Brigham and Women’s, St. Luke’s Cornwall, Allina Health, Middesex Hospital. All of these organizations in the last 60 days joined the government’s list of health providers affected by security breaches. And 2015 looks to be the worst year ever for healthcare security issues.
While some incidents are a result of lost or stolen files, sophisticated hackers looking to lift the treasure trove of information found in health records are now the leading cause of data loss
The threat isn’t likely to ease. Cybercrime is a “growing $6 billion epidemic that puts millions of patients and their information at risk,” according to a report on healthcare data security published last year by the Ponemon Institute.
To counter the growing threat, providers need to rethink their security strategies.
Rapid rise in medical identity theft
No longer are virus scanning and intrusion detection software sufficient.
“Protection technologies have a purpose; the problem is there are really wonderful ways to evade these things,” says Ronald Mehring, chief information security officer (CISO) for Texas Health Resources. “We’ve seen that with a multitude of breaches across organizations that have strong programs.”
The key, say experts, is a complex solution of multiple defense layers embedded with new data analysis techniques that can spot hackers before they can break into health data stores.
CIOs and their security staffs have to consider a class of more sophisticated tools that can sense when a breach is being attempted or already underway. For example, advanced classes of firewalls are aware of the applications running behind them and can take into consideration what is and isn’t normal traffic trying to access those applications.
Many organizations are turning to these types of layered protection, healthcare security professionals say.
“You want to have advanced application-level firewalls at the edge,” says David Reis, vice president of IT governance and security at Lahey Health, Burlington, Mass. “You want to have intrusion detection and prevention at the network layer inside the firewall to catch those things that get through the firewall. And then for the Internet-facing systems that you’re really worried about, you can put host-based intrusion detection on those very specific servers.”
But layered approaches alone may be incomplete because of threats burrowing in from the Internet, says Mehring. “Before, we looked at it like this iterative approach. Somebody comes in from the Internet, they hit an external firewall--some type of defense system that keeps them out, at the outer shell. Then if they make it past there, there is some other control, then some other control, and some other control. It doesn’t quite work that way anymore, because of the way users interact with technology, the Internet.”
Network protections can be thwarted when an employee unwisely falls prey to a phishing gambit, by either clicking on a hacker’s URL link or attachment. “Professionally and personally, that’s my biggest worry,” says Reis. Phishing attacks “can be incredibly effective, especially in the healthcare market where we’re all trained to be patient-centric, trained to be helpful.”
HIPAA has prompted health systems to elevate their efforts, adding encryption of data at rest, media protections, and backup and security protocols, says Russell Branzell, president and CEO of the College of Healthcare Information Management Executives. “It was the nudge we needed to get started, and most organizations generally have those in place today,” he says. Now they have to weigh technology “that measures and reacts to human nature and behavior.”
Barrier technologies are programmed to look for unique signatures of a finite number of viruses and other malware. “You need so many hits of people, machines, users getting infected in order for a rule, a pattern, a signature to be generated,” says Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society. In contrast to rules-based responses to attackers, the newer behavior-based methods look for departures from normal activity.
It’s all about trying to stay even with hackers who are continually changing their attack modes. “Prevention now is far more important than it’s ever been,” Reis asserts. “Detection is important, but we’re putting a lot more of our focus on preventive measures rather than detection measures, because things happen so much more quickly now than they did even five years ago. If you wait until you’ve detected, you’ve had a really big event. The key now is to make sure that event doesn’t happen.”
“Protection technologies have a purpose; the problem is there are really wonderful ways to evade these things. ”
Increasingly, security technology is performing analyses on data coming from breach prevention and detection systems, sifting for suspicious activity, says Darren Lacey, CISO and director of IT compliance at Johns Hopkins University and its medical school. “Detection controls, what they do is they say, ‘Well, this thing is happening, and it looks kind of funny--what do you want me to do about it?’ ”
Answering those questions are a set of investigative controls, sometimes automated in their responses, but usually operated by a staff pro responding to alerts, says Lacey, adding, “Detection controls are most beneficial when they’re integrated well with investigating.” Information aggregated from the various detection points--firewalls, host-based protection systems, audited activity logs and so on--aid in “creating new prevention signatures and new prevention rules.” And if a detection system sees something get through, “that will shape what prevention controls you run in the future.”
Prevention controls at the outer rim of the IT network include lists of IP addresses known to be both destinations for stolen data and sources of command-and-control centers for a network of malware called bots, guiding them through a breached system looking for lucre. “But sometimes these botnets change IP addresses, so your preventive rule sets don’t tell you a lot,” says Lacey.
A detection system might identify a new IP address to which several devices inside an IT network are communicating back and forth, for unknown reasons. Chances are that something suspicious is in play, Lacey explains, and an alert is triggered for investigation. The first response likely is to set up a new preventive control, adding the address to the block list. If it prevents a compromised computer from communicating back to an outlaw site, “that greatly reduces the amount of damage that bots can do.”
10 Top Health Data Hacks
The giant breach at health insurer Anthem (previously WellPoint) potentially affecting up to 80 million insured members and employees, reminds us that the hacking threat to protected health information is persistent and growing. The HHS Office for Civil Rights Web site of large breaches lists more than 90 major incidents of hacking, which have become much more prevalent during the past two years. Here are the 10 largest healthcare hacking incidents to date. Texas Health Resources takes the analytical route even further, devising risk profiles of users in its 25-hospital system based on their access to areas of the network, especially highly sensitive lodes of information, and how much of a target they would be for, say, phishing attempts, says Mehring (See sidebar). He calls it a zonal approach within the network as compared with a layered approach, intended to shut down breaches before they can spread.
“Quickness is key,” Mehring declares. “What we’ve found is that when that phishing email comes in, those first two hours that it’s in your environment are the most critical.” THR uses a cloud-based product that does a better job than in the past at detecting an attack and purging the invading agent, he says.
Vast improvements in the speed, computing ability and connectedness of healthcare information technology greatly complicate the business of keeping IT systems safe from intrusion. “Not only do hackers’ methods change, but the systems that we’re trying to protect evolve as well,” says Reis. “The systems get more complicated, and the hackers get more sophisticated, and to be effective we have to be able to keep up with both at the same rate.”
The fast movement of huge amounts of data make near-real-time intrusion detection critically important, says Kim of HIMSS, because attackers that get in can move quickly and access quantities of data in no time. A reactive strategy of spotting known malware in action will miss the mark, she emphasizes, because reaction hours or days later is often too late.