Essential Steps for Cybersecurity
On April 8, 2014, the FBI took the unprecedented step of sending private notices to healthcare providers, warning them that their cybersecurity systems were weak at a time when hackers are more eager than ever to steal patients’ records so they can commit a range of cybercrimes.
“The healthcare industry is not as resilient to cyberintrusions compared to the financial and retail sectors, therefore the possibility of increased cyberintrusions is likely,” said the FBI’s private notice, which was obtained by the Reuters news agency.
The FBI’s concerns mirror those of the global information services company Experian. In its 2015 Data Breach Industry Forecast, Experian called the healthcare industry “a vulnerable and attractive target for cybercriminals.”
“Over the last three years in the United States, we have seen between 2,500 and 3,000 serious data breach incidents annually, such as the data breach at Target where millions of customer credit card numbers were exposed,” says Michael Bruemmer, Experian’s vice president for data breach resolution. “Forty-six percent of these attacks were aimed at the healthcare and pharmacare industries.”
Healthcare’s vulnerability to cybercrimes will increase as further data-sharing requirements kick in. This is why now is the time for healthcare providers to get serious about enhancing cybersecurity.
‘Anticipate and Foil’
That’s already happened at Seattle Children’s Hospital (SCH). Five years ago SCH hired Cris Ewell to act as its first chief information security officer (CISO), with the power to report problems and recommend solutions directly to top management and SCH’s board.
“My job is to create and manage a proactive risk management strategy for every bit of data that goes through SCH,” says Ewell. “This means if I find something IT-related that falls into the category of unacceptable risk, I can get it dealt with immediately in order to protect our data security.
“With all the threats to healthcare data that are out there, we don’t have time as providers to sit back and react to threats; we have to anticipate and foil them up front,” Ewell adds. “Fortunately, the people in charge of SCH know this and have given me the ability to proactively keep our data safe.”
According to Reuters’ report on the FBI’s notice to healthcare providers, patient data stolen by hackers commands a high price among criminals. “Cybercriminals were getting paid $20 for health insurance credentials on some underground markets, compared with $1 to $2 for U.S. credit card numbers prior to the Target breach,” the report said, citing cybersecurity firm Dell SecureWorks.
There are many reasons why healthcare data is so valuable. “Health insurance data makes it possible for people lacking health insurance to use someone else’s policy to cover their expenses,” Bruemmer says. Patient records can be used to obtain controlled substances under phony prescriptions, giving drug pushers easy access to quality, high-profit product. The data can also be used to fraudulently establish credit card accounts under patients’ names, while the attached Social Security numbers can be used to commit identity theft.
Unfortunately, many healthcare providers’ cybersecurity is just not up to the task of protecting their records against such motivated hackers. One reason is that this sector has traditionally been focused on healing patients, not protecting their data. Another is the highly distributed nature of healthcare data storage, with patient information being located on a range of servers with varying degrees of security and monitoring.
“Even if a hospital does a good job of protecting its files, the third-party suppliers who work with them may not,” warns Ewell. “A savvy hacker might exploit a weakness in such a supplier to get into the hospital’s database and steal what they want.”
A third reason healthcare providers are vulnerable is due to staff carelessness. In fact, “80% of the instances of cyberintrusion can ultimately be traced to staff negligence,” Bruemmer says. “Whether through opening ‘phishing’ e-mails that allow viruses to be inserted into a hospital’s LAN or using easily guessed passwords like 123456 and password, staff can end up opening the doors to intruders and data theft.”
Steps to Take
What can healthcare organizations do to firm up their cybersecurity? Seattle Children’s Hospital’s decision to create a CISO with the power to act proactively against hackers is an excellent option. Having someone in this position—“distinct from the IT department,” says Ewell, “so there are no conflicts of interest”—can drive the actions and attitude change required to deal with hackers these days. It is a change as fundamental as someone from a small town moving to New York City and learning to lock their doors at night.
Hiring an IT security professional to conduct a cybersecurity audit is a very good idea. So is hiring a firm such as Experian to do such an audit, recommend solutions to deal with current threats and then help establish a healthcare provider’s ongoing cybersecurity management system. “Hackers are just going to become more and more sophisticated as time goes by,” Ewell notes. “This means healthcare providers have to prepare to combat their attacks on a continuing basis—without end.”
To underscore that point, Premera reported a breach in March that affected around 11 million customers. The larger Anthem breach earlier this year may have involved as many as 80 million. The cost of the latter could top a staggering $100 million, exceeding the company’s cyberinsurance coverage.
Healthcare providers also have to educate their staff members on cybersecurity in a meaningful and engaging manner, so these people show vigilance in handling patient data, forwarding suspicious e-mails unopened to their cybersecurity departments and avoiding virus-ridden websites. (The smartphones and Web-connected tablets employees bring to work have to be guarded against as well. SCH routes such traffic through an electronically isolated part of their network, so that any viruses/malware these devices either carry or contract can’t get into the hospital’s database.)
The bottom line: “It is possible for healthcare providers to significantly improve their levels of cybersecurity protection,” says Bruemmer. “But it doesn’t just happen. You have to work at it on a committed, ongoing basis.”
James Careless is a freelance writer with extensive experience covering computer technologies.
Sidebar: Cybersecurity Tips
The U.S. government’s HealthIT.gov site offers the following tips for cybersecurity in healthcare:
- Establish a security culture that makes good habits and practices automatic.
- Protect mobile devices with strong authentication and access controls.
- Use a firewall.
- Install and maintain antivirus software.
- Maintain good computer habits: Uninstall non-essential software, secure backdoor connections, monitor for patches and updates, disable old accounts quickly.
- Plan for the unexpected. Create data backups regularly and reliably.
- Control access to protected health information; use role-based access control.
- Use strong passwords and change them regularly.
- Limit network access. All new software and applications should require approval.
- Control physical access to devices, secure areas.
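To make the access-control and account-hygiene items above concrete, here is an added example in Python; it is not from the article or from HealthIT.gov. It shows a minimal role-based access check for patient records that logs every request, a helper that disables an account by stripping its roles, and a simple audit-log review that flags accounts reading an unusually high number of records. The role names, actions and record identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from collections import Counter


class Action(Enum):
    READ = "read"
    WRITE = "write"
    EXPORT = "export"


# Role -> permitted actions on protected health information (PHI).
# Constructed roles for illustration; a real deployment would load these
# from a policy store. Least privilege: nothing is granted unless listed here.
ROLE_PERMISSIONS = {
    "physician": {Action.READ, Action.WRITE},
    "billing": {Action.READ},
    "records_officer": {Action.READ, Action.EXPORT},
    "front_desk": set(),  # no direct PHI access
}


@dataclass
class User:
    name: str
    roles: set


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_access(user, action, record_id, audit_log):
    """Decide whether `user` may perform `action` on `record_id`.

    Every request, allowed or denied, is appended to `audit_log` so that
    permitted-but-unusual activity can still be reviewed later.
    """
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    allowed = action in granted
    roles = ",".join(sorted(user.roles)) or "<none>"
    reason = (
        f"{action.value} permitted by role(s) {roles}"
        if allowed
        else f"{action.value} not granted to role(s) {roles}"
    )
    audit_log.append(
        {"user": user.name, "action": action.value, "record": record_id, "allowed": allowed}
    )
    return Decision(allowed, reason)


def disable_account(user):
    """'Disable old accounts quickly': stripping all roles denies every action."""
    user.roles = set()


def high_volume_readers(audit_log, threshold):
    """Return users whose count of allowed reads exceeds `threshold`.

    A crude form of the monitoring the tips call for: a single account
    reading far more records than its peers is worth a second look.
    """
    counts = Counter(
        e["user"] for e in audit_log if e["allowed"] and e["action"] == Action.READ.value
    )
    return sorted(u for u, n in counts.items() if n > threshold)


if __name__ == "__main__":
    log = []
    dr = User("dr_lee", {"physician"})
    clerk = User("bill_ops", {"billing"})
    print(check_access(dr, Action.WRITE, "rec-001", log))     # allowed
    print(check_access(clerk, Action.WRITE, "rec-001", log))  # denied
    for i in range(5):
        check_access(clerk, Action.READ, f"rec-{i:03d}", log)
    print(high_volume_readers(log, threshold=3))              # ['bill_ops']
    disable_account(dr)
    print(check_access(dr, Action.READ, "rec-001", log))      # denied
```

The design choice worth noting is that allowed requests are logged alongside denials: a role can be perfectly correct and an account still be misused, so the review step works from the full log rather than from failures only.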
Sidebar: What Anthem Did in Response to Its Data Breach
While Anthem has taken some high-level heat for its response to this year’s massive data breach, the company has taken some steps in response.
After learning of the intrusion in January, it contacted the FBI to begin investigating and hired the cybersecurity company Mandiant to shore up its defenses. It also reached a deal with AllClear ID to automatically provide two years of free identity theft repair and credit monitoring services to members of affected plans. These members can upgrade at no cost to add ID theft insurance.
Anthem also set up a dedicated website to deal with fallout (www.anthemfacts.com) and is contacting potentially impacted members with information on the credit monitoring and ID theft services. It offers a dedicated toll-free phone number for questions about the incident. As many as 80 million current and former customers and employees may be at risk.
Take-Home Points
HOSPITALS—Vulnerabilities include employee carelessness and the distributed nature of healthcare data storage, with patient information residing on a range of servers with varying degrees of security and monitoring.
CARE PARTNERS—Data must be airtight; hackers may target partners for backdoor access.
ALL PLAYERS—Strategies include designating a dedicated information-security staffer; having a professional audit done; creating cultural vigilance; and ensuring tablets, smartphones and other mobile devices are secure.