Cyber security was a top issue for healthcare CIOs and their teams in 2014, as they continued to deal with issues such as targeted attacks, mishandled and lost records and the introduction of new technologies (like cloud computing and wearables) into hospitals and clinics. A November 2014 study by Bitglass discovered that nearly half of data breaches in the U.S. involved healthcare providers, and that the sensitive information lifted from them was up to 50 times more valuable than credit card data.
With credit card issuers already beginning the transition to chip-and-PIN technology to replace insecure magnetic stripes, it’s possible that healthcare records will become more lucrative once payment cards are harder to compromise. What can cyber criminals do with this pilfered information? They can sell it, certainly, but they can also use it for identity theft and, potentially, to manipulate networked medical devices. The Ponemon Institute estimated that medical identity theft cost providers and patients $12 billion in 2013.
Even cyber security incidents that didn’t target actual hospitals, clinics or insurers have often had repercussions for the healthcare industry. For example, the Sony Pictures breach in late 2014 exposed terabytes of data on company employees, including medical details for them as well as their spouses and dependents. With this incident and others from last year in mind, let’s look at what could be ahead for healthcare security in 2015, including:
- Increasing pressure on hospitals, owing to regulations, electronic health records and wearables.
- New incentives for collaboration with state and federal governments.
- Hacktivism, malware and distributed denial-of-service attacks.
Nonprofit hospitals show impact of legislation, EHR transition and new devices
Recent breaches have shown that both big and small healthcare providers are at risk. For example, last year more than 4 million patient records were breached at Community Health Systems, the second largest for-profit hospital chain in the U.S. At the same time, nonprofit hospitals around the country have faced mounting pressure from Web-based cyber attacks, especially in the wake of budget cuts and the introduction of electronic health record systems at more provider sites.
ACA, EHR and security testing
With the rollout of the Affordable Care Act, hospitals are delivering care to a growing number of patients. For some nonprofit institutions, this change has created a budget crunch as operating costs rise faster than revenues. Standard & Poor’s has maintained a negative outlook for hospital bond ratings, at a time when hospitals are not only taking on more patients than ever but also upgrading their systems for EHR.
Accordingly, there may not be much time or money left over for comprehensive network security testing. Vulnerabilities then go unfound, putting patient information at risk in an increasingly hostile environment. Websense found that in September 2014, cyber attacks against hospitals had surged 600 percent year-over-year, in part because of the growing digitization of healthcare records. A 2015 Experian report forecasting data breaches for this year cited the same EHR trend, as well as the rising uptake of wearables in healthcare – i.e., wristbands, Bluetooth-enabled adhesive bandages and other tracking/monitoring devices – as risk factors for healthcare organizations this year.
Wearables, privacy and breaches
One in ten Americans already owns a wearable of some kind, and research firm Gartner has estimated worldwide sales in 2014 at 70 million. Gadgets like the Jawbone UP and the upcoming Apple Watch have already captured consumers’ imaginations, but the long-term impact of having a smart device on one’s body may be felt most of all in the healthcare industry, where there are potential use cases such as outpatient monitoring.
Still, staying on top of wearables and the data that they transmit over Bluetooth and Wi-Fi will be challenging given the new attack surfaces and privacy concerns. An October 2014 report by PricewaterhouseCoopers found that 82 percent of respondents to its survey were concerned about privacy invasions, while 86 percent believed that wearables made them more prone to data breaches.
State and federal officials look to improve breach data sharing and protect health information
Healthcare providers are expected to be prime targets for cyber criminal campaigns in the coming years, according to security researcher Jon Oltsik, who pointed to the declining prospects for credit card data theft as one reason that cyber criminals would channel their efforts toward health records. Fortunately, government officials seem to be taking note of this trend and calling for collaboration on, and regulation of, health security issues.
The New York Attorney General has called for biometric data and medical and health insurance information to be covered by the state’s definition of “private information.” New Jersey Governor Chris Christie also recently signed a bill requiring insurers in the state to encrypt healthcare data and to protect their systems with measures beyond a username and password alone.
At the federal level, the White House’s updated Cybersecurity Legislative Proposal promotes enhanced data sharing that could benefit healthcare cyber security. The Health Information Trust Alliance (HITRUST) has applauded the proposal for its emphasis on notifying individuals about data breaches and on public-private collaboration to head off breaches before they happen.
Malware, DDoS remain key concerns for healthcare industry
While lost and stolen files – rather than hacking – still account for the bulk of all security incidents in healthcare, CIOs and their teams also need to keep an eye on malicious activity. For example, last April Boston Children’s Hospital suffered a week-long DDoS attack that hampered access to email. A Fortune 500 company that ran its own healthcare network was also hit in 2014 by CryptoLocker, the ransomware that encrypts victims’ files with strong public-key cryptography and adds a countdown timer to pressure them into paying.
Going forward, network security, two-factor authentication and other cyber security measures will be critical for keeping healthcare systems safe. Organizations must keep their eyes on both external and internal threats.
“If you don’t have the proper segmentation in place, or you don’t have strong credentials in place, or dual-factor authentication, then if an employee brings malware into the system it potentially opens up that system to all kinds of vulnerabilities,” observed Ari Baranoff, Assistant Special Agent in Charge, US Secret Service, Criminal Investigative Division, in a recent interview with HealthITSecurity.com.
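Baranoff’s point is that segmentation and strong credentials cover different gaps, and an infection on one workstation shows where each one helps. The following is an added example, not code from the original article or from any of the organizations it mentions: a small model that computes the “blast radius” of a single malware-infected workstation under a flat network and a segmented one, with and without a second logon factor on the EHR tier. Every hostname, zone, firewall rule and the `blast_radius` function are hypothetical and constructed for the example.

```python
# Added example (not from the original article): a small model of the "blast
# radius" of one malware-infected workstation, contrasting a flat network with
# a segmented one and showing what a second logon factor adds. Every host,
# zone and firewall rule below is hypothetical and constructed for the example.
from collections import deque

# Constructed inventory: hostname -> network zone.
HOSTS = {
    "ws-nurse-01": "workstations",
    "ws-billing-03": "workstations",
    "mail-01": "corp",
    "file-01": "corp",
    "ehr-app-01": "clinical",
    "ehr-db-01": "clinical",
    "infusion-pump-07": "meddev",     # embedded device, cannot run an MFA agent
}
ZONES = set(HOSTS.values())

# A policy is the set of (source_zone, destination_zone) pairs the firewall
# permits. Flat network: every zone can talk to every other zone.
FLAT_POLICY = {(src, dst) for src in ZONES for dst in ZONES}

# Segmented network: traffic stays inside a zone, plus three business-need
# exceptions (users reach mail/files and the EHR front end; the EHR tier
# integrates with the medical-device zone). Workstations never reach meddev.
SEGMENTED_POLICY = {(z, z) for z in ZONES} | {
    ("workstations", "corp"),
    ("workstations", "clinical"),
    ("clinical", "meddev"),
}

# Hosts whose logons require a second factor, so a password harvested by
# malware on a workstation is not enough to log on to them.
MFA_HOSTS = frozenset({"ehr-app-01", "ehr-db-01"})


def blast_radius(start, hosts, policy, mfa_hosts=frozenset()):
    """Return the set of hosts an attacker who controls `start` can go on to compromise.

    Lateral movement is modelled as a breadth-first walk: a target falls if some
    already-compromised host sits in a zone the policy allows to reach the
    target's zone, and the target does not demand a second factor. Hosts behind
    MFA may still be reachable on the network but are not counted as
    compromised, because stolen passwords alone do not work there.
    """
    compromised = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        src_zone = hosts[current]
        for target, dst_zone in hosts.items():
            if target in compromised:
                continue
            if (src_zone, dst_zone) not in policy:
                continue                      # firewall blocks this hop
            if target in mfa_hosts:
                continue                      # reachable, but logon needs a second factor
            compromised.add(target)
            queue.append(target)
    return frozenset(compromised)


if __name__ == "__main__":
    start = "ws-nurse-01"                     # the workstation the employee infected
    scenarios = [
        ("flat, passwords only", FLAT_POLICY, frozenset()),
        ("segmented, passwords only", SEGMENTED_POLICY, frozenset()),
        ("flat + MFA on EHR tier", FLAT_POLICY, MFA_HOSTS),
        ("segmented + MFA on EHR tier", SEGMENTED_POLICY, MFA_HOSTS),
    ]
    for label, policy, mfa in scenarios:
        hit = blast_radius(start, HOSTS, policy, mfa)
        print(f"{label:30s} {len(hit)}/{len(HOSTS)} hosts: {sorted(hit)}")
```

Run stand-alone, the four scenarios make the agent’s “or” concrete: segmentation by itself still loses every host, because the permitted workstations-to-clinical-to-meddev path chains all the way to the infusion pump; MFA by itself protects the EHR servers but leaves the pump, which cannot enforce a second factor, exposed on a flat network; only segmentation plus MFA confines the infection to the workstation and corp zones.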