Industry experts are agreed: most of the issues that have risen to the top of the list when it comes to IT security threats facing U.S. patient care organizations in the past year or so haven’t really changed; they’ve only intensified.
To illustrate just how difficult and confounding things have become, Healthcare Informatics reported in June that, according to a June 26 article posted by the news site DeepDotWeb, “A hacker claims to have 655,000 patient records allegedly obtained by hacking into three separate healthcare databases, and is attempting to sell those patient records on the dark web marketplace. According to the DeepDotWeb article… the hacker communicated with the site’s writers via an encrypted conversation,” Healthcare Informatics Assistant Editor Heather Landi noted in an article published online on June 28. “While it has not been verified whether any healthcare organizations have actually been hacked, the hacker provided the media site with images of the database hack from their internal network. The screenshot photos show healthcare databases that expose sensitive patient information, including full names, addresses, date of birth, social security numbers and other information…” What’s more, “The hacker claims to have three separate healthcare databases from healthcare organizations in Farmington, Missouri, an undisclosed location in Central/Midwest U.S. and one in Georgia, and is allegedly selling the databases on a dark web marketplace.”
Such developments can only add to the accelerating level of concern among healthcare IT leaders and industry experts, as ransomware, all types of malware, and other threats are posing a constant menace to patient care organizations and to patient data. Recent surveys on data security continue to affirm what everyone in U.S. healthcare already knows—patient care organizations are under assault as never before from cyber-criminals, with cyber-criminality having risen in the past few years to an unprecedented level of crescendo, overshadowing all other types of data and IT security threats.
Those with the title of chief information security officer (CISO) in patient care organizations are well aware of the scope of the threats. For example, when asked what the top data and IT security threats he faces are, Howard Haile, vice president and CISO at SCL Health, a multi-hospital health system based in Denver, says, “For me, the two things we’ve been dealing with the most are outsider threats attacking our users, gaining access to our network and data; and the other is the risks related to old legacy systems, such as medical devices that reside on the network. And there are a lot of them; there are way too many legacy devices and other systems dependent on older systems.”
And Fernando Blanco Dopazo, vice president and CISO at the 60-hospital CHRISTUS Health, based in Irving, Tex., says, “I see three major issues right now. The first one is reducing risks of external threats. That involves the basic blocking and tackling of protecting the organization. This is something that in my opinion the healthcare industry hasn’t done well in the past, and is something we’re working on now. The second thing is related to compliance. We have different initiatives we need to comply with, including HIPAA, and including external audits, which are increasing. And the third one is what we call building the resilient organization. It’s not ‘if’ you get compromised, but when. So it’s preparing for incidents. That’s a very important third pillar that we’re working on.”
Fernando Blanco Dopazo
Industry experts concur. Certainly, ransomware is "one of the top issues,” says John Peterson, a manager in The Chartis Group, a Chicago-based consulting firm. “And in terms of what CIOs and CISOs should be concerned about, the core topic isn't the data breach; it’s about securing their environment,” says the Albany, N.Y.-based Peterson. “Because it’s not if they’ll experience a data breach, it’s when,” he says, echoing Blanco’s statement. “You think of huge companies like Sony Pictures or Target, that shouldn’t be breached, but are. There are internal threats, and external threats. And Experian, the credit agency, puts out a report periodically; and in a recent report, the Experian people identified that 81 percent of all security events in 2014 were caused by employee negligence,” most commonly loss of user credentials—ID and passwords.
The issues are definitely multi-dimensional, and “They break down into different categories,” adds Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm. “One of the biggest concerns I hear CIOs express is that they’re deathly afraid of that cyberattack that either ends up being a massive breach of millions of records, or takes their hospital offline, where they are publicly embarrassed because they can’t provide services,” McMillan says. “I’ve had CIOs say to me, I’ve worked really hard to build my career as a CIO; I don’t want a cyber-attack to destroy my career. So I think it’s that bit cyber-attack that they all know is possible, and they don’t know that they’re ready for.”
Levels of Vulnerability
Given all these threats, what are the levels of vulnerability that CIOs, CISOs and other healthcare IT leaders need to consider right now?
“When we talk about a data protection perspective, there are two issues intrinsically involved,” says CynergisTek’s McMillan. “Number one, do I have the right architecture and technology in my environment to help protect me? And number two, am I capable of doing the things that I need to do, to make my environment more resilient? When you know that 90 percent of the breaches that have occurred, have occurred not because of some sophisticated attack, but because of something that wasn’t fixed, like a patch that wasn’t done, you realize that you have to ask, why is it that we’re not patching as frequently as we need to or not hardening systems as much as we should?”
In other words, McMillan says, those responsible for data security in patient care organizations are “off-tempo: they’ve got so many demands on them. It’s like, when you’re really busy in your life, how often do you clean your house? And you walk in one way and the sun is shining on your coffee table, and you say, oh, shoot, I need to dust. And we all know we need to dust regularly. And that’s the same thing with the network: we all know that we need to patch, need to harden, need to test, on a regular basis. But when we’re so busy, it’s hard to do that.”
Related to all this is the “very big issue” of resources, McMillan continues. “It’s not just the resources to maintain the proper hygiene in the environment, but the fact that this industry is desperate for qualitied IT security people. That’s an issue they’re facing. So when you break that protection piece down, there are two issues: one is having the time and resources to manage the environment; and the other is making the investment in the security technologies today. Do we have intrusion detection systems, advanced malware detection? The list goes on and on. But the point is, have we invested in the technologies that we need today to fight the cyber battle from a protection perspective” Our architecture in our IT system needs to be as resilient as it possibly can be. In short,” he says, “we must make investment in technology, and in the resources and time to handle the hygiene issue.”
There is another element here, though, that is often overlooked, McMillan says. “The next phase of this challenge is really the detection phase, knowing when I’m being attacked: do I have the right level of visibility into what’s going on in my environment? And a lot of CIOs acknowledge that they don’t know what’s going on in their environment. Someone gets in there and is in there for three months, six months, nine months, before they’re detected. And a lot of our hospitals are now beginning to wake up and realize that they don’t have the capability or the expertise, or the people, to really monitor what’s going on their environment in a proactive fashion.”
Auditing, Backup Seen as Very Important
The Chartis Group’s Peterson agrees that auditing of data patterns, and behavioral monitoring, can be helpful. “Absolutely they can be,” he says. “I’m working with an organization where we’re implementing this, in terms of behavioral patterns in the EMR, and we produced a report, and created alerts per the criteria. It also turned out to be a very valuable tool for doing not only regular auditing, but also for any investigations that may come up.” Meanwhile, regular backup remains extremely important, too. In that regard, Peterson says, “As far as backup is concerned, there are different ways to do it. Organizations can do backups daily. Sometimes, they’re incremental backups, sometimes full backups, depending on how much data they have, and how much storage they have. And where they put those backups—sometimes in ransomware situations, it turns out that the backup files have become encrypted as well. So it’s best practice not to keep your backup files on the same network as your live files. And whether that’s in cloud. The key thing is not to keep that in the same location. And also with regard to the credentials of who has access to this. You don’t want a lot of users have access to all that data; it has to be limited.”
In the end, what everyone interviewed for this article agrees on is that the data security threats are only going to continue to intensify, and that CIOs, CISOs and other healthcare IT leaders can never expect a letup. It’s a new world now, says George McCulloch, executive vice president for membership and professional development at the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), and “What keeps everyone awake at night is the constant threats and intrusions that occur.” Patient care organizations “are getting hammered thousands and thousands of times a day,” he emphasizes. “It’s continuous, it’s worldwide, and the threats keep on changing. And so it’s just a constant drumbeat of, OK, something else is going to happen today, somebody else is after me. That’s what worries everybody is, I could be the next victim. And what haven’t I protected that I’ve could protect? It’s like being at war every hour of the day; there’s no break.”