A data breach in the healthcare industry not only has financial and reputational effects on the company targeted by the threat actors, but the effects could be dramatic for the patients due to the nature of the data disclosed. Individuals’ identity could be stolen directly from hospitals, healthcare insurance companies, and from any system that manages medical records. The cybersecurity company Redspin has published the report “BREACH REPORT 2013” which states that nearly 30 million Americans have had their personal health information breached or accidentally disclosed since 2009. In 2013, the number of major data breaches of medical records, also called protected health information (PHI), was 804, affecting over 29.2 million patient records. The figures are not surprising if we consider the migration process from paper-based files to electronic health records (EHR) that has occurred in recent years. A growing number of healthcare institutions have adopted health records systems, a move encouraged by the government and made attractive by several advantages for the adoption of such systems. The number of EHR systems has more than tripled in the last 5 years, but the growth of electronic health records systems was not supported by a similar evolution under the cyber security perspective. According to the study “Ponemon Report on Patient Privacy & Data Security” published in March 2014 by the Ponemon Institute, cybercriminal attacks on healthcare organizations have doubled in the past three years. According to the experts, medical identities are precious commodities on the black market, more valuable than financial identities. “A financial identity can be worth $5 to $10 if you have all the info. A medical identity can be five to 10 times that amount just because how easy it is to monetize that information once the bad guys get it,” revealed Robert Gregg, chief executive of ID Experts, a cybersecurity firm that sponsored the Ponemon Institute survey.
Figure 1 – Redspin – “BREACH REPORT 2013” Key findings
Major healthcare data breaches in 2013
Analyzing the results of the investigations conducted on healthcare data breaches during 2013, it is possible to note that the most common cause of incidents has been the theft or loss of unencrypted portable computing devices (e.g. laptops), mobile devices, and digital media containing PHI.
Figure 2 – Redspin – “BREACH REPORT 2013” PHI Data Breaches by Type Mobile devices in the workplaces and their casual use, often not regulated, has increased the surface of attack for the healthcare industry, exacerbating security risks. In the US in 2013, there occurred 199 major healthcare data breaches, exposing over 7 million PHI records. The total amount of records increased by 137% compared to 2012. The five largest healthcare data breaches in 2013 covered 85.4% of the exposed records reported for the year. The top three were caused by theft of desktop and laptop computers. Going into the details of the incident, we can verify that the greatest incident occurred at Advocate Health and Hospitals (dba Advocate Medical Group), where four desktops containing over 4 million records were stolen from an office. In the case of the Horizon Healthcare Services (dba Horizon Blue Cross Blue Shield of New Jersey), two unencrypted laptops were stolen from the company’s offices. The devices contained a huge quantity of unprotected personal data, potentially including social security numbers. At AHMC Healthcare, two password-protected but unencrypted laptops were stolen from their offices, exposing data of about 729,000 patients.
Figure 3 – Redspin – “BREACH REPORT 2013” Largest PHI Breaches Cyber thieves appear mainly interested in billing and insurance records because they usually contain valuable data, including personal information like Social Security numbers and addresses and credit card info. But cyber criminals aren’t unique threat actors interested in electronic health records. In many cases, insiders were responsible for the data breach. For this reason, it is crucial that organizations establish effective policies and implement controls and technical safeguards to prevent incidents.
The FBI is warning the healthcare industry
Law enforcement is aware of the increase of the number of attacks targeting the healthcare industry, and investigators believe that trend will continue in the next years due to the lack of security of the majority of medical systems. The FBI has recently released a warning to the companies and organizations operating in the healthcare industry. The Bureau is alerting on potential cyber attacks after the data breach of the U.S. hospital group Community Health Systems Inc that caused the theft of millions of patient records. “The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII),” “These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data,” stated the FBI in a document obtained by Reuters agency. Community Health is the second U.S. publicly traded hospital operator. In August, the company announced that a major cyber attack hit its systems. Threat actors stole data including patient names, Social Security numbers, addresses and birth dates. Although the company hasn’t provided details on the attack, rumors says that hackers exploited a piece of networking equipment hosted on its network and that had not been patched to fix the “Heartbleed” vulnerability. If confirmed, the attack is the first major case officially disclosed in which bad actors exploited the Heartbleed flaw. According to David Kennedy, chief executive of TrustedSec LLC, the attackers have exploited a bug in a piece of Juniper Networks Inc equipment to obtain employee credentials and access the company’s network. Recent data in the investigation shows that the hospital operator’s network had been plagued by malware infections for months. Of the 12,500 IP addresses associated with the CHS network, 10 were linked to malicious bots, such as Kelihos, Asprox, Gameover Zeus and Conficker, as explained by Jason Lewis, chief intelligence and collections officer at Lookingglass, in a blog post. But patches for Conficker were available since 2008, indicating that CHS machines wereunpatched. The bots performed SQL injection attacks, data exfiltration, click fraud and banking credential theft from targeted PCs. The alert issued by the FBI to the healthcare industry doesn’t provide the names of the businesses targeted by cyber attacks and the law enforcement hasn’t released any further comment on the document. The FBI and Department of Homeland Security have already issued similar alerts to the businesses operating in the healthcare industry. In April 2014 it issued another warning on the low level of security offered by solutions used by the companies in the sector. Security experts believe that many other similar cases could be observed in the next few months. The alert issued by the authorities must be seriously considered in order to avoid dangerous consequences.
The case: Community Health says Chinese hackers behind the attack
The attack against Common Health is the largest theft of electronic health records since a US Department of Health and Human Services website started monitoring data breaches in 2009. The results of the first investigation on the attack reveals that the hacking group responsible for the data theft is operating from China and may be linked the Chinese government. As revealed by experts at FireEye, the group “APT 18” already targeted companies in different industries, including aerospace and defense, construction and engineering, technology, and financial services. “They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of times without getting detected,” said Charles Carmakal, managing director with FireEye Inc’s – Mandiant forensics unit, which led the investigation of the attack on Community Health in April and June. The data stolen from Community Health includes patient names, addresses, birth dates, telephone numbers and Social Security numbers of patients of medical staff affiliated with the hospital group in the last five years. The information doesn’t include medical or clinical information, nor credit card data. This is the first time security experts had seen a Chinese ATP group targeting healthcare industry. The “APT 18” has been tracked by experts at Mandiant during the last four years. Meanwhile FireEye hasn’t confirmed the link between ATP 18 and the Chinese government. Cybersecurity firm CrowdStrike, which has also been monitoring “APT 18”, revealed it believes the group is state-sponsored. “They are of above average skill” among Chinese hackers, said CrowdStrike Chief Technology Officer Dmitri Alperovitch. Community Health announced that it has removed malware which infected its systems and the company is now notifying patients and regulatory agencies.
Healthcare industry still too vulnerable, IoT and mobile
The greatest threat to the security of the healthcare industry is the total lack of awareness of principal cyber threats. The sector discovered itself vulnerable after a series of clamorous data breaches and today, with a worrying frequency, the experts observed attacks against the companies operating in the healthcare industry. Earlier this year, the SANS Institute released a report that analyzed the weaknesses of the healthcare industry, revealing that it is “poorly protected and ill-equipped” to mitigate the latest cybersecurity threats. SANS analyzed almost 50,000 events captured between September 2012 and October 2013. The report was filled with data collected by the organization through the Norse threat intelligence infrastructure, which is a global network of sensors and honeypots that process and analyze over 100 terabytes of traffic daily. The data collected included:
49,917 unique malicious events 723 unique malicious source IP addresses 375 US-based compromised health care-related organizations
Nearly a third of the victims represents small providers, while the rest includes pharmaceutical companies, clearinghouses and health plans. The most alarming discovery is that many of the organizations were compromised, resulting in benig out of compliance for months. In this period the IT staff of the affected companies has never detected any evidence of attacks on their systems. Analyzing the malicious IP traffic that originated from them, it is possible to classify it in the following categories:
Health care providers—72.0% of malicious traffic Health care business associates—9.9% of malicious traffic Health plans—6.1% of malicious traffic Health care clearinghouses—0.5% of malicious traffic Pharmaceutical—2.9% of malicious traffic Other related health care entities—8.5% of malicious traffic
The introduction of the Internet of things in the healthcare industry has revolutionized the sector, improving the efficiency of the medical science, but the lack of security by design has contributed in a significant way to expose the sector to cyber threats. According to SANS, medical devices and applications were the principal cause for emitting malevolent traffic. The experts discovered that devices responsible to the surge of malicious traffic belong mainly in one of the following categories:
Connected medical endpoints, including radiology imaging software, video conferencing systems, and digital video systems used for consults and remote procedures. Internet-facing personal health data. Web-based call center website, backed by a VoIP PBX and personal health record (PHR) systems were the architecture most impacted. “In a PHR system, consumers’ personal health records are not necessarily tethered to an electronic health record (EHR) system and, therefore, are neither certified under the U.S. standards nor regulated under HIPAA/HITECH legislation,” reported the SANS institute. Security systems and edge devices, including VPN applications and devices, firewalls and enterprise network controllers (ENCs). The attacks that originated malicious traffic were mainly malware-based. Attackers used malicious codes to compromise the targeted systems and hit other resources within the same victimized organization or outside.
According to SANS, the hackers took advantage of misconfigurations. In many cases, the medical devices presented the default configuration used by their vendor that can be discovered easily through an Internet search. In these cases, the adoption of proper configuration control and monitoring for signs of compromise and malicious communications could reduce the exposure of both data and infrastructure to the attacks of ill-intentioned.
Figure 4 – Medical Endpoints Detected –(SANS Institute report)
Economic impact of health care data breaches
To provide an evaluation of the economic impact of data breaches for the healthcare industry, it is necessary to assess the type patient data lost or stolen. According to the study published by the Ponemon Institute, consistent with the previous three annual studies, the incidents are most likely to involve healthcare records containing sensitive and valuable information for identity thieves. Billing and insurance records, medical files, and payment details were the main target of the attacks because they are precious commodities in the underground market. This data is usually managed by criminals gangs to arrange scams on a large scale. According to the data provided by the Ponemon Institute in its study, health care organizations suffered a cost that ranges from less than $10,000 to more than $1 million over a two-year period. Meanwhile, the average economic impact of data breaches over the past two years for the health care entities has been estimated at $1,973,895. The average number of lost or stolen records per breach was 2,150. Last year, it was observed for the healthcare industry an average number of 3,000 records, and according to the Ponemon Institute, the average cost per one lost or stolen record is $188.
Figure 5 -Economic impact of data breach incidents experienced over the past two years (Ponemon Institute)
Mobile device, the hidden risks
The diffusion of mobile devices in the healthcare industry poses other security risks, as confirmed by a recent study conducted by the Ponemon Institute. Forty percent of those surveyed by the Ponemon Institute confirmed that devices rely on the cloud for services such as backup, storage and file sharing with obvious consequences under the security perspective. More than half 51% of physicians use tablets for professional purposes, and 74% use smartphones at work. According to Transparency Market Research, mobile monitoring and diagnostic medical devices market will reach $8.03 billion by 2019, a significant growth in respect to $0.65 billion registered in 2013. A growing number of patients will access their records electronically. Medical staff will access several services available through mobile platforms. Recent attacks on healthcare systems have certainly reinforced the need for a new approach to cyber security. According to the Ponemon Institute, the BYOD usage continues to rise despite the concerns about employee negligence and the lack of security for mobile devices. Nearly 88 percent of organizations permit medical staff to use their own mobile devices to access their organization’s networks and services like email. The most worrying aspect is that nearly 50 percent of organizations are not aware of the risks related to BYOD, and only a limited portion of organizations require their employees to adopt proper countermeasures like anti-malware.
Figure 6 – Employees permitted to use personal mobile devices to connect to networks (Ponemon Institute) I consider it useful to share the list of the principal mobile management best practices:
Enabling remote lock and wipe, to easily remove unauthorized users from the enterprise system or to erase content of the device in case of theft. Enforcement data encryption. Enforcement of device-level passwords. Monitoring the operating system’s integrity to avoid jailbreack and rooting procedures. Secure email and attachments to prevent malware being spread from personal accounts. Prevent installation of untrusted apps. Log devices and actions for audit.
Clouds on the healthcare industry
Another paradigm largely adopted in the healthcare industry is the cloud computing, but according to security experts, there are different security issues still unsolved. According to cloud security vendor Skyhigh Networks, more than 13% of cloud services used in the healthcare industry are considered high‒risk; 77% are at medium risk. The estimation was based on the analysis of 54 different security attributes, including adoption of multi-factor authentication and data encryption. Although providers offer different security features to protect the user’s data in the cloud, in many cases, wrong habits on the consumer side are the principal cause of incidents. Cloud services can offer advanced technical solutions for a reasonable price compared to on-premise hardware and software, but security and privacy issues for the implementation of such paradigms are not underestimable.
Figure 7 – Cloud usage in the healthcare industry (Skyhigh) The healthcare industry today can’t afford the resources necessary to ensure an advanced security, but anyway, it needs an innovative and layered approach in terms of security to mitigate cyber threats. “Cloud technology is a logical imperative for healthcare because it offers compelling IT value across a wide range of services and solutions, but it also poses new security challenges and threats,.” said Rajiv Gupta, Founder and CEO of Skyhigh Networks. It is easy for the above consideration to predict a heavy usage of cloud services, but according to a study conducted by the Ponemon Institute, only one-third of organizations surveyed are very confident or confident that information in a public cloud environment is secure. The study confirms that despite the risk, 40 percent of organizations confirm they adopted cloud infrastructure heavily, an increase from 32 percent last year. Taking a look at the most used cloud services, it is possible to ascertain that backup and storage, file-sharing applications, business applications and document sharing and collaboration are largely adopted in the healthcare industry. Email applications, productivity applications, accounting information and employee information are the types of information most processed and/or stored in the cloud. Fortunately, the majority of organizations consider patient medical records and billing information too sensitive to be stored in a public cloud environment.
Conclusions
Security experts have no doubt that the PHI breach will continue in the next few months, representing a clarion call to the healthcare industry. The diffusion of mobile and cloud paradigms in the healthcare industry will continue to enlarge the surface of attack advantaging bad actors. Companies must be aware of the increased volume of PHI data on more portable devices used by an employee with a low perception of the cyber threats. Under these premises, it is normal to expect that there will be more data breaches. Mitigating that risk is a must for the operators of the healthcare industry. We must be conscious that compliance does not equal security in the actual context of the continuous evolution of cyber threats. Considering that the overall costs of failed compliance or compromises are increasing, it is time to seriously consider investing in security for the healthcare industry.
References
http://www.ecnmag.com/blogs/2014/08/experts-90-medical-records-are-vulnerable-hackers http://www.cnbc.com/id/101535352#. http://www.redspin.com/docs/Redspin-2013-Breach-Report-Protected-Health-Information-PHI.pdf http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security http://www.cnbc.com/id/101030634 http://www.informationweek.com/healthcare/security-and-privacy/securing-mobile-healthcare-devices-best-practices/d/d-id/1269357 http://www.informationweek.com/healthcare/security-and-privacy/securing-mobile-healthcare-devices-best-practices/d/d-id/1269357 http://www.velocitymsi.com/blog/medical-data-why-the-fbi-says-hackers-are-targeting-ehrs-now/ http://www.emrandhipaa.com/emr-and-hipaa/2014/08/18/chinese-hackers-reportedly-access-4-5-million-medical-records/ http://www.forbes.com/sites/danmunro/2014/09/01/over-90-of-cloud-services-used-in-healthcare-pose-medium-to-high-security-risk/ http://www.reuters.com/article/2014/08/20/us-cybersecurity-healthcare-fbi-idUSKBN0GK24U20140820 http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity-idUSKBN0GI16N20140818 http://www.scmagazine.com/altamed-health-services-notifies-3000-individuals-of-possible-breach/article/370447/ http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf http://www.sans.org/reading-room/whitepapers/analyst/inaugural-health-care-survey-34855