Cybersecurity & the Modern Healthcare Landscape, Part 1: Data Breaches in Healthcare
by Jason Robohm, CyberOne Security Field CISO
According to a survey from privacy website PrivacyAffairs.com, data breaches in healthcare in the U.S. increased by 2,733% between 2009 and 2019, with an average of 1.4 breaches exposing at least 500 records per day. The survey also found that there were over 3,054 data breaches of healthcare records over the past decade.
Although the sheer number of healthcare breaches is lower than that experienced by the construction, manufacturing, and finance industries, the difference is that, in the healthcare industry, attackers are leveraging lives to extort money. Supply chain interruptions and stolen credit card information may be a hassle, but no one dies. How did we get here, and more importantly, what can we do about it?
In this first installment of a two-part series, we’ll take a look at a few of the underlying issues affecting healthcare security posture and the devastating impact those issues can have on patient care.
Healthcare’s technology and security debt remains high.
Similar to the higher education, K-12, and city/state government markets, healthcare carries high “security debt”, deferring investments in the tech stack and adopting an “if it ain’t broke, don’t fix it” attitude. Outdated technology in hospitals is one of the biggest challenges facing healthcare data security today, and it has far-reaching—and sometimes deadly—consequences. Medical devices, such as CAT scanners and X-ray machines, which were once standalone are now interconnected. While the equipment itself is still functional, it is often connected to PCs running unsupported, unpatched operating systems that leave them exposed to known vulnerabilities. The FDA defines a medical device as both the hardware and the software required to run it. Devices are FDA certified with a specific version of an operating system, application software, and hardware (including firmware and configurations). Should one or more of those components need to be upgraded or patched, the entire device often needs to be re-certified. All too often, healthcare’s “security debt” includes these devices, and all too often the maintenance contracts on those devices are allowed to lapse.
Technology adoption among patients and physicians also brings about a rise in human error. For example, if a patient accesses their electronic health record from their healthcare provider’s portal and then stores that valuable data in unencrypted folders in the cloud or emails the results to a relative or friend, they are opening the door to bad actors intent on stealing their most personal data.
Hippocrates didn’t have a clue about data security.
It is extremely rare to find a healthcare business that is focused on cybersecurity. Their top concern is (rightfully) patient care: diagnosing and treating patients. Unfortunately, the Hippocratic oath of “first, do no harm” does not apply to patient data. This is especially significant in a world where doctors increasingly rely on data as opposed to simply using physical lab results and X-rays to diagnose and treat their patients.
In addition, ransomware’s devastating effects on hospitals go far beyond patient data. Last year, a 78-year-old woman in Dusseldorf, Germany died after a ransomware attack compromised the digital infrastructure of her local hospital, forcing the facility to close its accident and emergency department. The woman, who had suffered an aortic aneurysm, had to be diverted to a more distant hospital, delaying her treatment by an hour.
Compliance does not equal security.
HIPAA/HITECH compliance obligations to protect patients’ data have nothing to do with security. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a set of practices that govern the privacy of individual health records. The Health Information Technology for Economic and Clinical Health Act (HITECH) did not come into effect until 2009, as part of an economic stimulus package to promote and expand the adoption of health information technology, specifically the use of Electronic Health Records (EHRs) by healthcare providers. The bottom line is that HIPAA protects privacy, while HITECH promotes and funds health technology. The reality is that neither piece of legislation addresses health record security; yet healthcare providers have erroneously acted as if they do.
The value of ePHI (electronic protected health information) is greater than the value of credit card data because ePHI cannot be changed.
The persistence of healthcare data means that once a bad actor has it, the owner cannot make it useless the way a stolen credit card can be cancelled; ePHI cannot be cancelled or reissued. Once ePHI security is breached, its value persists—although that value is higher to the patient than to a stranger. The healthcare industry markets itself as a trustworthy provider of healthcare services, yet a breach involving patient data can erode that carefully built trust.
Healthcare providers are a soft, but lucrative target for ransomware gangs.
The outdated tech stacks I mentioned above make healthcare providers a soft target for hackers. In May 2017, the WannaCry ransomware attack became a global epidemic that spread through computers running Microsoft Windows. Users’ files were held hostage, and a Bitcoin ransom was demanded for their return. The damage from this attack, which affected thousands of National Health Service (NHS) hospitals and surgery centers across the UK, was a stark warning that ePHI and the entire healthcare industry are vulnerable to the very same ransomware and data extortion attacks as other businesses.
When targeting healthcare businesses, cybercriminal business models have evolved and now leverage three methods to get their payoff:
- Ransomware: As with the German and WannaCry attacks, these involve stealing data, making a copy for the hacker’s own purposes, and then trying to sell the data. The persistence of healthcare data makes it especially valuable. For example, unscrupulous insurance companies may buy patient data and use it to deny insurance coverage.
- Extortion: It is said that knowledge is power. Having knowledge of a famous individual’s health status can be a valuable bargaining tool. Some hackers even combine ransomware and extortion by collecting an initial ransom payment but keeping the data in order to demand additional money.
- Encryption: After stealing the organization’s data, the hacker may encrypt the data and then demand payment for the key needed to regain access to it.
Identities are high-value targets.
Stealing a patient’s data can be lucrative, but stealing the identities of certain high-value individuals within a healthcare organization can be a goldmine. Bad actors love to target pharmacists and pain management specialists so they can use their credentials to prescribe narcotics for fake patients.
Insider threats are a growing concern.
Not everyone in the healthcare industry is trustworthy; some have ulterior motives and can act as moles in an organization with the intention of exploiting data. They may act on behalf of someone else, for example, by copying data and selling it to a bad actor. Insiders can do the same damage as outsiders when it comes to ransomware, and they are harder to catch because it is human nature to trust insiders.
The healthcare system has very nascent tools for watching insiders, but these individuals need to be monitored more carefully because the value of the data they can access is as high or higher than that accessible by an outsider.
Is there a cure?
So, we’ve looked at the symptoms of this serious illness in our healthcare system. In the next installment of this blog series, we’ll take a look at some of the steps we can take toward implementing a cure. (Hint: There is a cure—or a variety of cures; the condition does not need to be terminal.)
Jason Robohm is the Field CISO at CyberOne, with over twenty years of IT experience identifying and correcting infrastructure security problems and building Information Security Programs. This encompasses the analysis of business compliance obligations along with project planning and implementation of innovative process management techniques aimed at improving information system uptimes and capabilities, all while reducing TCO. He possesses division level P&L experience as well as Six Sigma / ISO 900x process management training.