The hospital's guide to getting hacked

If your hospital or health system hasn't been hacked yet, that's likely to change.

 

 

 

 

 

 

 

 

 

 

2014 was a record year for cyberattacks. The healthcare industry comprised 42 percent of all major data breaches reported in the U.S., compromising 8.25 million records, according to Identity Theft Resource. Experts predict cybercriminals won't slow down in 2015 at all.

This year, one in two healthcare organizations will have experienced between one and five cyberattacks in a 12-month span, according to IDC Health Insights.

Given the inevitability of hacks and breaches, here is your definitive five-part guide to getting hacked — who is at risk, how to prevent attacks, how to manage the organization and CIO's reputation, and what you can do to minimize risk of future attacks.

Know and accept that you are at risk of being hacked
No hospital or healthcare organization is immune to cyberattacks or hackers. Every healthcare entity, be it a world-renowned academic medical center in one of the biggest cities in the country or a critical access hospital nestled in the foothills of Appalachia, faces security risks. The main difference is the source of the attack and the type of information bad actors seek.

Robert Faix, principal at healthcare IT-focused consulting firm Impact Advisors, says healthcare risks and threat profiles largely fall into two schools of thought. At one end are the big name, high-profile medical centers that likely have more robust intrusion detection systems. These hospitals are at risk due to the volume of potential information that can be stolen, or, Mr. Faix adds, "simply because of their name." On the other end are smaller, under-100-bed hospitals with tighter budgets and fewer resources for IT protection and security, which can lead intruders to view them as potentially easier targets.

"Both are equally at risk, but for different reasons," says Mr. Faix. "And then you run the gamut in between. Everybody's susceptible; it's just a different type of threat profile."

Additionally, Jim Koenig, global leader of Booz Allen Hamilton's privacy practice, says the type of information cyberattackers are after will determine which hospitals they target. Personal identification information is certainly a coveted resource, but given the wealth of data healthcare organizations house, hackers have their pick of information.

"The more sophisticated attacks are often government-organized attacks. They're searching for intellectual property," Mr. Koenig says. "Large hospital systems have a significant amount of intellectual property related to medical devices."

Hackers who steal this information may use it to develop replicated devices to sell on the black market or develop some other technology, Mr. Koenig says.

Other hackers may seek personal information for identity theft or defrauding purposes, which can be attained from any healthcare organization.

All in all, no healthcare organization is safe. So who are you up against?

Who are the hackers?
Cyberattack threats sound ominous, and healthcare organizations should be alert and on guard. However, huge, targeted cyberattacks that infiltrate a health system's data network are not going to be the norm. In fact, these types of cyberattacks are rather infrequent — they mostly create headlines and inflate national worry.

Instead, insider threats — even carelessness of employees losing hardware — are what health systems will more likely face. The biggest threat facing hospitals really boils down to ordinary forgetfulness and human error.

Paul Christman, vice president of the public sector at Dell Software, breaks down the highest threats and cybersecurity risks. According to the 2014 Verizon Data Breach Investigations Report, a large portion of data breaches — approximately 46 percent of those experienced by healthcare organizations — were due to lost or stolen assets, says Mr. Christman, adding that those types of breaches are wholly preventable.

Insider misuse is the second most frequently cited cause of security incidents for healthcare organizations. Targeted cyberattacks are very low on the risk scale, Mr. Christman says. "The idea of the black hat hacker going after [a healthcare organization] is relatively rare. We just need to keep better track of the devices that we use."

"Cybersecurity is about vigilance, diligence and preparation," Mr. Christman continues. "Over the next year, we will see some spectacular breaches. But if we focus only on the breaches caused by external threats or other newsworthy security incidents, we're going to miss the everyday work that needs to be done through good IT management and good executive leadership."

Once you've been hacked, transparency is key
A healthcare organization's commitment is to the patients, and that does not change after experiencing a data breach.

Mr. Faix says hospitals have an implied "social responsibility" to the patients and communities they serve, partly to be transparent for transparency's sake and partly because patients and communities expect this level of communication and acknowledgement. Hospitals have the responsibility to educate patients about how the breach could impact them and what services are being made available to protect their information from further harm.

"Moreover, the social responsibility of a well-managed communication strategy can go a long way to control rumors and preserve reputation within the community and the industry," Mr. Faix says.

Preserving reputation is undoubtedly important following a data breach, and hospitals are largely in control of shaping their message.

And that message, Mr. Faix continues, should be one of actions taken and not one of impenetrability. "No CIO should ever stand up and declare, 'We are breach-proof,'" he says. "The conversation today is…it's not a matter of if but a matter of when."

The type of CIO that patients, communities and hospital leaders should want leading the IT department is one who has an appreciation for the wide variety of threats to securing patient data, who has a plan in place and can work with information security professionals to implement the appropriate safeguards and demonstrate a commitment to IT security.

What's more, the reputation issue affects more than just the information systems in an organization.

"It's really become a business issue," Mr. Christman says. "It's something that's now top of mind for not just the CISO or the CIO, but it's really inside the [C-suite] constellation."

For example, CFOs have a stake in the game because of the potential for incredible costs associated with responding to data breaches. COOs are concerned because of the effect breaches can have on labor relations and other elements of everyday operations. "From that perspective, the idea of looking at [breach responses] holistically is the way we get after some of the good solutions, which are not necessarily just about technology. It's holistic security," Mr. Christman says.

The gritty details
Communicating a breach response plan to the community is moot if there is no breach response plan to implement. A step-by-step plan should be in place at your hospital today.

The very first thing healthcare organizations should do upon learning of a hack or breach is notify the organization's breach response team, says Aldo Leiva, partner at healthcare-focused law firm Lubell Rosen and leader of the firm's data security and privacy practice. This assumes a hospital already has a plan or team in place, including the chief privacy officer, chief technology officer and general counsel.

After completing the forensic analysis and determining who or what was responsible for the breach, Mr. Leiva says hospitals need to contact law enforcement and determine what other outside consultants, if any, are required. This is where different sized organizations will have to spend varying amounts of attention. Of course the federal government has its own breach notification laws and HIPAA compliance regulations. However, 47 states (all except Alabama, New Mexico and South Dakota) also have their own legislation requiring entities to notify certain parties affected by a breach.

Multi-state health systems, if suffering a breach, have to comply by each individual state's requirements and balance that with federal requirements; a tedious yet incredibly important task.

Additionally, organizations should consider their communication strategy, Mr. Leiva says, which may involve a public relations team to help assemble the language and shape the message the organization intends to relay to the public at large.

As with any response plan, healthcare organizations should practice the strategy and conduct fire drill-type run-throughs to make sure all involved participants know what they should be doing at what times on the actual day of a data breach. As Mr. Leiva says, "the day that it really happens is becoming more likely."

Mr. Christman of Dell Software agrees, saying cybersecurity events should be part of disaster recovery planning, just as hospitals have plans in place for earthquakes or natural disasters. "If you are creating your response plan on the fly as the incident happens, you're not doing it right," he says.

Mr. Christman says Dell refers customers to the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity, a resource that can guide organizations in their cybersecurity incident response.

Booz Allen Hamilton also developed a guide with HHS and the Health Information Trust Alliance for healthcare providers. The guide contains scenarios and cybersimulations for organizations to practice their response plans. The results of the industry's first simulated cyberattack, which HITRUST carried out April 1, 2014, revealed healthcare organizations' unpreparedness of dealing with a hack, Mr. Koenig says.

"It showed [organizations] that we have to practice the dance even though we receive the instructions for how to do it. We need to choreograph what we need to do so when something comes, we're not thinking, just reacting," Mr. Koenig says. "Testing the systems is a very inexpensive way for organizations to understand their readiness."

Investing now in cybersecurity more than pays for itself in the long run. The costs of suffering a data breach are enormous, and as a protection, more and more organizations are purchasing cyberliability coverage to offset the monetary consequences of an attack, Mr. Leiva says.

The number of organizations with cyber insurance policies more than doubled from 2013 to 2014, growing from 10 percent of organizations to 26 percent of organizations, according to Experian.

Mr. Leiva says he recommends all his clients purchase cyber liability coverage. "The bigger you are and the more patient information you're storing, the bigger the cost of responding," he says.

The neverending story
The healthcare breach drama is one that will never end.

"You don't win this game," Mr. Faix ominously projects. "This is the ultimate cat and mouse game. It cannot be won definitively."

Cyberthreats will always be present for a multitude of reasons. Not only will medical records and personal health information always be valuable, but conditions are changing and hackers are becoming more innovative.

Put another way: "It's a moving target," says Mr. Leiva. "The antivirus patches that are being released are reacting to something that happened in the past. It's an ongoing race that never stops because the hackers keep coming up with malicious code or new techniques."

What's more, hospitals are particularly vulnerable right now because they can't keep up with the number and types of threats, says Mr. Koenig.

"Nobody did anything wrong, but the rate at which the cyberthreat sophistication and pervasiveness has come to hit healthcare has outpaced the normal spend and effort on maintaining and updating good security in healthcare organizations," Mr. Koenig says.

No, healthcare organizations won't find a reprieve from the threats.

"We are never going to be completely protected from hackers," says Mr. Christman. "To provide complete protection, that would require shutting down the organization, and that's not viable. The only way to be completely secure from hackers is to disconnect yourself from the Internet."

More articles on data breaches:

Hackers break into Anthem: 10 things to know
8 recent data breaches
5 cybersecurity trends in healthcare

© Copyright ASC COMMUNICATIONS 2018. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months