Cyber Attacks Increase as IT Security Budgeting Remains Static, Report Finds | Healthcare Informatics Magazine

Cyber Attacks Increase as IT Security Budgeting Remains Static, Report Finds

May 14, 2018
by Rajiv Leventhal

More than 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent have had more than five data breaches during the same timeframe, according to a recent report from Black Book Research.

And not only has the number of attacks increased, but more than 180 million records have also been stolen since 2015, affecting about one in every 12 healthcare consumers.

Black Book surveyed more than 2,400 security professionals from 680 provider organizations to identify the gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians the proverbial sitting ducks for data breaches and cyber attacks. The research revealed that 96 percent of IT professionals agreed with the sentiment that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.

According to the researchers, budget constraints have encumbered the practice of replacing legacy software and devices, leaving enterprises more susceptible to an attack. "It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue," said Doug Brown, founder of Black Book. According to 88 percent of hospital representatives surveyed, IT security budgets have remained level since 2016. As a percentage of IT organizational budgets, cybersecurity has decreased to about three percent of the total annual IT spend.

Despite the lack of earmarked funds by U.S. buyers, Black Book projects the global healthcare cybersecurity spend to exceed $65 billion cumulatively over the next five years.

The report found that about one-third of hospital executives who purchased cybersecurity solutions between 2016 and 2018 said they did so blindly, without much vision or discernment. Ninety-two percent of the data security product or service decisions since 2016 were made at the C-suite level and failed to include any users or affected department managers in the cybersecurity purchasing decision. Only four percent of organizations had a steering committee to evaluate the impact of the cybersecurity investment.

"The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data," said Brown. "Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet."

What's more, last year's Black Book cybersecurity survey revealed that 84 percent of hospitals were operating without a dedicated security executive. Unable to recruit a qualified healthcare chief information security officer (CISO), 21 percent of organizations opted for security outsourcing to partners and consultants, or selected security-as-a-service options, as a stop-gap measure.

Indeed, Black Book researchers attest that the shortage of healthcare cybersecurity professionals is forcing a rush to acquire services and outsourcing at a pace five times that of cybersecurity products and software solutions. And cybersecurity companies are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of services.

"The key place to start when choosing a cybersecurity vendor is to understand your threat landscape, understanding the type of services vendors offer and comparing that to your organization's risk framework to select your best-suited vendor," said Brown. "Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively."

Nonetheless, 60 percent of healthcare enterprises have not formally identified specific security objectives and requirements in a strategic and tactical plan. Meanwhile, 83 percent of healthcare organizations have not had a cybersecurity drill with an incident response process, despite the skyrocketing cases of data breaches in the healthcare industry.

And, just 12 percent of hospitals and 9 percent of physician organizations believe that a Q2 2019 assessment of their cybersecurity will show improvement. Twenty-three percent of provider organizations believe their cybersecurity position will worsen, as compared to three percent in other industries, according to the research.




Twelve States File First Multistate Healthcare Data Breach Lawsuit

December 5, 2018
by Heather Landi, Associate Editor

State Attorneys General from a dozen states filed a lawsuit Monday against several health IT companies, and their subsidiaries, alleging that poor security practices led to theft of protected health information (PHI) of 3.9 million individuals during a data security incident in 2015.

The 66-page complaint, filed in the U.S. District Court for the Northern District of Indiana, names four companies or subsidiaries, including Fort Wayne, Ind.-based Medical Informatics Engineering and NoMoreClipboard LLC. In the lawsuit, the state AGs allege that the companies failed to take “adequate and reasonable measures” to ensure their computer systems were protected.

Over several weeks in May 2015, hackers infiltrated and accessed the "inadequately protected computer systems" of the companies and were able to access and exfiltrate the electronic PHI of 3.9 million individuals, whose PHI was contained in electronic medical records stored in the companies' computer systems. The personal information obtained by the hackers included names, addresses and Social Security numbers, as well as health information such as lab results, health insurance policy information, diagnoses and medical conditions.

The lawsuit marks the first time state Attorneys General have joined together to pursue a HIPAA-related (Health Insurance Portability and Accountability Act) multistate data breach case in federal court, according to the Arizona Attorney General’s office. The lawsuit was filed by attorneys general from Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

According to a media report from azcentral.com, Arizonans were among those affected when hackers infiltrated WebChart, a web application operated by Indiana-based Medical Informatics Engineering Inc. and NoMoreClipboard (collectively known as MIE).

The 12 state AGs allege that the companies “failed to take reasonably available steps to prevent the breaches,” and “failed to disclose material facts regarding the inadequacy of their computer systems and security procedures to properly safeguard patients’ PHI, failed to honor their promises and representations that patients’ PHI would be protected, and failed to provide timely and adequate notice of the incident, which caused significant harm to consumers across the U.S,” according to the complaint.

Further, the companies' actions resulted in violations of state consumer protection, data breach and personal information protection laws, as well as of the federal Health Insurance Portability and Accountability Act (HIPAA) statutes, the lawsuit states.

In July 2015, MIE issued a statement acknowledging the data breach, classifying it as a “data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record.” The company also referred to it as a “sophisticated cyber attack.”

The company said that on May 26, 2015 it discovered suspicious activity in one of its servers. “We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement's investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data,” the company said in a statement three years ago.

At the time, the company said it was continuing to take steps to remediate and enhance the security of its systems. “Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset,” the company said.

In a statement, Arizona Attorney General Mark Brnovich said the 12 AGs allege MIE is liable because, among other things, “it failed to implement basic industry-accepted data-security measures to protect ePHI from unauthorized access; did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within its system; had an inadequate and ineffective response to the breach; and failed to encrypt the sensitive personal information and ePHI within its computer systems, despite representations to the contrary in its privacy policy.”

Minnesota Attorney General Lori Swanson said in a news release, “Patients expect health companies to protect the privacy of their electronic health records. This company did not do so.”

The lawsuit says the states are seeking unspecified statutory damages and civil penalties.


Top Three 2019 Healthcare Cybersecurity Trends

December 3, 2018
by Christian Aboujaoude, Industry Voice, Senior Director Enterprise Architecture, Scripps Health
There are non-complex strategies that can be easily implemented that can help keep data secure

In recent months, the healthcare industry has been the number one target of cyberattacks, exposing tens of millions of customers’ identities around the world, costing more than $1 billion USD in losses.

Executives from the National Association of County and City Health Officials say that healthcare breaches can cost up to $400 a patient, and yet only 33 percent of the industry has taken the preventative measure of protecting themselves properly. With billions of people across the world entrusting healthcare organizations to protect their identities, and these same organizations relying on their critical infrastructure to secure it all, it becomes crucial not just to have the right cybersecurity solution in place to stop an attack before it has a catastrophic impact, but to ensure they are able to prevent future ones from ever happening.

My provider organization, the San Diego-based Scripps Health, takes cybersecurity seriously, and has for many years. In 2013, we determined to take an identity-first approach to protecting both internal and external data, and engaged with firms such as SecureAuth to pioneer an identity solution that would protect both internal and external data according to our unique needs. Today, we continue to evolve our solution to keep up with emerging threats, and to stay ahead of threat trends and attackers.

Below are some of the biggest cybersecurity threat trends facing the healthcare industry for 2019, and some recommendations to combat them.

The growing trend of blurring lines between personal and business activities online

We are starting to see a kind of "blurring of the lines" between personal activity on the Internet and the activities that are done from a business perspective. For example, people often use their work email address for personal things, and/or they don't know how to disable certain device tracking settings, such as cookies, that track their every move. Unfortunately, they don't believe that it's actually a problem, when indeed it is. It's like leaving the door open for people with malicious intent to send phishing emails so targeted that it's often hard to decipher what's real.

Even more sophisticated, very targeted phishing attacks

According to one 2018 study, mobile device phishing attacks are up 85 percent, year-over-year, since 2011, and the reason has to do with the increasing amount of data collected by every site and app visited on your mobile device.

The easiest way to see this is to go on your phone and do a search on the Internet; within a couple of hours, when you go onto Facebook or Instagram, for example, you'll notice that all of a sudden you have targeted marketing in your feed based on your previous search. That data from your search is also sent to other organizations, which means many of the things people do online are no longer private, leaving you open to a very targeted phishing attack.

To try to prevent these emails from getting through, we're constantly improving the environment by adding triggers that flag for our users whether a message should be trusted or not.

The continual rapid rise of identity theft

2017 saw an unprecedented number of identities stolen, to the tune of 158 million Social Security numbers and 16.5 million credit card numbers, and 27 percent of those thefts belonged to the healthcare industry, according to Experian's latest identity theft statistics. It's the continual rise of these thefts that has prompted us to think outside of the box, and into the future, on how to protect patients and employees.

We need to create an external identity and an internal identity, and what I mean by that is that we need the external world to see us one way (our presence on the Internet), while the internal systems need to have a mask of sorts, like a VPN, to prevent attackers from being able to monitor activity. From a cloud perspective, it's imperative to use a service proxy from an identity provider to authenticate back and forth.

We use biometrics to ensure that the user taking an action is the one who is supposed to be taking it. We also lock down access to certain websites so that they can only be reached from an internal IP range, rather than being open to the Internet all the time. Taking these measures reduces the amount of exposure that attackers have from an outside perspective.

What’s more, here are some things that are easily implemented that can help keep data secure:

Continuous education

At Scripps Health, we implemented a mandatory, continuous education program for employees that helps them to understand how their personal actions on business devices, emails, and so forth, can have a detrimental effect on the organization.

It all starts with humans, and whether intentionally or unintentionally, we all make mistakes. Thus, we are working to reduce these behaviors while avoiding the creation of a negative and overly complex experience for our employees. From a user perspective, security is attached to everything we do. We aren't always aware of that, and we need to be. From an IT perspective, it's about understanding the business process in order to build the right cybersecurity framework.

Continuous evolution

While education is a significant preventative measure, the evolution of the environment to account for future new kinds of attacks is even greater.

Most people have not spent a lot of time thinking about how they change their environment, how they change their actions, and how they leverage a Security Operations Center (SOC), and in my opinion that needs to change significantly. I really like to implement processes that we can leverage and expand on. It's vital to the health of our infrastructure.

Having the right tools in place

To continue to protect the environment, we have made a significant investment in the tools we use to keep our infrastructure safe.

We believe that having the right tools in place reduces negativity and complexity in our environment. In fact, I don't subscribe to the opinion that you need complexity to have security. The more complex your infrastructure is, the more exposed you are.



Atrium Health’s Billing Vendor Hacked, 2.65M Patients Affected

November 28, 2018
by Rajiv Leventhal, Managing Editor

The personal health data of more than 2 million Atrium Health patients has been compromised following a hack on the organization’s third-party billing vendor, AccuDoc.

According to a joint news release from Atrium Health, formerly Carolinas HealthCare System headquartered in Charlotte, and the billing vendor AccuDoc, an unauthorized third party gained access to AccuDoc’s databases sometime between September 22 and September 29. Importantly, noted officials, forensic investigations indicated that the information was not removed from AccuDoc’s systems.

According to officials, the databases accessed by the unauthorized third party contained information provided in connection with payment for healthcare services at an Atrium Health location, and at locations managed by Atrium Health, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC (New Hanover Regional Medical Center) Physician Group, Scotland Physicians Network and St. Luke’s Physician Network.

Information that may have been accessed includes certain personal information about patients and guarantors, such as first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, dates of service and, in some instances, Social Security numbers.

Officials did note that since Atrium Health’s core systems and those of its managed locations are separate from AccuDoc’s systems and were not involved in this incident, personal clinical and medical records were not involved, nor was financial account information, such as bank account numbers or credit card or debit card information.

According to an Atrium Health spokesperson, “The exact number [of affected records] is hard to pinpoint, but based on our investigation it looks like the unauthorized user gained access to databases that had about 2.65 million records. Of the 2.65 million, it appears around 700,000 included Social Security numbers. It is very important to understand that the data was accessed but not downloaded in this incident. Our forensics reports indicate they were not able to actually download or remove the files.”

However, according to a report in the Charlotte Observer, AccuDoc general counsel Kenneth Perkins did not rule out that more patients might be affected than the number disclosed, adding that “it’s highly unlikely the number will grow. That’s because the current figures are based on entire databases of patients out of an abundance of caution,” he said, according to that report. The story also noted that one other AccuDoc client, Baylor Medical Center at Frisco in Texas, was affected by the hack. Data for about 40,000 people were impacted at that hospital.

Atrium Health operates 44 hospitals across North Carolina, South Carolina and Georgia, and is the largest healthcare provider and employer in Charlotte. AccuDoc is a Morrisville, N.C.-based company that provides billing and other services for healthcare providers.

Currently, AccuDoc and Atrium Health are contacting patients and guarantors whose information was in the affected databases “out of an abundance of caution,” officials said.
