare providers struggle with the issue of device patching.
Survey results show that 41 percent of healthcare IT professionals lack sufficient budget for connected medical device security. All of this contributes to the fact that more than 60 percent of healthcare IT executives lack confidence that their current medical device security strategy protects patient safety. In a survey conducted in October 2018 that involved 150 provider organizations, the average enterprise had 10,000 connected medical devices, one third of which were unpatchable.
Executive leaders in the industry are starting to get a handle on these challenges and the lack of attentiveness displayed in the past.
They are doing so by actively investing in technologies to help improve overall strategy and response times when it comes to cyber threats. Besides a lack of security tools, another glaring problem has been the lack of staff dedicated to cybersecurity throughout the industry. Organizations that lack the resources to fund internal staff are now starting to invest in outside services such as monitoring services and cybersecurity assessment consultants. Because so many people within a typical clinic have access to a patient’s personal data, a strong emphasis is being placed on security policies and procedures in order to comply with HIPAA as it pertains to logon procedures and access. While HIPAA does not specifically call for encryption of data at rest, organizations are awakening to the reality that it is a requirement today.
How Duty of Care and CIS RAM can help strike the right balance
While more spending on cybersecurity is certainly justified in the healthcare industry, throwing lots of money at the purchase of security tools and outside personnel may not achieve the required results. Wars are won not by whoever has the most troops, but by whoever executes the most effective strategy on the field of battle. Military strategy begins with an assessment of the situation at hand, which is where a cybersecurity strategy begins as well. A proper risk assessment is essential in order to identify the risks inherent to your organization and the threats that could turn those risks into incidents. A proper risk assessment allows you to gain visibility and insight into the current state of your security posture. Once the potential threats relevant to your organization are identified, you can then prioritize them according to their impact and likelihood. This is important because not every threat can be protected against. Nothing is completely safe. Should your organization undergo the traumatic experience of a data breach, you will not be judged by the amount of security you could have afforded, but by whether you had the amount of security justified by your situation. Obviously, the expectations for a global health provider vary from those for a small-town healthcare clinic.
Protected health information risks vary from one organization to the next, which can make the process of determining an organization’s expected “duty of care” intimidating, if not overwhelming, for those who don’t practice cybersecurity on a professional basis. Fortunately, there is a set of guidelines available: the CIS® (Center for Internet Security) Risk Assessment Method, or CIS RAM. CIS RAM provides a method for analyzing your risks and obligations and for prioritizing safeguards to protect your assets from cyberattacks. CIS RAM is based on the Duty of Care Risk Analysis (DoCRA) Standard; its risk assessments meet the requirements of established information security risk assessment standards and demonstrate whether safeguards are “reasonable” and “appropriate”, as regulators and judges often require.
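To make the impact-and-likelihood prioritization and the “reasonable safeguard” idea above concrete, here is an added illustrative example (not code from the article, CIS, or HALOCK): a small risk register is scored and ranked, and each candidate safeguard is checked against an acceptable-risk criterion and against its own burden. The scales, threshold, and register entries are constructed for illustration and are an assumption, not the official CIS RAM scoring tables.

```python
# Added illustrative example: impact x likelihood risk prioritization with an
# acceptable-risk criterion and a simplified DoCRA-style reasonableness test.
# Assumption: scales, threshold and entries are constructed for illustration
# and are NOT the official CIS RAM scoring tables.
from dataclasses import dataclass

IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
ACCEPTABLE_RISK = 6  # constructed acceptable-risk criterion (impact x likelihood)


def risk_score(impact: str, likelihood: str) -> int:
    """Risk score = impact x likelihood on the 1-5 scales above (max 25)."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


@dataclass
class Risk:
    name: str
    impact: str
    likelihood: str

    def score(self) -> int:
        return risk_score(self.impact, self.likelihood)


@dataclass
class Safeguard:
    name: str
    residual_impact: str      # impact once the safeguard is in place
    residual_likelihood: str  # likelihood once the safeguard is in place
    burden: int               # cost/disruption to the organization, same 1-25 scale


def prioritize(risks: list) -> list:
    """Names of the risks, highest score first: the order in which to treat them."""
    return [r.name for r in sorted(risks, key=lambda r: r.score(), reverse=True)]


def evaluate(risk: Risk, sg: Safeguard, acceptable: int = ACCEPTABLE_RISK) -> str:
    """'reasonable' = residual risk within the acceptable criterion AND the safeguard
    is not more burdensome than the risk it treats (simplified DoCRA reading)."""
    residual = risk_score(sg.residual_impact, sg.residual_likelihood)
    if sg.burden > risk.score():
        return "too burdensome"
    if residual > acceptable:
        return "insufficient"
    return "reasonable"


# Constructed register drawn from the breach causes discussed in this article.
RISKS = [
    Risk("phishing leads to credential theft", "major", "likely"),              # 16
    Risk("lost unencrypted thumb drive with PHI", "moderate", "possible"),      # 9
    Risk("unpatched legacy OS on medical device", "catastrophic", "possible"),  # 15
    Risk("employee snooping on patient records", "minor", "likely"),            # 8
]
```

A safeguard that lands in "insufficient" is not necessarily wrong, only not enough on its own; in practice it would be combined with another control and re-evaluated.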
For those unfamiliar with CIS RAM, partnering with an experienced security firm such as HALOCK Security Labs can help oversee the process of determining your acceptable risk criteria. HALOCK authored CIS RAM in partnership with CIS as guidance on how to implement the CIS Controls “reasonably” and “appropriately” in your specific environment. A strategy created using CIS RAM defines your prioritized safeguards for achieving good cybersecurity hygiene throughout your organization, which is the key to protecting not only your hosted data, users and devices, but the reputation of your organization as well. As a business owner or executive, you may not have to fully understand the details of cybersecurity, but it doesn’t have to be a mystery either. For the healthcare industry, the ability to diagnose the threats to your organization in order to ensure proper deterrents is just as important as identifying the dangers to your patients.
Do you know reasonable?
HEALTHCARE CYBERSECURITY RISK MANAGEMENT RESOURCES:
- Take Cybercare
- Crain’s Cybersecurity Roundtable
- Foreseeable Risk Index (FRI)
- CIS RAM Workshop – Live Stream Dec. 10, 2018