Report: Healthcare Industry Workers Lack Basic Cybersecurity Awareness | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Report: Healthcare Industry Workers Lack Basic Cybersecurity Awareness

November 1, 2016
by Heather Landi
| Reprints
Click To View Gallery

While it’s known that the healthcare industry is being targeted by hackers, a new report finds that the industry is lacking in basic security awareness among staff with a heightened risk of attacks through social engineering, according to an analysis by SecurityScorecard.

Essentially, healthcare employees are the "low-hanging fruit" for social engineering attacks, the report authors say.

The "2016 Healthcare Industry Cybersecurity Report” from SecurityScorecard, a security rating and continuous risk monitoring platform, highlights troubling cybersecurity vulnerabilities across the healthcare industry. What’s more, according to the analysis, security breaches in the healthcare industry pose devastating consequences because they can render an entire system or network inoperable, creating a life or death situation that needs immediate attention.

The report findings reveal that healthcare is the 5th highest in ransomware counts among all industries, and more than 77 percent of the entire healthcare industry has been infected with malware since August 2015.

From August 2015 to August 2016, SecurityScorecard analyzed the security ratings of over 700 organizations in the healthcare industry, finding the most prevalent security weaknesses among health treatment centers, insurance providers, manufacturers, and hospitals. Researchers also took a deep dive into the 27 biggest hospitals, measured by number of beds, the 10 largest health insurance providers measured by revenue and looked at common connections between 22 major publicized data breaches and ransomware infections detected in its platform.

Some key findings from the report include:

88 percent of all healthcare manufacturers have had malware infections

96 percent of all ransomware affecting the healthcare industry targeted medical treatment centers

Healthcare ranks 15th out of 18th in social engineering among all industries, suggesting a security awareness problem among personnel and staff

40 percent of breached companies had a C or lower in network security at the time of breach

63 percent of the 27 biggest U.S. hospitals have a C or lower in patching cadence, which measures an organization's ability to implement security software patches in a timely fashion

More than 50 percent of the healthcare industry has a network security score of a C or lower

Healthcare ranks 9th in overall security rating compared to all other industries

Ransomware and breaches are affecting the healthcare industry at an increasingly alarming rate with 22 major public breaches occurring since August 2015, according to the report. Earlier this year, Hollywood Presbyterian Medical Center paid $17,000 as a result of ransomware after losing access to patient records for 10 days. In March 2016, 21st Century Oncology suffered a data breach that led to a loss of 2.2 million patient records and a $57 million class-action lawsuit. Overall, breached healthcare companies still struggle with security post-breach, the report found.

The report authors noted that the healthcare industry is facing a number of security pressures from multiple side. “Hackers are shifting attack methods and specifically targeting the healthcare industry with ransomware and regulatory bodies are increasing their attention levied on these organizations. Internally, the healthcare industry, as we’ve seen, is struggling with security awareness and training and the new innovations, adopted technologies, and connected devices are only adding to the challenge of securing internal and patient data.”

However, social engineering is a factor that stuck out as being particularly low-performing within healthcare.

The report authors wrote, “While a hospital’s IT department may be up to date and proficient at security standards such as DNS health and endpoint security, employees such as medical personnel, administrative professionals, among others, within a healthcare organization may not necessarily prioritize information security. The low Social Engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient and this poses a real risk to those organizations. Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks.”

For the analysis, researchers compared low security factor scores and looked at the distribution of C’s or lower across the healthcare industry compared to all other industries. In social engineering, the healthcare industry has 182 percent as many organizations with a C or lower.

And, healthcare companies still struggle with security post-breach. The analysis also found that, in August 2016, past-breached healthcare companies still have 242 percent as many C’s or lower scores in social engineering compared to non-breached companies.

Another risk is the array of devices with wireless capabilities such as Internet of Things (IoT) devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their speedy delivery and implementation has resulted in subpar security setups.

“As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn't only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device. If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization's primary network," Alex Heid, chief research officer at SecurityScorecard, said in a statement.

The report authors conclude that there are a number of different options a healthcare facility can take when it comes to improving security awareness across the entire organization.

“Organizations can employ security awareness training companies to come in and train staff but it’s important to note that this training needs to take into account HIPAA regulations, ethics standards, and the different departments and positions involved. Training should differ depending on whether a staff member is part of operations, a medical practitioner, a visiting professional, or if they’re interacting with patients and patient’s data,” the report authors stated. Additionally, organizations can also implement ongoing security awareness processes that can continuously provide support for existing and new employees.

The report authors summarized that healthcare’s overall weak points are on Network Security, IP reputation, and Patching Cadence, “which are all signs of a large infrastructure that isn’t keeping up with the increase in devices, connections, and applications that make up an organization’s networks.”

“For hospitals and major healthcare treatment centers, the security department should be proactive and make sure that their networks are segmented to account for IoT security and that their connected devices no longer have their default security settings in place. Major insurance companies should be properly assessing their third party security and assessing the security of any potential M&A targets,” the report authors wrote.

 

2018 Raleigh Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

September 27 - 28, 2018 | Raleigh


/news-item/cybersecurity/report-healthcare-employees-are-low-hanging-fruit-social-engineering-attacks
/news-item/cybersecurity/hipaa-settlements-three-boston-hospitals-pay-1m-fines-boston-med-filming

HIPAA Settlements: Three Boston Hospitals Pay $1M in Fines for “Boston Med” Filming

September 20, 2018
by Heather Landi, Associate Editor
| Reprints

Three Boston hospitals that allowed film crews to film “Boston Med” on premises have settled with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

According to OCR, the three hospitals—Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH)—compromised the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film “Boston Med,” an ABC television network documentary series, without first obtaining authorization from patients.

OCR reached separate settlements with the three hospitals, and, collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations due to the unauthorized disclosure of patients’ PHI.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” Roger Severino, OCR director, said in a statement. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Of the total fines, BMC paid OCR $100,000, BWH paid $384,000, and MGH paid $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media, according to OCR. Boston Medical Center's resolution agreement can be accessed here; Brigham and Women’s Hospital's resolution agreement can be found here; and Massachusetts General Hospital's agreement can be found here.

This is actually the second time a hospital has been fined by OCR as the result of allowing a film crew on premise to film a TV series, with the first HIPAA fine also involving the filming of an ABC medical documentary television series. As reported by Healthcare Informatics, In April 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to settle potential HIPAA violations in association with the filming of “NY Med.”

According to OCR announcement about the settlement with NYP, the hospital, based in Manhattan, violated HIPAA rules for the “egregious disclosure of two patients’ PHI to film crews and staff during the filming of 'NY Med,' an ABC television series.” OCR also stated the NYP did not first obtain authorization from the patients. “In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.”

The OCR director at the time, Jocelyn Samuels, said in a statement, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.” 

OCR’s guidance on disclosures to film and media can be found here.

More From Healthcare Informatics

/news-item/cybersecurity/independence-blue-cross-notifies-17k-patients-breach

Independence Blue Cross Notifies 17K Patients of Breach

September 19, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

The Philadelphia-based health insurer Independence Blue Cross is notifying about 17,000 of its members that some of their protected health information (PHI) has been exposed online and has potentially been accessed by unauthorized individuals.

According to an article in HIPAA Journal, Independence Blue Cross said that its privacy office was informed about the exposed information on July 19 and then immediately launched an investigation.

The insurer said that an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23. The file remained accessible until July 20 when it was removed from the website.

According to the report, the information contained in the file was limited, and no financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed, HIPAA Journal reported.

The investigators were not able to determine whether any unauthorized individuals accessed the file during the time it was on the website, and no reports have been received to date to suggest any protected health information has been misused.

A statement from the health insurer noted that the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1 percent of total plan members were affected by the breach.

Related Insights For: Cybersecurity

/news-item/cybersecurity/report-healthcare-lags-other-industries-phishing-resiliency

Report: Healthcare Lags Other Industries in Phishing Resiliency

September 19, 2018
by Heather Landi, Associate Editor
| Reprints
Click To View Gallery

It’s no secret that the healthcare industry continues to be a target for cyber criminals and healthcare organization leaders face constantly evolving cyber threats. It's widely konwn that phishing attacks are a serious problem in the healthcare industry, yet the industry continue to lag behind other industries in its resiliency to phishing attacks, according to a recent report.

In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) which affected a total of 5.579 million patient records. A Verizon 2018 Data Breach Investigations Report (DBIR) released in April found that the human factor continues to be a key weakness in data breaches. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated—with email continuing to be the main entry point (96 percent of cases). And, that report found that while, on average, 78 percent of people did not fail a phishing test last year, 4 percent of people do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.

In a recently released report, Cofense, a security software services company, specifically examined phishing attacks in healthcare. Cofense’s analysis is based on more than 160 sample healthcare clients over the last year (September 2017-2018) and the report explores how phishing endangers healthcare providers and provides steps organizations should be taking to boost their resiliency rate.

The report researchers examined healthcare’ resiliency to phishing attacks. Resiliency is the ratio between users who report a phish versus those who fall susceptible, according to the report. While resiliency in healthcare has improved in the past three years—from a rate of 1.05 in 2015 to a rate of 1.49 in 2018, so far—but it doesn’t mark dramatic improvement.

Based on a resiliency analysis across industries of the last 12 months, the healthcare industry clearly trails behind other industries in its phishing attack resiliency rate, as the average resiliency score for all industries was 1.79, according to the report.

The energy industry had a resiliency rate of 4.01, the financial services industry had a rate of 2.52, and the insurance industry had a rate of 3.03. The report’s researches surmise that one possible reason resiliency is higher in insurance versus healthcare is that insurance is tied to financial services, which is frequently attacked as well as heavily regulated.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report authors wrote.

One factor that surely inhibits the industry’s resiliency is high turnover, according to the report. “With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report states.

Cofense builds and tracks phishing simulations for its customers in which users receive simulated phishes. Based on the company’s analysis of these phishing exercises, the top five phishing scenarios that healthcare workers most frequently clicked on, based on the email subject line, were requested invoice, manager evaluation, package delivery, Halloween eCard alert and beneficiary change.

The next five were Holiday eCard alert, HSA customer service email, employee raffle, file from scanner and Halloween costume guidelines.

“These wide-ranging scenarios show that vulnerability is spread across business and social contexts,” the report authors wrote. The analysis indicates low scores in Requested Invoice and e-Card simulations alike. “While some would argue that an e-Card would never evade their secure email gateways, remember the gaps created by BYOD (bring your own device). Not everyone is on the corporate network and protected by its email systems. When personal devices are exposed, a breach can easily ensue,” the report authors wrote.

The Cofense report also notes that phishing attackers are masters at pulling emotional levers, as “Requested Invoice” plays on urgency, and “Manager Evaluation” taps into urgency too, tinged with fear. What’s more, “Employee Raffle” is purely about the desire for reward. “These are scenarios any healthcare company will want to use in conditioning employees to be careful and not take the bait.

In previous years, Cofense reported that fear, urgency, and curiosity were the top emotional motivators behind successful attacks. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition,” the report authors wrote.

The trend shows that as Internet behavior changes, so do phishing attacks, according to the report authors. And the report authors note that any active threats that a company faces is fodder for training. Security professionals who manage phishing awareness programs should ask their incident responders or threat intelligence analysts which active phishing threats should be simulated, according to the report.

“To guard against the phishing onslaught, healthcare providers would be smart to create an end-to-end defense, following the lead of the company featured in the case study. A collaborative defense, built with technology and skilled humans, both users and security professionals, is the best way to lower risk,” the report authors wrote.

See more on Cybersecurity