Published on August 6th, 2015 | by admin
Cyber Security Risks Series: Healthcare
In recent articles, we’ve explored how cyber security has become an even more pressing problem as attacks grow increasingly sophisticated and the landscape changes. These conditions have in turn made security strategy an evolving process and have heralded a new era of security intelligence and tools.
In a series of articles over the coming weeks, we’re going to explore the security risks associated with a number of different industry sectors. In the final article, we’ll sum up the findings and compare and contrast the industry risks.
Healthcare is our first exploration.
The complexity of the healthcare eco-system
The major threat to the healthcare industry is loss of data. Later, however, we will look at how the Internet of Things (IoT) may have a growing impact on the security of certain sectors of this industry as well.
The healthcare industry deals with an abundance of highly sensitive data. Medical records, as well as personally identifying information (PII), are the cornerstone of the industry. By its nature, this data often needs to be shared between the many actors that make up the complex eco-system of healthcare provision. That complexity is intensified by the increasing use of mobile devices, from patients using health apps on their own devices to physicians using mobile devices to record and access medical records. In fact, a 62% increase in healthcare apps was reported during 2014, and the FDA is now planning to regulate these types of apps.
Controlling information flow and access to data becomes more and more challenging as the healthcare eco-system evolves and grows in complexity. Moreover, with the system made up of so many actors, there are more links in the chain that can be broken.
How healthcare data is lost
Medical records are valuable. The Ponemon Institute, in its 2015 Cost of Data Breach Study: Global Analysis, reported that healthcare had the highest per-record breach cost of any industry, at around $363 per compromised record.
Data records are lost in this industry for a number of reasons, including theft but also accidental loss by insiders. PwC found that accidental loss of sensitive data accounted for 22% of incidents in the industry, whereas theft of data stood at around 15%. Worryingly, the same PwC report found that this rate of unintentional loss was 83% higher than in the other industries it analyzed. Two further studies found similar statistics: one 2014 report into healthcare data breaches attributed 68% of breaches to lost or stolen devices, and the California Attorney General’s Office found that 70% of compromised health records were due to lost or stolen devices.
(We shouldn’t, however, forget about intentional cybercriminal activity against healthcare data and we will look at some of the major breaches later on.)
It seems, then, that a major part of a security strategy in this industry should be device inventory and access control: knowing which devices hold records, encrypting the data on them, and limiting who can reach it.
As mentioned above, the future of healthcare security will also be shaped by the IoT. Healthcare, and especially parts of the healthcare supply chain, is a natural candidate for IoT technologies. Analysts at Marketresearch.com predict that the healthcare segment of the Internet of Things will be worth $117 billion by 2020. This weaves far more complexity into the sector, especially with respect to security and privacy. Standards working groups, such as the Kantara Initiative’s User-Managed Access (UMA) group, are currently working on standards for privacy, consent and security in the IoT. They are making good progress, but technology development is outpacing standards development, and we have to brace ourselves for cybercriminals’ exploitation of this new paradigm.
The fact that data is lost primarily by unintentional means and unsecured devices is at odds with the fact that healthcare is one of the most tightly regulated industries.
Healthcare-related privacy and security requirements are set out in the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA). These two frameworks are used throughout the industry in an effort to secure our health data. However, since the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) was introduced under HITECH in 2009, over 31 million people have had their health information and PII compromised in reported breaches.
I believe that HIPAA and HITECH can work within this highly complex industry if employee training is improved and more modern security intelligence tools are employed.
Examples of healthcare security breaches
2014 and 2015 were the years that healthcare took a cyber breach battering. Here are just some examples of the largest breaches:
- Anthem – Anthem is one of the largest health insurance providers in the United States. A cyber attack that began in 2014 and was disclosed in early 2015 exposed around 80 million member records. The stolen data was personally identifying information, including email addresses, personal details and social security numbers. It is thought this information was then used in the subsequent attack on the IRS in 2015 and may be used in further attacks. The theft most likely began with credentials stolen through a spear phishing attack.
- Premera – In a similar (perhaps related) attack to the Anthem one above, Premera BlueCross healthcare insurance lost the PII of 11 million customers. Again this included social security numbers and also credit card details, as well as medical records.
- Sutherland Healthcare Solutions Inc. – This breach involved the theft of eight computers containing the personal data of 342,000 patients. The data on the machines wasn’t encrypted.
- Community Health Systems Inc. – An attack exploiting the Heartbleed OpenSSL vulnerability led to the loss of around 4.5 million patient records held by Community Health Systems Inc. The vulnerability was most likely used to read login credentials for company resources out of the memory of an exposed server. The breach is estimated to have cost around $150 million.
A healthy future
Healthcare has two big security problems – malicious data theft and unintentional loss of data.
In terms of the malicious theft of information, we are seeing a marked shift in the type of cyber attack being committed: away from payment card fraud and towards the theft of PII, such as social security numbers, that can be used for identity theft. The IRS breach is a case in point: cybercriminals used stolen personal information to pass as legitimate taxpayers, access their accounts and claim fraudulent refunds.
Countering sophisticated attacks that trade on identifying data is itself complex and requires a multi-layered security approach: behavioral analysis, monitoring of employees and devices, and stronger controls on access to user accounts, so that a single phished password is not enough to get in.
The loss of data through negligent insiders, lost devices, or simply sending information to the wrong party is, again, solvable through a multi-layered approach. This time, by including employee training along with security intelligence tools based on modern investigation and surveillance techniques.
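To make the behavioral-analysis layer described above concrete, here is an added example (written for this page, not a tool the article names) that runs two simple checks over EHR access-audit lines: a per-user volume baseline that flags a day on which a clinician opens many more patient records than usual, and a cross-unit check that flags views of patients outside the clinician's own unit. The log format, the user and unit names, the 3x threshold and the sample lines are all constructed assumptions for the example.

```python
"""Baseline and cross-unit checks over constructed EHR access-audit lines.

Added example for this article. The log format below is an assumption,
not the format of any real EHR product:
  <ISO timestamp> user=<id> unit=<dept> action=VIEW patient=<mrn> patient_unit=<dept>
"""
import re
from collections import defaultdict
from statistics import mean

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) unit=(?P<unit>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) patient_unit=(?P<punit>\S+)$"
)


def parse(lines):
    """Turn raw audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["day"] = event["ts"][:10]  # ISO date prefix, e.g. 2015-07-01
        events.append(event)
    return events


def daily_unique_patients(events):
    """{user: {day: set of distinct patients viewed}}"""
    per_user = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_user[e["user"]][e["day"]].add(e["patient"])
    return per_user


def volume_anomalies(events, factor=3.0, min_baseline_days=2):
    """Flag (user, day, count, baseline) when a user's distinct-patient count
    on a day exceeds `factor` times that user's mean on their other days.
    Users with fewer than `min_baseline_days` other days have no baseline yet."""
    findings = []
    for user, days in daily_unique_patients(events).items():
        for day, patients in sorted(days.items()):
            others = [len(p) for d, p in days.items() if d != day]
            if len(others) < min_baseline_days:
                continue
            baseline = mean(others)
            if len(patients) > factor * baseline:
                findings.append((user, day, len(patients), baseline))
    return findings


def cross_unit_access(events, allowed=None):
    """Flag (user, patient, user_unit, patient_unit) for VIEWs where the
    clinician's unit differs from the patient's unit and is not in `allowed`
    (a constructed map of unit -> units it may legitimately consult)."""
    allowed = allowed or {}
    findings = []
    for e in events:
        if e["action"] != "VIEW" or e["punit"] == e["unit"]:
            continue
        if e["punit"] not in allowed.get(e["unit"], ()):
            findings.append((e["user"], e["patient"], e["unit"], e["punit"]))
    return findings


def _line(day, user, unit, patient, punit):
    # Constructed sample line in the assumed format above.
    return (f"2015-07-{day:02d}T09:00:00 user={user} unit={unit} "
            f"action=VIEW patient={patient} patient_unit={punit}")


# Constructed sample log: n1 normally views 3-4 cardiology patients a day,
# then opens 12 on day 4; n2 views one patient outside their own unit.
SAMPLE_LOG = (
    [_line(1, "n1", "CARDIO", p, "CARDIO") for p in ("p001", "p002", "p003")]
    + [_line(2, "n1", "CARDIO", p, "CARDIO") for p in ("p001", "p004", "p005")]
    + [_line(3, "n1", "CARDIO", p, "CARDIO") for p in ("p002", "p003", "p006", "p007")]
    + [_line(4, "n1", "CARDIO", f"p{100 + i}", "CARDIO") for i in range(12)]
    + [_line(1, "n2", "ONC", "p201", "ONC"), _line(1, "n2", "ONC", "p301", "ER")]
)


def run(lines):
    events = parse(lines)
    return volume_anomalies(events), cross_unit_access(events)


if __name__ == "__main__":
    volume, cross = run(SAMPLE_LOG)
    for user, day, count, baseline in volume:
        print(f"VOLUME  {user} on {day}: {count} patients vs baseline {baseline:.1f}")
    for user, patient, unit, punit in cross:
        print(f"XUNIT   {user} ({unit}) viewed {patient} in {punit}")
```

The two checks are deliberately independent: a bulk export by a single insider trips the volume check without ever leaving their unit, while a single act of snooping on a neighbour's record trips the cross-unit check without moving the daily count. Both produce tuples rather than alerts so that they can feed whatever ticketing or SIEM pipeline an organisation already runs.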
Stay tuned for part two of our Cyber Security Risks Series, where we’ll explore challenges facing the Finance industry.
Perimeter defenses are insufficient for protecting vulnerable industries such as healthcare. These sectors require a holistic approach to cyber security that lets them rapidly remediate after an attack.