When health insurer Anthem announced last month that it was the target of a sophisticated cyber security attack, putting 80 million users at risk of potential data theft, the news exposed more than health records; it shined a spotlight on the industry's data vulnerabilities and the growing threat of cyberattacks.
From electronic medical records to wearable devices and telemedicine, the healthcare industry is undergoing a digital transformation. But these innovations also carry greater security risks if organizations lag in their ability to protect data wherever it's stored or used. Medical records contain valuable personal information such as social security numbers, birth dates, medical histories, and billing information, making them a gold mine for hackers.
In fact, about 43 percent of all data breaches reported in 2014 occurred in the healthcare industry, according to the Identity Theft Resource Center Breach Report. And according to a study by the Ponemon Institute, 90 percent of healthcare organizations reported at least one data breach between 2012 and 2014. More than one-third (38 percent) reported more than five.
Why healthcare data is being targeted
The rise in medical identity theft is a case of supply and demand, experts say. Compared to credit card numbers, medical identity theft is much more lucrative. Stolen credit card numbers can be quickly cancelled by banks, whereas medical fraud is more difficult to detect, notes Greg Porter, founder of Allegheny Digital, an information security consultancy.
"The spectrum of medical fraud-based opportunities is only limited by the criminal's creativity," Porter says. "And this is reflected in the black market, where credit card numbers sell for pennies but patient medical records can go for thousands of dollars or more."
The Anthem breach, in which records containing Social Security numbers, names, employment information, birth dates, and more were stolen, and last year's attack at hospital operator Community Health Systems (CHS), which compromised about 4.5 million records, have been described by cybersecurity experts as sophisticated attacks.
In both cases hackers looked for vulnerabilities such as the Heartbleed bug (associated with CHS), and they also used employee credentials to access networks and upload malware that went undetected, among other tactics. Healthcare organizations are hardly blameless in a data breach, though.
There are numerous holes and employee practices that organizations must address, says Barbara Filkins, senior analyst and healthcare specialist at SANS Institute, a company that specializes in information security and cybersecurity training.
"The healthcare industry is still faced with a lot of legacy problems like making sure you're not using default passwords and that's before we even get to multiuser authentication," Filkins comments.
In a study sponsored by cybersecurity firm Norse, Filkins analyzed the cybersecurity threats of medical organizations including clearinghouses, health plans, and pharmaceutical companies. The study found the largest categories of risk were security devices themselves and connected devices that were categorized as part of the Internet-of-Things (IoT).
"Connected medical devices, applications, and software used by healthcare organizations providing everything from online health monitoring to radiology devices to video-oriented services are fast becoming targets of choice for nefarious hackers taking advantage of the IoT to carry out all manner of illicit transactions, data theft, and attacks," Filkins writes. "This is especially true because securing common devices, such as network-attached printers, faxes, and surveillance cameras, is often overlooked. The devices themselves are not thought of as being available attack surfaces by healthcare organizations that are focused on their more prominent information systems."
Balancing Security with Innovation
IT and security professionals working within healthcare organizations are increasingly tasked with providing data protection without impeding other digital innovations or healthcare professionals' and patients' ability to access information on demand.
"Clearly it's a challenge to strike a balance between sharing with our customers the information they need to help them improve their health, wellbeing, and sense of security and at the same time protect that information from the bad guys," comments Cigna Director of Public Relations Joe Mondy. Mondy declined to provide details about the health insurer's data protection efforts beyond a statement that the company released soon after the Anthem breach.
In the statement, Cigna says it "conducts regular assessments both in-house and with respected third party assessors. We track all identified medium and high risk vulnerabilities through to closure by the vulnerability management team. Cigna has also been CyberTrust certified for the last 12 years, a third party validation consisting of multiple tests, policy reviews, and physical data center audits. We have multiple system products that detect, log, and alert us to suspicious traffic. And Cigna computers have security software installed, and can only connect to our network when they're running the latest anti-virus software and definitions."
Cigna and other healthcare organizations must also adhere to regulations designed to safeguard patients' health information under the Health Insurance Portability and Accountability Act (HIPAA), but the federal rules should not be an end point.
"HIPAA compliance isn't something companies should be aspiring to; that's the bare minimum of security levels that companies should be offering," maintains Sam Masiello, chief information security officer at TeleTech. Indeed, experts are calling for stricter HIPAA regulations. Insurers, for example, are not required to encrypt members' data, an omission that was called out in the Anthem breach.
Mark Ford, life sciences and health care cyber risk services leader for Deloitte & Touche, agrees that satisfying HIPAA regulations is a good first step in protecting member data, but it's not enough. Data protection strategies should be designed as a multi-tiered approach focused on "security, vigilance, and resilience," Ford says. "Companies need a thorough understanding of the security measures that are already in place and their risk tolerance in terms of the value of the data."
Healthcare leaders, Ford adds, should make data protection a priority and enable security professionals to identify and prevent new vulnerabilities. "Hackers are probing for vulnerabilities every day, which is why it's critical for companies to consistently monitor for changes and have a plan for quickly responding to an attack."
Making sure that proper security procedures are being followed is important, but companies should also attempt to think like hackers and identify potential holes in their systems, says Mike Garvin, senior manager of product management at Symantec's cybersecurity services division.
As an example, Garvin points to the company's internal Cyber War Games where employees are invited to participate in simulated environments, like a hospital, and "sabotage" the hospital's network to get a better understanding of the threats clients are facing. "Our intent was to educate our employees on security issues and spark ideas for additional solutions," Garvin explains. The training program has been so popular that the company is considering licensing it to customers.
Additionally, healthcare organizations should reduce the amount of sensitive data that they're collecting, notes Scott Walters, security director at iNetU, a cloud hosting company with clients in the healthcare, financial services, and retail industries. "A common rule in data security is only keep necessary data," Walters says. "Healthcare companies can reduce their risk of being hacked by not keeping so much valuable information like social security numbers."
Insurance companies like Aetna are in fact trying to reduce their data footprints. In a statement released about two weeks after the Anthem breach, Aetna outlined some of its data protection efforts, including removing social security numbers from reports and/or masking them.
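The two controls just described, keeping fewer sensitive fields in the first place and masking social security numbers that do appear in reports, are simple to illustrate in code. The following is an added example written for this article; it is not Aetna's, iNetU's or any insurer's own code. It assumes report rows are plain dictionaries, uses constructed, fictional sample values, and treats a nine-digit pattern (with or without separators) as an SSN. It also shows the audit check a practitioner would want: counting how many SSN-shaped values survive after minimisation, including ones that leaked into free-text notes.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample report rows: fictional values, not real member data.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"member_id": "M-1001", "name": "A. Example", "ssn": "123-45-6789",
     "notes": "Callback requested about claim 77."},
    {"member_id": "M-1002", "name": "B. Example", "ssn": "987654321",
     "notes": "Identity verified by phone; SSN 987-65-4321 confirmed."},
]

# Matches a nine-digit SSN written with dashes, spaces, or no separators.
# The \b anchors stop it from firing inside longer digit runs such as claim numbers.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def mask_ssn(value: str) -> str:
    """Keep only the last four digits of an SSN; return non-SSN input unchanged."""
    m = SSN_RE.fullmatch(value.strip())
    return f"***-**-{m.group(3)}" if m else value


def redact_free_text(text: str) -> str:
    """Mask any SSN-shaped token embedded in free text (notes, comments)."""
    return SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", text)


def minimise_record(row: Dict[str, str],
                    drop_fields: Iterable[str] = ("ssn",),
                    mask_fields: Iterable[str] = (),
                    text_fields: Iterable[str] = ("notes",)) -> Dict[str, str]:
    """Build a reduced copy of one row for a report.

    drop_fields are removed outright (data minimisation: the value is not
    carried at all); mask_fields keep only the last four digits; text_fields
    are scanned for SSN patterns that leaked into free text.
    """
    out: Dict[str, str] = {}
    for key, value in row.items():
        if key in drop_fields:
            continue
        if key in mask_fields:
            value = mask_ssn(value)
        elif key in text_fields:
            value = redact_free_text(value)
        out[key] = value
    return out


def minimise_report(rows: Iterable[Dict[str, str]], **policy) -> List[Dict[str, str]]:
    """Apply the same minimisation policy to every row of a report."""
    return [minimise_record(r, **policy) for r in rows]


def count_exposed_ssns(rows: Iterable[Dict[str, str]]) -> int:
    """Audit helper: how many SSN-shaped values remain anywhere in the rows."""
    return sum(len(SSN_RE.findall(str(v))) for r in rows for v in r.values())


if __name__ == "__main__":
    print("before:", count_exposed_ssns(SAMPLE_ROWS), "exposed SSNs")
    reduced = minimise_report(SAMPLE_ROWS)                       # drop the column entirely
    masked = minimise_report(SAMPLE_ROWS, drop_fields=(), mask_fields=("ssn",))
    print("after drop:", count_exposed_ssns(reduced), "| after mask:", count_exposed_ssns(masked))
    for r in masked:
        print(r)
```

The default policy drops the SSN column, which is the "only keep necessary data" rule Walters describes; passing `mask_fields=("ssn",)` instead keeps the last four digits for reports that genuinely need a partial identifier. The free-text pass matters because a masked column gives little protection when the full number was pasted into a notes field, and `count_exposed_ssns` is the check to run over the output before a report leaves the organisation.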
Security experts agree, though, that it is impossible to completely eradicate security risks. While the digitization of healthcare is necessary for many reasons, it is also a double-edged sword. The takeaway from the recent data breaches is that healthcare organizations must prepare for an increase in cyber attacks and make data protection a priority.