The healthcare data security war can be won, but it will require action and commitment from the industry.
With Halloween upon us, the usual spate of horror movies will intrigue audiences across the U.S., replete with slashers running amuck in the corridors of all-too-easily accessible hospitals. They grab a hospital gown and the zombies fit right in. While this is just a movie you can turn off, the real horror of patient data theft can follow you.
Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities. In 2015, the healthcare industry was one of the top three industries hit hardest by serious data breaches and major attacks—along with government and manufacturers. Packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history records, much of this information will remain valid for years—if not, decades—and fetch a high price on the black market.
Having been the victim of a data theft, myself, I know how terrible this type of crime can be. Hackers stole my deceased father’s medical files and ran up more than $300,000 in false charges. I am still disputing ongoing bills that have been accruing for the last 15 years.
Who Are the Hackers?
It is commonly believed that attacks are from outside intruders looking to steal valuable patient data, and 45% of the hacks are external. However, “phantom” hackers are also often your colleagues, employees and business associates who are unwittingly careless in their use of passwords or lured by phishing schemes. The problem impacts not only the high-tech world, but also the low-tech one—requiring that providers across the continuum simply become smarter about data protection and privacy issues. Medical facilities are finding that they must teach the medical staff not to click on suspicious links.
To thwart accidental and purposeful hackers, organizations should implement physical security procedures to secure network hardware and storage media by maintaining a visitor log and installing security cameras. Limiting physical access to server rooms and restricting the ability to remove devices from secure areas should also be a priority.
A Growing Nightmare
Medical data theft is becoming a national nightmare. IDC’s Health Insights group predicted that one in three healthcare recipients will be the victim of a medical data breach in 2016. Other surveys found that, in the last two years, 89% of healthcare organizations reported at least one data breach—with 79% reporting two or more. The most commonly compromised data types are medical records, followed by billing and insurance records. The average cost of a healthcare data breach is about $2.2 million.
At health insurer Anthem Inc., foreign hackers stole up to 80 million records using social engineering to dig their way into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when a company computer system administrator discovered outsiders were using his own security credentials to log into the company system and hack databases.
Investigators believe the hackers somehow compromised the tech worker’s security through a phishing scheme that tricked the employee into unknowingly revealing a password or downloading malicious software. Using this login information, they were able to access the company’s database and steal files.
Hacks Spread Mayhem in Diabolical Ways
Not only is current patient data security an issue, but thieves can also drain the electronic economic blood from hospitals’ jugular vein—its IT systems. Hospitals increasingly rely on cloud delivery of big enterprise data from startups such as iCare that can predict epidemics, cure disease and avoid preventable deaths. They also add personal health record apps to the system from fitness apps like FitBit and Jawbone.
Banner Health had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.
According to Banner Health, its breach began with an attack on payment systems. This differentiates from other recent hacker breaches. While payment system attacks have plagued the retail sector, they are almost unheard of in healthcare entities.
What also makes this breach more concerning is the question of how hackers accessed healthcare systems after breaching payment systems at food or beverage facilities, when these networks should be completely separated from one another? Healthcare system networks are very complex and become more complicated as other business functions are added to the infrastructure—even those that don’t necessarily have anything to do with systems handling and protecting health information.
Who hasn’t heard of “ransomeware?” The first reported attack of this kind was Hollywood Presbyterian Medical Center, which had its electronic health records (EHRs) and clinical information systems shut down for more than a week. The systems were restored after the hospital paid $17,000 in Bitcoin.
Will Data Thieves Also Rob Us of Advances in Healthcare Technology?
Is the data theft at MedStar Health in the Washington, D.C. region a foreboding sign that an industry racing to digitize and interoperate EHRs is facing a new kind of security threat that it’s ill-equipped to handle? Hospitals are focused on keeping patient data from falling into the wrong hands, but attacks at MedStar and other hospitals highlight an even more frightening downside of security breaches. As hospitals strive for IT interoperability, is this goal now a concern?
Hospitals increasingly depend on EHRs and other IT systems to coordinate care, communicate critical health data and avoid medication errors. They could also be risking patients’ well-being when hackers strike. While chasing the latest medical innovations, healthcare facilities are rapidly learning that caring for patients also means protecting their medical records against theft and privacy violations.
“We continue the struggle to integrate EHR systems,” said anesthesiologist Donald M. Voltz, MD, medical director of the main operating room at Aultman Hospital in Canton, Ohio, and an advocate and expert on EHR interoperability. “We can’t allow patient data theft and privacy violations to become an insurmountable problem and curtail the critical technology initiative of resolving health system interoperability. Billions have been pumped into this initiative and it can’t be risked.”
Taking Healthcare Security Seriously
Healthcare is an easy target. Its security systems tend to be less mature than those of the finance and tech industries, and its staff depends on data to perform time-sensitive and life-saving work.
Where a financial services firm might spend a third of its budget on information technology (IT), hospitals spend only about 2-3%. Healthcare providers are averaging less than 6% of their IT budget expenditures on security, according to a recent Healthcare Information and Management Systems Society (HIMSS) news brief. In contrast, the federal government spends 16% of its IT budget on security, while financial and banking institutions spend 12-15%.
Meanwhile, the number of healthcare attacks over the last five years has increased 125%, as the industry has become an easy target. Personal health information is 50 times more valuable on the black market than financial information. Stolen patient health records can fetch as much as $363 per record.
“If you’re a hacker… would you go to Fidelity or an underfunded hospital?” said John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston. “You’re going to go where the money is and the safe is the easiest to open.”
Many healthcare executives believe that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, many organizations have either decreased their cyber security budgets or kept them the same. While the healthcare industry has traditionally spent a small fraction of its budget on cyber defense, it has also not shored up its technical systems against hackers.
Disrupting the Healthcare Security Industry with Behavior Analysis
Common defenses in efforts to keep patient data safe have included firewalls and keeping the organization’s operating systems, software, anti-virus packages and other protective solutions up to date. This task of constantly updating and patching security gaps or holes is ongoing and will invariably be less than 100% functional at any given time. However, with only about 10% of healthcare organizations not having experienced a data breach, sophisticated hackers are clearly penetrating through these perimeter defenses and winning the healthcare data security war.
Many organizations employ network surveillance tactics to prevent the misuse of login credentials. These involve the use of behavior analysis, a technique that the financial industry uses to detect credit card fraud. By adding some leading innovation, behavior analysis can offer C-suite healthcare executives a cutting-edge, game-changing innovation.
The technique relies on the proven power of cloud technology to combine artificial intelligence (AI) with machine learning algorithms to create and deploy “digital fingerprints,” using ambient cognitive cyber surveillance to cast a net over EHRs and other hospital data sanctuaries. It exposes user behavior deviations, while accessing EHRs and other applications with protected health information (PHI) that humans would miss. Not only can this augment current defenses against outside hackers and malicious insiders, but it can also flag problem employees who continually violate cyber security policy.
“Hospitals have been hit hard by data theft,” said Doug Brown, CEO of Black Book Research. “It is time for them to consider new IT security initiatives. Harnessing machine learning artificial intelligence is a smart way to sort through large amounts of data. When you unleash that technology collaboration, combined with existing cloud resources, the security parameters you build for detecting user pattern anomalies will be difficult to defeat.”
While the technology is advanced, the concept is simple. A pattern of user behavior is established and any actions that deviate from that behavior—such as logging in from a new location or accessing a part of the system the user normally doesn’t access—are flagged. Depending on the deviation, the user may be required to provide further authentication to continue or may be forbidden from proceeding until a system administrator can investigate the issue.
Some of those leading this effort deliver ambient cognitive cyber surveillance to protect healthcare information assets against cyber security threats, data breaches and privacy violations. One Houston-based firm provides a virtual intelligent eye that combines artificial intelligence with advanced machine learning algorithms to provide real-time behavior analysis and anomalous user access monitoring.
The virtual intelligent eye works by generating a digital “fingerprint,” based on behavior for every single login by every single user in every single application and database across the organization.
This information is a recording of the “who, what, when, where, why and how” data is being accessed within an organization. Once a baseline for behavior is established, the system can easily identify anomalies in user activity and send out the appropriate alerts immediately when there are deviations from normal behavior.
The cost of this technology will be positively impacted by the continuing decline in the cost of storage and processing power—from cloud computing giants like Amazon, Microsoft and Alphabet.
The healthcare data security war can be won, but it will require action and commitment from the industry. In addition to allocating adequate human and monetary resources to information security and training employees on best practices, the industry would do well to implement network surveillance that includes behavior analysis. It is the single best technological defense against the misuse of medical facility systems, and the most powerful weapon the healthcare industry has in its war against cyber criminals.