By Kevin Jones
In August 2014, patients of Community Health Systems went to their mailboxes and found letters informing them that their personal data had been compromised. This news was delivered to patients at 20 Community Health Systems locations across Pennsylvania. The breach was reportedly achieved by exploiting the dreaded Heartbleed bug, putting the personal information of more than 4 million U.S. patients at risk. A network of China-based hackers may be the culprit. Not surprisingly, a patient of one of these Pennsylvania hospitals has already filed legal action against Community Health Systems, claiming in her Lackawanna County suit that the breach violates the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Not far away, right around the same time, patients of the New Jersey Medical Center received a similar letter. In this case, an undisclosed number of patients learned that their data was exposed because a healthcare worker lost an unencrypted CD storing countless names, birthdates, social security numbers, addresses and health insurance information.
These are not isolated incidents. They’re part of a growing and disturbing trend. Based on a report by the U.S. Department of Health and Human Services, the number of data breaches involving the exposure of patient information rose 138 percent in 2013. That number is expected to be even higher by the end of this year. These data leaks are costing hospitals dearly: a recent Ponemon Research study revealed that U.S. healthcare facilities are spending almost $7 billion annually in fines due to HIPAA violations. We’re clearly at the point where healthcare has no choice but to play IT security catch-up.
In this modern technology era of “connected everything,” patients are demanding answers. They’re asking, why are healthcare facilities still using unsafe, outmoded technology like CDs? Why are hospitals failing to follow best security practices, such as encryption and two-factor authentication? Patients and healthcare leaders alike are wondering, how many fines need to be issued, lawsuits filed, and reputations tarnished before patient data security becomes a top priority across the industry?
Prime Target: Why the “Bad Guys” Like Healthcare Systems
Healthcare facilities have been moving towards electronic records and technology-based data systems for decades. This is a necessity to rein in costs and encourage real-time doctor-patient collaboration and communication. One of the major goals of the Affordable Care Act is to invest federal money into the modernization of health information technology to improve care and cut administrative expenses. In the last year, the ACA has issued more than $18 million in grants to facilities across the U.S. Many industries are realizing true savings and gains from transforming to this model. The industrial and manufacturing sectors are seeing an economic revival by moving to Internet- and cloud-based systems. But just like any other industry, moving data to an electronic model presents its own subset of risks. The difference is, with a healthcare facility, that data belongs to the most vulnerable of assets – its patients.
As more infrastructure and databases migrate to modern models, it’s clear that the vast majority of healthcare facilities are not adept at keeping up with the constantly shifting threat landscape. Technology moves too slowly in this industry to keep up with current attack vectors. It’s not enough to invest in the latest infrastructure. Staff (including IT), administrators and healthcare workers must understand how to use the technology safely and appropriately – and also be aware of the many ways cybercriminals and internal staff can exploit this technology for personal gain.
Hackers recognize the lag in healthcare IT systems and are reaping the rewards. While a majority of hackers are motivated by simple thrill-seeking, some are looking to inflict damage in order to make money off the information they steal. They’re also well aware of the treasure trove waiting for them in any healthcare network: so-called personally identifiable information (PII), such as social security numbers, dates of birth and banking/payment data that can be sold to the highest bidder for use in elaborate identity fraud scams. In fact, victims of the Community Health Systems breach are already seeing their data pop up on underground hacker forums for sale – sometimes in bulk.
Security Check-Up: Honesty Required
Fixing healthcare data security won’t be an easy task, but management and IT teams need to come together and start making it a priority. Here are four key remedies that must be part of any security improvement plan.
Get Real about Risks. It’s hard to believe, but the national website for the ACA healthcare exchanges, Healthcare.gov, still lacks several basic cybersecurity controls — including strong passwords and consistent security patching — nearly a year after its launch. This is clearly a top-down problem and should be a wake-up call to all healthcare IT administrators. As the recent Apple iCloud hack demonstrated, it doesn’t take much effort for hackers to help themselves to private information, even in the hands of a trusted vendor. If your facility hasn’t implemented the most basic best practices, such as password protection, encryption of data and two-factor authentication to systems and accounts, it’s time to get real about risk. Encryption is no longer a luxury for larger companies – it’s a necessity for any organization in healthcare. While encryption tends to be associated with laptops and desktop computers, it shouldn’t end there. Any device on which data is shared must be part of your encryption strategy. Data stored internally and data traveling between computers, tablets, smartphones and even cloud services should also be encrypted. Further, password protection tactics such as two-factor authentication ensure that the right person is accessing the right data from the approved device.
Educate Staff…And Verify. While the Community Health Systems breach is being attributed to insidious Chinese hackers looking to steal and sell personally identifiable information on the black market, most data breaches have a much less exciting origin: user error. It might seem as though every rogue nation-state across the globe is launching some kind of retaliatory hacking campaign, but healthcare facilities have far more to fear from their own staff, both current and former. For example, Massachusetts Eye & Ear Infirmary paid a whopping $1.5 million in fines after an employee’s unencrypted laptop containing patient data was stolen. Meanwhile, a disgruntled employee at UMass Medical Center misused information on up to four patients, including their names, dates of birth and social security numbers. That employee is now an ex-employee – however, the hospital is still on the hook for HIPAA violations. The bottom line: Your staff – including your IT administration team – is your first line of defense against both intentional and accidental insider threats. In an age when health information is stored and transported on portable devices, education is the key. Your workers at all levels must understand the risks of leaving devices unattended or sharing data with unauthorized personnel. Further, regular rotation and maintenance of passwords is crucial – especially when an employee leaves or changes roles.
Invest in Enterprise-Grade Tools. There is no single “magic bullet” tool or platform that will make data security a cakewalk, but there are some key attributes that should be on your list when evaluating security vendors for your organization’s needs. For example, will the tool create audit trails that record each staff member’s access to specific information on the network? Is access to patient and corporate data permission-based and tied to each user’s role within the organization? Will all sensitive information remain protected and properly encrypted in the event of a laptop theft or attempted breach? Will the tool provide the same security levels for remote workers?
Keep it Simple. Implementing layers of protection to keep patient and company data safe sounds like a lengthy, expensive endeavor to most IT leaders. But the biggest barrier to entry isn’t the cost or lead time – it’s the complexity of the solution. Take the time to evaluate your solution’s user interface. Does it require extensive, up-front training? Will your staff need to give up valuable work time just to learn how to operate it properly? Will using it add extra steps to their workflow, or slow down the process of information-sharing? If a security platform is too difficult to use, it won’t be long before staff start finding their own little workarounds to avoid using it. And that is the moment a hacker is waiting for.
Above all, healthcare IT staff must realize that data security isn’t always foolproof. It’s important to remain flexible to new ideas and technologies. A common-sense approach to the basic best practices will always serve as your foundation for protecting the patients you serve. It starts with a realistic, thorough assessment of the ways your data is at risk right now and then making improvements along the way. Educating healthcare workers about these risks is also a vital part of any security policy.
About the author
Kevin Jones is the senior information security architect for Thycotic, a Washington, D.C.-based provider of password security management solutions for organizations. A Microsoft MVP, Kevin has been a featured presenter at numerous IT and security events including IANS Forums, ISSA, ISACA and software development clinics.