
Information Security Expert Predicts that the “Enron of Data Breaches” is Coming

July 31, 2017
by Rajiv Leventhal
Although there are steps that can be taken to improve healthcare cybersecurity, one consultant fears that the worst is yet to come

Recent major cyber attacks on the healthcare community, such as Petya and WannaCry, have created unprecedented levels of fear among IT security professionals. In fact, a cybersecurity report from HIMSS last month noted that these two threats in particular continue to affect various industries around the world, only adding to the growing concern. And while much of the focus has been on how these attacks have impacted larger organizations in recent months, there hasn’t been a whole lot of discussion on how their small-practice brethren could be affected.

Indeed, small physician practices can fall victim to ransomware and many other types of cyber attacks, as they don’t often have the budget for proper protection to fend off hackers. But experts in the field do attest that there are some low-cost ways they can combat an attack without breaking the bank.

Helping smaller practices in this regard is Jorge Rey, director of information security and compliance at advisory firm Kaufman Rossin. Rey is primarily responsible for the firm’s compliance with federal and state cyber security and privacy information laws and regulations. Recently, Rey spoke with Healthcare Informatics about steps smaller physician practices can take to better protect their data in addition to broader cybersecurity trends he is seeing. Below are excerpts of that discussion.

What are the main things you are working on these days as it relates to healthcare cybersecurity?

We’re an accounting firm, and I work in the consulting division where I specialize in HIPAA [the Health Insurance Portability and Accountability Act] and HITECH [the Health Information Technology for Economic and Clinical Health Act] consulting. Under those areas, we focus on small and large practices, hospitals and business associates (BAs). We assist clients with their HIPAA compliance requirements, whether it is doing risk assessments, policy and procedures implementation, penetration testing, vulnerability assessments, or technical assessments, so we are helping them translate the requirements of the rules into actionable items that they can use in their operations while still complying.


How ready and prepared are most of your clients?

A lot of the organizations have at least something in place, so it’s not like they’re all starting from scratch. It is now about looking at what they have in place and figuring out how they can improve upon that. For example, everyone has a computer with some type of anti-virus, and by doing that you are at least accomplishing being effective with one of the requirements. How sophisticated its firewalls are might depend on how big the organization is, but everyone pretty much has some type of firewall. They are already backing up their data, too. But when you specialize into different departments, that’s where you start to identify the gaps.

What’s most concerning for your clients today?

We do have small physician practices who are completely unaware of the requirements. In their minds HIPAA is still a privacy issue, so when you talk to them they think they are HIPAA-compliant because they have a form at the front of the medical office [for patients]. But what they don’t understand is that even after that form, you need to keep the information secure, too. A lot of physician practices are ignorant on the rules and requirements, and that creates concerns. So we spend time trying to educate the doctors or office administrators on the requirements and what they need to do, and that could become overwhelming for them.

As far as the bigger companies, they have more employees and an IT department, so educating the board and senior management about why you need to spend money is probably the biggest issue. So in both cases it is about education.

We are constantly reading about hackers, laptops being stolen, and ransomware, and all of these are huge issues, but not everyone deals with the same threats. It depends on their environment. A lot of people have a false sense of security—they think they are compliant because their laptop is encrypted, but they don’t have the BA agreements and don’t even know that they need them.

Looking beyond HIPAA and other requirements, true defense is much more than that, right?

Compliance doesn’t necessarily mean security; you could be in compliance with the rules, but that doesn’t mean your information is completely secure. You can have the policies in place, everyone trained, and have all of the things that might pass an audit, but you can still be exposed.

One of the rule’s requirements is that you need to perform a risk analysis of your health information, be it electronic or paper. Sometimes, and perhaps often, you don’t do a good assessment of that risk analysis, so you fill out the forms and you move on. We often identify that the risk assessment [that was performed] did not truly identify the threat, so you did not truly look at the controls you had in place or should have had in place.

One of the biggest issues we’re seeing out there is phishing—it’s the way ransomware is getting downloaded and the way we are getting hacked. We still see that people don’t have phishing training at all. We know what the biggest threat we have as an industry is, but we are not educating the people who click those links. And then you go back to the board and tell them that they need to spend money on training, and they look at you and ask why they need to spend on that since everyone already knows not to click [bad links]. That’s where the biggest disconnect is.

When you talk about smaller practices, how can they combat attackers without the resources that larger organizations have?

There is no better way to understand the risks than training. The physicians really need to understand what the risks are, and sometimes you need a consultant to help identify that. There have been a few times when we have gone to a physician office and the practice has one server where it keeps all of the sensitive data, and that data is being backed up externally to a different drive. But that’s it.

We understand that they can’t spend thousands of dollars to have the server outside of the office somewhere, but how about we at least lock that server so it can’t be stolen? If we are backing up to another source, are we making sure that information is at least being encrypted? These questions can be asked by someone who has the right expertise and who can give them the [best] advice. So I think going that route, hiring someone who understands security to help them, is the best solution. I will often see physicians spending money on XYZ firewall because their IT guy recommended it, but most of the time you don’t need that—you need to encrypt your backups instead.

In the wake of WannaCry, what impact could a global cyber attack of this nature have on U.S. healthcare organizations?

One of the biggest issues we see in healthcare is that we have old legacy systems from a Windows perspective. We still see medical devices using Windows XP. WannaCry is exploiting old configurations of old servers with old Windows software.

You hear all the time that cybersecurity will get worse before it gets better in healthcare. Do you agree with this?

We have not seen the biggest attack yet, even though we have seen a few really big ones in the last year. I think eventually we will see the Enron of data breaches in which you will see a systemic catastrophic impact on not just an industry, but an entire nation. And at that moment a different approach to cybersecurity will develop. We see oversight right now with people getting fined, and it’s a whole legal battle with consultants and lawyers, but we have not seen something that has created a systemic issue across a nation.



Six Lessons From Boston Children’s ‘Hacktivist’ Attack

October 17, 2018
by David Raths, Contributing Editor
CIO Daniel Nigrin, M.D., says hospitals must prepare for DDoS and ransomware

Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack.

Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016. 

According to the U.S. Department of Justice, Gottesfeld launched a massive DDoS attack against the computer network of Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet.

In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees. We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations — educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.”

He offered six lessons learned from Boston Children’s experience:


1. DDoS countermeasures are critical. No longer can healthcare organizations assume that DDoS attacks are things that only occur against corporate entities, he said. “Prior to this event, I had never thought about the need to protect our organization against a DDoS attack,” he said. “I will submit that the vast majority of my CIO colleagues were in the same boat. And that was wrong. I think now we have gotten this understanding.”

2. Know what depends on the internet. Having a really detailed understanding of what systems and processes in your organization depend on internet access is critical, Nigrin stressed. You also must have good mitigation strategies in place to know what to do if you lose internet access — whether it is because you have a network outage due to a technical issue or a malicious issue. “As healthcare has become more automated and dependent on technology, these things are crippling events. You have got to know how you are going to deal with it ahead of time. Figuring it out on the fly is not going to work.”

3. Recognize the importance of email. Email may be seen as old-school, Nigrin noted, but it is still the primary method to communicate, so you have to think about how you can communicate and get the word out in scenarios where you don’t have email or lose voice communication. “In our case, we were super-lucky because we had just deployed a secure texting platform, so we could do HIPAA-compliant texting, and when our email was down, that was how we communicated, and it was very effective,” he explained.

4. Push through security initiatives – no excuses anymore. Because he is a doctor himself, Nigrin feels OK picking on doctors about security. Historically they have always pushed back on security measures such as dual-factor authentication. He paraphrases them saying “Come on, Dan, that is an extra 10 seconds; I have to carry a secure ID, or you have to send me a text message on my phone. It is a pain. I don’t want to do it. I am the highest-paid employee in your organization and that is time better spent on something else.” But Nigrin argues that we can’t afford to think like that anymore. He used the Anonymous attack as an opportunity to push through four or five security initiatives within the next two to three months when he had everyone’s attention. “The platform was burning, and the board of trustees was willing to expend the money to pay for it all. They all of a sudden recognized the risk.”

5. Securing audio- and teleconference meetings. Nigrin said this topic wouldn’t have occurred to Boston Children’s until they were warned by the FBI. “The FBI told us about an attack that affected them when they were dealing with Anonymous. When Anonymous was attacking the FBI, the FBI convened internal conference calls on how to deal with it. Anonymous had already breached their messaging platform and intercepted the calendar invites that invited everyone to dial in. Anonymous basically was called into the meeting. Within 30 minutes of one of those meetings, the entire audio transcript of the conference call was posted to YouTube.” “So we took heed of that and made sure that when we had conference calls, we sent out PINs over our secure texting platform,” he said.

6. Separating signal from noise. During the attack, Boston Children’s set up a command center and told employees: if you see something, say something. “We didn’t know what attack was coming next. We were flying blind,” Nigrin said. “We started to get lots of calls into our command center with reports of things that seemed somewhat suspicious,” he remembers. People got calls on their cell phones with a recorded message saying, “Your bank account has been compromised. Press 1 to talk to someone to deal with it.” “Today we would recognize this as some type of phishing scam and hang up,” he said, “but at the time it was sort of new. People started calling us and we didn’t know if this was Anonymous trying to get into the bank accounts of our senior clinicians. Was it part of the attack? It was tough for us to detect signal from noise.”

In the Q&A after his presentation, listeners were curious about how much the incident cost the hospital. Nigrin said there were two big costs incurred: one was the technology it had to deploy in an emergent way to do DDoS protection and penetration testing; the other was revenue lost from philanthropic donations. Together they were close to $1 million.

Another person asked if the hospital had cyber insurance. Nigrin said they did, but when they read the fine print it said they were covered only if they were breached and technically they were never breached, so the insurance company was reluctant to pay. Although they eventually got compensated for a good share of it, the hospital also made sure to update its policy.

Still another attendee asked Nigrin if ransomware attacks were still targeting hospitals. He said they definitely were. “Think about community hospitals just squeaking by on their budgets,” he said. “They don’t have millions to spend, yet their data is valuable on the black market. Attackers recognize we are dead in the water as entities if we don't have these systems. We have important data and will do anything to get our systems back up and running.”

Nigrin said even large health systems can be vulnerable because some technology they deploy is run by third-party vendors who haven’t upgraded their systems. An example, he said, might be technology to record videos in the operating room setting. Some vendors, he said, are not accustomed to thinking about security. They are unable to update their software so it works on more modern operating systems. That leaves CIOs with a tough choice. “We can shut off the functionality or take the risk of continuing to use outdated and unpatched operating systems. Those vendors now have woken up and realize they have to pay more attention.”



Anthem Agrees to Record Payment—$16M—for Largest U.S. Health Data Breach

October 16, 2018
by Heather Landi, Associate Editor

Anthem, Inc., the second largest health insurance company in the U.S., has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violations in the largest U.S. health data breach in history.

In early 2015, Anthem, based in Indianapolis, was hit with a series of cyberattacks that led to an unprecedented health data breach that exposed the electronic protected health information (PHI) of almost 79 million people.

The $16 million settlement is a record HIPAA settlement that eclipses the previous high of $5.55 million paid to OCR in 2016, according to a press release from OCR. As part of the settlement, Anthem also agreed to take substantial corrective action.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

As reported by Healthcare Informatics on Feb. 5, 2015, the payer announced details of the breach late Wednesday (Feb. 4) in a letter from President and CEO Joseph R. Swedish. He said that Anthem was the target of a “very sophisticated external cyber attack.” The hackers gained access to current and former members’ names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, and income data. Anthem said that credit card and medical information, such as claims, test codes, and diagnostic codes, were not compromised.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks.

According to OCR, the agency’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

“In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014,” according to the OCR press release.

In the Healthcare Informatics story at the time of the breach, reported by Gabriel Perna, Anthem faced criticism from industry observers for its lack of encryption. Trent Telford, CEO of Reston, Va.-based Covata and a member of Anthem, said, at the time, that the company was irresponsible for not protecting the data.

“We do not know what they were after and we do not know what they plan to do with the data—what we do know is that they were after the data itself and it was left exposed and unsecured. The data was not encrypted making it a valuable target for thieves,” he said in a statement that was quoted in the story. “It is irresponsible for businesses not to encrypt the data. We have to assume the thieves are either in the house or are going to break in—they will always build a taller ladder to climb over your perimeter security - we must protect the data itself.”

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan can be accessed here.



Minnesota DHS Acknowledges Increase in Targeted Phishing Attacks

October 15, 2018
by Rajiv Leventhal, Managing Editor

Two phishing attacks on employees at the Minnesota Department of Human Services (DHS) resulted in the possible leakage of about 21,000 Minnesotans’ personal information.

The state health agency issued a notice last week that explained that, over the last several months, several phishing campaigns have targeted Minnesota’s executive agencies, including DHS. Two of these attacks were deemed “successful,” in that hackers—once in June and another time in July—were able to gain access to the state email accounts of two DHS employees, using these accounts to send out spam emails. The agency’s IT department didn’t find out about the attacks until August, officials said.

According to DHS, the two email accounts contained information about some people who have interacted with DHS, including the Minnesota citizens who were notified. Examples of the type of information found in the email accounts at the time they were compromised include: first and last names, dates of birth, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment records, and/or financial information, officials noted.

The agency did add in its notice, “We currently have no evidence that this information was actually viewed, downloaded, or misused.”

According to a report in the Minnesota Star Tribune, this is just the latest cyberattack on Minnesota’s state agencies, “which fend off about 3 million hacking attempts daily, state officials have said. In fact, attacks are increasing, said Aaron Call, the chief information security officer for Minnesota IT Services, which provides technology services to state executive agencies,” according to that report.

In fact, in just the past nine months, “more than 700 security incidents have been reported affecting state agencies, Call said, adding that the attacks are becoming ‘more pervasive and more sophisticated,’” according to the Star Tribune report.
