Healthcare providers and payers have been confronting cyber attacks for several years, and there are no indications the threat environment will get any better in 2017.

Hackers are constantly creating new forms of malware, and that makes identification of them difficult and making it increasingly difficult for information security professionals to stop network infiltrated.

Hackers’ favorite way to get in systems, by sending “phishing” emails that appear to be legitimate yet download a virus when an employee clicks on the mail, continues to work.

Meeting the Challenge
Providers are fighting back. Henry Ford Health System, with six hospitals serving metro Detroit and the city of Jackson, has engaged an outside vendor to monitor firewalls, outbound traffic and inbound logins, including the successes and failures of those logins, according to John Fowler, deputy information security officer.

A failed login, particularly a string of failures, could mean a legitimate user forgot the password, or it could be an indicator of real or attempted compromise. But successful logins also can be suspicious, such as a user logging in at one location, then logging in again at another location. That, Fowler says, could be a compromise or the user knowingly shared his password with someone else. Either way, these scenarios and others should be treated as early indicators of possible compromise and investigated.

Henry Ford Hospital

Henry Ford also is using data loss prevention software to assess information leaving the organization so only authorized data that also complies with various state and federal regulations is released.

“Data loss prevention is becoming a major part of our security protection,” Fowler notes. The software also can assign confidential levels to specific individuals so only those absolutely needing to see the data can see it.”

Doing homework
Experienced hackers take time to study an organization and figure out how best to get in before making their move, says Hussein Syed, CISO at nine-hospital Barnabas Health serving New Jersey. That means providers need to do their own homework by assessing vulnerabilities and implementing protective measures.

Barnabas is changing its security culture by requiring two-factor authentication for all remote users with no exceptions, so if malware is on a computer and a hacker has a username and password, data can’t be accessed because of the additional authentication required, Syed explains. Two-factor authentication could be a biometric scan or a one-time randomly generated PIN that regenerates every 30 seconds.

Barnabas Health also is using “privileged account management,” under which employees with higher access levels also need stronger authentication, such as a key card for an additional authentication step. “These fortify security beyond baselines,” Syed says.

The organization also monitors computers—conducting an audit of a computer—to ensure no one is copying the database or making unapproved changes. Further, some technicians are working full- or part-time looking through network environments to detect abnormal activities, including employees who may be getting less vigilant about security.

Healthcare organization also must, to the degree they can, conduct their own forensics to take the malware they find, examine it and assess the implications of the malware and actions that should be taken, Syed advises. “Once a hacker has complete control, that’s when you have problems.”

Inexpensive and open source forensics are available; the problem is finding the technical resources to appropriately use forensic technologies, he notes “Hiring and retraining forensic professionals is difficult. Compensation plays a big role as financial companies can pay much higher than healthcare. Good security pros get approached weekly.”

Syed suggests hospitals bring in security interns, train them and hope they stay for a while. He’s working with the Barnabas human resources department on hiring and training interns, “and leverage their expertise and eagerness to learn to my advantage.”

Finding a Balance
A major challenge for health organizations for many years, now exacerbated as the threat environment has significantly increased, is to find the right level and mixture of security without unduly imposing new burdens on those who use information technology.

While restricting access to data is part of Henry Ford’s security posture, so also is making it easier to share data to ensure business functions are not impeded. A cloud storage platform can support the sharing of information among authorized users and should be encouraged via a corporate-supplied cloud, Fowler says. Those needing such services and not getting it will go and find their own cloud service to get around the restrictions, he warns. “They’re just trying to get their jobs done.”

In a major new initiative, Henry Ford now has a full-time forensic analyst on staff, a position that Fowler says is not yet common in the industry. Most organizations adopting forensics outsource this function, “but their vendor is paying attention to us and other clients, and at a cost,” he adds.

The delivery system further belongs to several collaborative organizations that include the National Health Information Sharing and Analysis Center, Michigan Healthcare Cybersecurity Council and the CISO Coalition, an invitation-only program to share information in a safe environment “to see the threats coming before we get hit,” Fowler says.

Malware everywhere
With a little technical knowledge it is easy to become a hacker. The Dark Web, a subset of the Internet, is a malware marketplace enabling hackers to remain anonymous. Malware, says Daniel Bowden, vice president and CISO at Virginia-based Sentara Healthcare, can be easily purchased on the Dark Web and then easily find its way to you.

Most acquired malware is not new; it often is older software that someone else wrote and a hacker that buys it can tweak it for his or her own means, he explains.

It is imperative, he contends, that healthcare organizations engage in cyber threat information sharing programs to identify indicators of compromise “so you can block that host before it gets to you.”

Sentara Healthcare participates in national, healthcare-specific and Virginia-based threat sharing initiatives, and interactions with these entities happen throughout each day, Bowden notes. “If someone in your forum finds a threat, they publish it so you can see if you already are hit with it.”

He advises also not just having software programs that filter or block malicious activities, but also technology to determine if filters actually block the malware. And additional double-checks are available. “When we get shared feeds from the forum, we might find that Cisco already blocked something that you already blocked.”

There is never an opportunity to take a break, Bowden warns. “The business is always changing and data is always organically growing, so you need to constantly reset your capabilities, reviewing and re-evaluating how quick to recover if hit via data backups, recovery of snapshotted data or tapes.”

In the past year, Sentara has invested in a security operations center that includes logging tools that will show brute force attacks, phished credentials, untypical user behavior or a signature hit of specific malware.

But above all, a robust cybersecurity training program is a bulwark of protection. Sentara conducts annual training of 28,000 staff members as well as non-employed providers and others with access to information systems; the training is conducted in stages throughout the year.

The training program includes mock attacks on employees and others to identify those who made a mistake and need a security reminder. If someone clicks on a link they should not have, they are directed to a site that tells them they would have fallen prey to an attacker, and are told what the specific error was.

Phishing exercises are not just for large provider organizations; smaller ones need to do their best based on resources to always keep security top of mind, Bowman cautions. “If they have the right skill sets, smaller hospitals can write their phishing training programs and not have to buy a tool to deliver the campaign.”

(This article appears courtesy of our sister publication, Health Data Management)

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access