With healthcare moving into the digital age with things like Healthcare.gov, the digitization of patient records and video conferencing with patients, data has a much greater chance of being exposed than ever before.
It is no surprise that attacks on the healthcare field will continue to grow. A 2012 report put out by the Centers for Medicare & Medicaid Services stated that “Cybercriminals see greater incentives in stealing medical information rather than credit card numbers (“street” resale value is claimed to be $50 per health care client record versus $1 per credit card number)” (Harmonized Security and Privacy Framework, 2012).
As the world relies more on technology to conduct everyday tasks, the risk of sensitive data being stolen or leaked continues to increase. Society now lives in the era of the Internet of Things (IoT), that is, the concept of enabling network connectivity to virtually every object. It is argued that digital hospitals, for example, “provide an opportunity to improve the quality and safety of patient care, reduce inefficiencies and wastage, support world-class clinical research, and enable better management and administration of the hospital environment itself” (Deloitte, 2012). While these technological advances have increased the level of convenience for hospitals and patients alike, they do come with an increased risk of a data breach – whether malicious or accidental.
According to the SANS Institute, “the 2014 SANS Securing the Internet of Things Survey support the prediction that the healthcare/pharmaceutical space will be among those that experience the highest level of near-term deployment and use of IoT devices” (Filkins, 2014). This means that all systems designed for use in a medical capacity need to be designed with security in mind. That is, the design should support the confidentiality, availability, and integrity of all data. Ensuring confidentiality extends further than just patient-doctor privacy. Patient records contain some of the most coveted and private details about someone’s life. Therefore, steps must be taken to ensure that the privacy of all patients is safeguarded and meets all of the mandated privacy regulations. Availability is critical in treating patients. In emergency medical situations, every second counts. This means that the information needs to be accessible almost instantaneously. Additionally, the information needs to be accurate. If the integrity of the patient’s data is compromised, it could be life threatening.
To better understand the magnitude of this threat, let’s look at some statistics.
- According to the Identity Theft Resource Center (ITRC) “over 120 million people have had their medical and/or personal data exposed, as a result of healthcare industry data breaches. That represents 68.1% of the total number of breach victims created so far in 2015 across all industry sectors” (2015 Data Breaches, 2016).
- It is estimated that data breaches could be costing the medical and healthcare industry up to $6 billion annually. According to one study, “More than 90 percent of healthcare organizations represented in this study had a data breach, and 40 percent had more than five data breaches over the past two years. According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million” (Fifth Annual Patient Privacy & Data Security Report, 2015).
- When examining the source of malicious traffic, the SANS Institute found that “7% of traffic was coming from radiology imaging software, another 7% of malicious traffic originated from video conferencing systems, and another 3% came from digital video systems that are most likely used for consults and remote procedures” (Filkins, 2014).
In 2015, criminal attacks were the number one type of data breach (Benchmark Study on Privacy & Security of Healthcare Data, 2015). This paper aims to explore three approaches to mitigating the risk associated with hospitals using information technology, with the goal of reducing the chance of a cyber attack. The first approach examines the steps to implementing a high-level security program to educate and train all stakeholders in how to identify social engineering attacks. The following section covers the need for developing a strategy to protect the network assets and infrastructure. Lastly, this paper examines the third approach: the benefits and challenges of implementing a cloud service for healthcare professionals.
One of the techniques employed by malicious attackers is social engineering. According to Christopher Hadnagy, social engineering is defined as “the act of manipulating a person to take an action that may or may not be in the “targets” best interest. This may include obtaining information, gaining access, or getting the target to take certain action” (Hadnagy, 2010). Employers across the board seem to agree that employee negligence is by far their greatest threat. In fact, the Benchmark Study on Privacy & Security of Healthcare Data reported that 70% of respondents cited employee negligence as the biggest threat to the security of data in the healthcare field. The same study also reported that “96% of respondents say they had a security incident involving lost or stolen devices” (Benchmark Study on Privacy & Security of Healthcare Data, 2015). This essentially indicates that healthcare employers view employees as the number one cause for data breaches. The question remains, what can be done to mitigate this risk?
For starters, it is paramount that healthcare providers learn to create a culture of security for their employees. This includes continuing education programs to ensure that all employees are trained in identifying potential threats before they happen. One way to accomplish this objective is by developing an in-house security program. This is more than just talking about the risks. As Hadnagy states, “calling security awareness a “program” indicates that it is something ongoing. A program means you schedule time to continually educate yourself. After you obtain all this useful information, then you can use it to develop a program that will help you to stay secure” (Hadnagy, 2010). This continuous training embeds the culture of security in all employees and helps keep all personnel dedicated and up to date with the latest threats and means of mitigation.
One of the easiest ways to safeguard information and data is to apply the principle of least privilege: that is, ensuring employees have access only to the minimum information necessary to do their job. Social engineers use an array of tactics to footprint and gather information about a target. Some of these tactics include using daily interactions and pleasantries with the goal of establishing rapport with an unsuspecting employee. Training and educating employees about the techniques used by social engineers helps them recognize the potential for an attack and thus makes them less susceptible. Coupled with the principle of least privilege, this education means social engineers may find it more difficult to obtain the information needed to launch an attack because of the number of gatekeepers they must get through.
Social engineers also use malware to gain access to a system. This approach is successful for a number of reasons. For starters, malware can enter a network in a number of different ways, most of which appear innocuous to most employees. Additionally, it is very easy to impersonate someone else when sending an email; on its own, an email offers little means of identifying and authenticating the sender. For example, the malware CTB Locker “spreads through aggressive spam campaigns. The email poses as a fax message which carries a .zip archive as an attachment. If the executable file inside the zip file is accessed, the data on the system is encrypted and the victim is asked to pay a ransom to receive the decryption key” (Gheorghe, 2015). These types of attacks are becoming more and more prevalent. In fact, in late February of 2016, a Los Angeles hospital paid $17,000 to hackers in order to have its files decrypted. Ransomware is one of the biggest threats facing the healthcare industry for at least the foreseeable future.
Employees should be educated about these threats, and policies should be in place to help mitigate the risk. Of course, these policies need to be aligned with the regulations put forth by both the Medical Information Privacy and Security Act (MIPSA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as other compliance requirements mandated by law. The Federal Bureau of Investigation (FBI) has issued warnings about Business Email Compromise attacks, which also pose a huge threat to the healthcare industry. This is essentially when “criminals either hijack or impersonate the email of a senior member of staff in an organization” (Honan, 2015). Employers need to establish a policy for electronic communication to protect against an inadvertent breach caused by complying with what appears to be a demand from senior management. These policies should model the recommendations put forth by the Internet Crime Complaint Center (IC3), which are as follows:
- Establish a company web site domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
- Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out of office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and Financial security procedures and 2-step verification processes. For example:
  - Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
  - Digital Signatures: Both entities on either side of transactions should use digital signatures. However, this will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
  - Delete Spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
  - Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
  - Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
Lastly, it is imperative that employers conduct regular audits and compliance checks to ensure that all employees are following the policy. Policies are a wonderful thing to implement, but they must be followed and enforced. This includes making sure that employees do not click on links embedded in emails, having an accountability policy in place for stolen and misplaced devices, developing scripts for employees who are responsible for fielding telephone calls, minimizing access to hardware resources, and creating a culture of security through obscurity. Additionally, employers need to create a culture of security to which all employees are dedicated, as well as offer continued training to mitigate new risks as they become more prevalent. This training needs to be mandatory and enforced through security audits and other white-hat tactics.
Another approach to protecting against malicious attacks is securing the network and its assets. While the convention has always been to take all steps necessary to secure each endpoint on a network, that alone is not enough. According to the 2014 SANS Endpoint Security Survey, “attackers are bypassing perimeter protections en-masse and do not need to use stealth techniques to do so. These results show that, once compromised, these networks are not only vulnerable to breaches, but also available to be used for attacks such as phishing, DDoS and fraudulent activities launched against other networks and victims” (Filkins, 2014). Additionally, the same study reported that “security devices and applications themselves were either compromised, which is a common tactic among malware families, or that these “protection” systems are not detecting malicious traffic coming from the network endpoints inside the protected perimeter—inside the firewall or behind the VPN concentrator. If they are not detecting, they are not reporting—and that means they are out of compliance with privacy and security regulations for patient data” (Filkins, 2014).
Network security is only as strong as its weakest link. Therefore, it would be wise to use a segmented network architecture. In this way, network administrators and security analysts for a hospital can use subnets to protect the identity of nodes on a specific network. This approach also mitigates the risk of malicious attackers using port scanners to locate exposed ports and vulnerabilities in the infrastructure. It further allows administrators to use groups and permissions to limit exposure to data that may not need to be accessed, supporting the principle of least privilege. In other words, this approach lets nodes send data across the subnetwork, which is then routed to the outside world via a single host (or a small group of hosts), keeping the identities of the nodes on the subnetwork protected. Exposing the fewest possible nodes to potential hackers improves the overall quality and integrity of the network’s security.
Another component necessary for securing the hospital network is the use of firewalls. Firewalls enable administrators to prevent an unauthorized attacker on the outside from accessing a node on the network while also ensuring that inside users cannot access or transmit sensitive information. Simply put, firewalls keep malicious activity from entering a network and keep critical sensitive data from leaving. It is paramount to understand that firewalls alone are not enough to protect against network intrusions and secure sensitive data. Firewalls must work in conjunction with established firewall security policies, which are ultimately responsible for determining which traffic should be allowed to pass through a network’s boundary.
According to Pfleeger, a packet filtering gateway is a great way to “screen traffic before it gets to a protected network” (Pfleeger & Pfleeger, 2012). This filter either blocks or allows packets based on the destination IP address of each packet. The packet filtering gateway is also capable of examining the transfer protocol associated with each packet. This is how this particular type of firewall regulates network boundary access. Additionally, packets that are not explicitly included in the firewall’s security policy are automatically discarded, so the default is to deny. While Pfleeger argues that these screening routers are “the simplest, and in most cases, the most effective type of firewall” (Pfleeger & Pfleeger, 2012), it is worth exploring the benefits of utilizing a circuit-level gateway in conjunction with the primary firewall.
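A small first-match, default-deny packet filter of the kind described above, written for this page as an added example (it is not Pfleeger’s code or any product’s); it also illustrates the segmented-subnet approach from the preceding paragraph by keeping workstation, server, imaging and egress subnets apart. The segment names, addresses and ports are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example: a stateless, first-match, default-deny packet filter that
# screens traffic between assumed hospital subnets. All values are illustrative.

@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port; 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

# Assumed segments: clinical workstations (10.10.1.0/24), EHR/PACS servers
# (10.10.20.0/24), radiology imaging modalities (10.10.30.0/24) and a single
# egress proxy (10.10.250.1) that is the only host routed to the outside world.
POLICY: List[Rule] = [
    # Workstations reach the EHR servers over HTTPS only.
    Rule("allow", "10.10.1.0/24", "10.10.20.0/24", "tcp", 443),
    # Imaging modalities send studies to the PACS server (assumed 10.10.20.5) over DICOM.
    Rule("allow", "10.10.30.0/24", "10.10.20.5/32", "tcp", 104),
    # The imaging segment accepts no inbound connections from anywhere.
    Rule("deny", "0.0.0.0/0", "10.10.30.0/24", "any", None),
    # Only the egress proxy may open web connections to the outside world.
    Rule("allow", "10.10.250.1/32", "0.0.0.0/0", "tcp", 443),
    Rule("allow", "10.10.250.1/32", "0.0.0.0/0", "tcp", 80),
]

def decide(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """Return the action of the first matching rule; unlisted traffic is dropped."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # default deny: the policy must name traffic to permit it

def filter_packets(packets, policy=POLICY):
    """Screen a batch of packets and pair each with its decision."""
    return [(p, decide(p, policy)) for p in packets]

# Constructed sample traffic, one packet per case the rules are meant to cover.
SAMPLE_PACKETS = [
    Packet("10.10.1.15", "10.10.20.7", "tcp", 443),     # workstation -> EHR: allow
    Packet("10.10.1.15", "10.10.20.7", "tcp", 22),      # SSH to EHR: not listed, deny
    Packet("10.10.30.9", "10.10.20.5", "tcp", 104),     # modality -> PACS: allow
    Packet("10.10.1.15", "10.10.30.9", "tcp", 445),     # workstation -> imaging: deny
    Packet("10.10.1.15", "203.0.113.10", "tcp", 443),   # workstation direct egress: deny
    Packet("10.10.250.1", "203.0.113.10", "tcp", 443),  # proxy egress: allow
    Packet("198.51.100.4", "10.10.20.7", "tcp", 443),   # inbound from outside: deny
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<5} {verdict}")
```

Because the filter is stateless, return traffic for each permitted flow would need its own rule in a real deployment; the example keeps to the one-directional screening the paragraph describes.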
Pfleeger defines a circuit-level gateway as “a firewall that essentially allows one network to be an extension of another” (Pfleeger & Pfleeger, 2012). This type of firewall works by examining incoming and outgoing packets to ensure that data being sent or received is actually going to or coming from the target network. Packets that are being sent to or received from the target network are then encrypted or decrypted as needed, while packets not going to or coming from the target network are routed through the primary firewall instead.
One of the most critical tactics in securing a network is the use of encryption. For example, if a medical office with multiple locations wanted to be able to safely and securely transfer patient information from one location to another, it could establish a virtual private network (VPN). A VPN works through the circuit-level gateway by using link encryption. In link encryption, data is encrypted just prior to transmission and decrypted immediately upon arrival. Another encryption method, end-to-end encryption, encrypts and decrypts data at the highest level of the network protocol stack. In this way, data stays encrypted throughout the entire transmission – even when it is routed through several hosts before reaching its intended destination. There are several differences between these two encryption methods, as seen in Table 1 below.
Many industries have started shifting their computing into the cloud. One of the main benefits of cloud computing is cost savings. With providers like Amazon Web Services, users can have the appearance of a large data center without the cost; that is, businesses pay only for the services they use. Additional savings come from no longer needing power-hungry hardware to host and store data. Additionally, Amazon Web Services – as well as other cloud providers – are scalable, highly available, and provide an affordable means of backing up sensitive data, since it is stored offsite in the cloud.
Another benefit of using the cloud is that information can be accessed remotely, which enables fast sending and receiving of patient files. This speed of availability is paramount in most emergency medical situations. Conversely, the cloud is dependent upon internet connectivity; therefore, if the medical facility is experiencing an outage, the data in the cloud would be inaccessible. This is why many professionals recommend having secondary internet service from a separate provider to ensure redundancy.
One of the biggest threats to date facing cloud computing is operating with insecure application programming interfaces (APIs). APIs are the set of rules that dictate how third-party software interacts with systems. If a third-party application has an API that communicates with the cloud platform and has any known vulnerabilities, attackers may be able to exploit this weakness. It is very important that administrators ensure that all software operating in conjunction with sensitive data is up to date and free from all known vulnerabilities.
In conclusion, employers need to create a culture of security for their employees. Ensuring that hardware is protected by locking USB ports, using self-encrypting hard drives, and using biometric functionality are great ways to enhance security. However, there is more to protecting data than just protecting the physical infrastructure and systems. Employees need to be educated, trained, and audited on the latest tactics employed by social engineers in order to mitigate those particular types of attacks. Additionally, network administrators and security personnel need to be proactive in finding and eliminating vulnerabilities in their infrastructure. Tools like port scanners and packet sniffers are great in the sense that they offer administrators a real-time look at network and port activity. Employing the same tactics as a malicious attacker allows administrators to be more hands-on in their defense strategies against a possible attack. Finally, healthcare managers exploring the cloud should first run a cost-benefit analysis to see whether migrating to the cloud is in their best interest. Additionally, medical facilities should look to implement some form of cyber insurance to reduce the cost of liability in the event of a data breach.
2015 Data Breaches | ITRC Surveys & Studies | ID Theft Blog. (2016, January 25). Retrieved March 1, 2016, from http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. (2015, May). Retrieved March 1, 2016.
Filkins, B. (2014, February). Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon. Retrieved March 1, 2016, from http://www.sans.org/reading-room/whitepapers/analyst/health-care-cyberthreat-report-widespread-compromises-detected-compliance-nightmare-horizon-34735
Gheorghe, A. (2015, May 28). How Does Ransomware Work? The Ultimate Guide to Understanding Ransomware – Part II. Retrieved March 05, 2016, from http://www.hotforsecurity.com/blog/how-does-ransomware-work-the-ultimate-guide-to-understanding-ransomware-part-ii-11856.html
Hadnagy, C. (2010, November 29). Social Engineering: The Art of Human Hacking. Wiley. Kindle Edition.
Harmonized Security and Privacy Framework – Exchange Reference Architecture Supplement. (2012, August 1). Retrieved March 1, 2016, from https://www.cms.gov/CCIIO/Resources/Regulations-and-Guidance/Downloads/Harmonized-Security-and-Privacy-Framework-ERA-Supp-v-1-0-08012012-a.pdf
Healthcare Industry Data Breaches in 2015. (2015, November 26). Retrieved March 1, 2016, from http://www.hipaajournal.com/healthcare-industry-data-breaches-2015-8192/
The $6 Billion Medical Liability Epidemic: Data Breaches. (2015). Insurance Journal, 90(17). Retrieved March 1, 2016, from http://www.insurancejournal.com/magazines/features/2015/06/15/371028.htm
Pfleeger, C. P., & Pfleeger, S. L. (2012). Analyzing computer security: A threat/vulnerability/countermeasure approach. Upper Saddle River, NJ: Pearson Education International.
Ubiquiti Networks victim of $39 million social engineering attack. (2015, August 6). Retrieved March 05, 2016, from http://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html