How Hospitals Can Prepare for Inevitable Breaches of Patient Data
Snapshot
A series of high-profile breaches underscored the vulnerability of online records and the ability of cyber-criminals to quickly adapt their tactics. Providers and vendors are intensifying efforts to protect data from prying eyes.
Breaches of confidential patient information are proliferating and the culprits are more sophisticated and sinister than ever. A few years ago, the typical incident involved a petty thief who snatched a laptop computer or an employee who accidentally exposed patient data online. Now, hackers and spies stalk the entire health care environment every day, at organizations large and small.
Their goal: to acquire protected health information, or PHI, a rich trove of data about individual patients. PHI was a focus of HIPAA’s privacy regulations, issued 15 years ago, to prevent the risk of harm to people’s reputations and livelihoods. Obtaining PHI enables identify theft, enormously valuable on the criminal market. Records can be stolen by the millions — often without being detected for months.
“The one thing that keeps me up at night is security,” says Cletis Earle, vice president and chief information officer of 242-bed St. Luke’s Cornwall Hospital in Newburgh, N.Y.
Giant corporations like Anthem and Target were hit by breaches, he points out, despite having invested “millions and, in some cases, billions of dollars in security.”
That doesn’t bode well for other organizations, large or small.
The risk of PHI theft is growing as the nation’s health care system moves toward a value-based care model, which promotes more robust use of electronic health records and improved information technology integration across the continuum of care.
“The sophistication and creativity of hackers today is pretty scary,” says Michael Archuleta, HIPAA security officer at 25-bed Mt. San Rafael Hospital, Trinidad, Colo. “You really have to be on your toes and pay attention, because viruses, malware and computer security threats change almost daily.”
A more alert and proactive security industry has risen up to fight data breaches in networks of EHR systems and administrative computers, but weaknesses abound. Hackers can get access through such medical devices as computerized pumps or through basic automation systems, such as cooling or lighting controls, when those are connected to the main IT network infrastructure. Or, they can simply trick employees into disclosing their credentials and use their information to log in.
Advanced, persistent
The continual evolution of cyberattack methods can confound attempts to block intrusions, says John Houston, vice president for privacy and information security at UPMC, a Pittsburgh-based health care network. Health care executives and trustees “need to be mindful of that; it’s not a static discipline,” he says. “We’ll never be able to say at some point we’re done, we’ve got all the security we need, we don’t have to worry about it, we’re protected evermore. That isn’t ever going to be the case. Threats change, technologies change and our business changes.”
And, Houston says, the tools need to adapt to fight all three kinds of change.
Security plans also need to account for the fact that new and evolving malware can sneak into an IT system with alarming stealth. “Today’s attacks are so sophisticated and stealthy that it usually takes a while for the attack to be detected,” says Axel Wirth, technical architect with Symantec Corp.’s U.S. health care division.
Even when the attack is detected and remedied, the original malware source can stay hidden in a form not detectable by most security methods; it can rear up again a month later and pose the same threat all over again, he says. That’s exactly what happened in a case example described by TrapX Labs, an independent research division of TrapX Security, in a May 2015 report, “Anatomy of an Attack: MEDJACK (Medical Device Hijack).”
These “advanced persistent threats” not only collect data when activated, but also report back to the hacker, get further instructions and slowly spread throughout the organization. “It’s all under the control of a human director, and that is why those attacks are so dangerous,” Wirth says.
No news is not necessarily good news for hospital executives or trustees with ultimate responsibility for breaches. “The thing that scares me is some of these small to midsize hospitals have almost no security staff in place, and they don’t even know if they’ve been hacked … and wouldn’t know how to find it if they did [know],” Houston says. “It’s critically important that people don’t get this false sense of security because the CIO is saying, ‘We haven’t been hacked.’ They just don’t have any evidence of it.”
UPMC, a $12 billion organization with more than 20 hospitals and 500 outpatient sites, has about 60 people doing security-related work. But a $5 billion health system, he says, might have four or five staff. “Their complexity may be very similar to the complexity of UPMC, but they might not have either the wherewithal or possibly the money to do what we do.”
Mechanical breach points
Getting a read on every possible entry point is the main objective of a HIPAA security risk analysis, says Alessandra Swanson, a team leader in Chicago’s Office for Civil Rights, the federal agency that responds to HIPAA security threats and violations. Risk analysis is “not something to check off” in a compliance program; rather, it is the foundation of breach prevention, she says. If organizations don’t know every place where PHI may be accessible, they can’t take sufficient steps to mitigate security risk.
Houston agrees on the need to be HIPAA-compliant, but “the first thing to distinguish is that compliance does not equate to security, or being secure.” Hospitals can be well aware of scores of medical devices that might pose problems, but doing something about it takes the concerted effort of staff. Likewise, preventing email trickery, more than the latest anti-virus software, requires employee vigilance and education.
Knowing that medical devices are often the port of entry for data thieves has touched off alarms about smart pumps and the mainly older and often defenseless computer operating systems and programs that made them “smart.” Some manufacturers have addressed pump security, says Wirth, but, in general, “the medical device ecosystem is certainly widely underprotected.”
Medical devices are regulated by the Food and Drug Administration and, ironically, the inadequate security is fostered partly by the FDA’s resolute protection of a device’s inner clinical works to safeguard clinical function and ensure patient safety. Because of the potential to disturb its mechanical integrity, “no one can look at the inside of a medical device,” Wirth says. Even if that were possible, with hundreds of different manufacturers’ running devices on a variety of operating systems with varying security maturity, there is no standard for averting or blocking malware that targets them, he adds.
St. Luke’s Cornwall employs multiple software and hardware tools to thwart particular kinds of attacks, but “most of those [medical] devices do not fit on the network the way a computer would sit on the network,” says CIO Earle. A test of the organization’s defenses found that individuals could take control of some of its smart pumps. “Think about it from this perspective,” Earle says. If “someone can take advantage of a smart pump, think about what he or she could do with it. That’s not good.”
Computerized support systems also are vulnerable to a breach, says Paula Nixa, an information security analyst for the Mayo Clinic in Rochester, Minn. A building automation system, which controls heating and cooling, may have computer servers and workstations on the same network as the rest of the IT infrastructure. Clinics and hospitals need to know how their network is structured and how to isolate it, she says. Any support network on the same cyber-highway as clinical care and patient record systems is a potential on-ramp for hackers.
Bait and phish
The possibilities for sabotage exist — disabling air conditioning to shut down surgery, or taking malicious control of medical devices. However, “in most cases, hackers couldn’t care [less] that it’s a medical device; they’re just looking for ways to get into your network,” Houston says. Depending on existing defenses, it may be easy to first get into equipment and use it as a pivot point to sneak elsewhere — going “east-west” in security lingo. Whether to steal data or identities, hackers are opportunistic. “They’re going to look for the easy mark,” he explains.
An easy way in, experts warn, is through an organization’s computer-using workforce. It could be an enticing email message, an attachment or “survey” to download, or even a well-researched target. Mt. San Rafael’s threat detection and security plan, Archuleta says, starts with end users.
“We can have the best threat detection systems, but nothing is 100 percent. And most breaches happen because an employee leaked [information].” Threats often include phishing, the act of creating an official-looking but fake email message to get such information as user IDs and passwords.
Employees at Mt. San Rafael receive training on security threats at new-hire orientations and ongoing educational sessions. The training encourages employees not to wait to report a suspected breach attempt, even if it turns out to be a false alarm. “We have policies in place that assume we’ll be infiltrated,” Archuleta says.
UPMC actively phishes its own workforce. When employees do something inappropriate, “we nicely tell them they did the wrong thing,” Houston says. Those not taking the bait are left alone for three months, but those falling for it get phished regularly to emphasize the lesson, he adds.
The phishing expedition is conducted by UPMC’s human factors group, an initiative complementing technical security that focuses on proper access management, Houston says. The group uses innovative means to uncover atypical access and usage, which could indicate that either an outside intruder has taken control of someone’s legitimate credentials or an actual employee is breaching the system. Alerts go off when logged-in users access records not normally needed for their respective roles, access an inordinate number of records at one time, or access data at odd hours of the day or night, he says.
'Everlasting initiative’
Organizations have to operate in the digital era, and they can never let down their guard about the potential for attacks, says Earle of St. Luke’s Cornwall. “Remember, we are dealing with people who are just sitting there — it’s their day job,” he says of the criminal hacking occupation. Network security and risk assessments are “an everlasting initiative,” Cornwall says. Security “should be at the top of the minds of every board member” and executives and trustees must provide sufficient funding for it in operating budgets.
When considering the expense of protecting patient and employee data, Wirth of Symantec says the C-suite and board “should look at the problem as a risk to their business: It’s a risk to revenue, it’s a risk of lawsuits, a risk of reputation, a risk of fines — you name it.”
The responsibility for reducing risk partly lies with the IT network and medical device vendors. At minimum, they have to keep abreast of breach threats and deliver security patches expeditiously. Beyond that, “hospital executives and board members need to speak to the executives and the boards of the medical device manufacturers and bring it, as a business risk, to their attention as well,” Wirth says.
The Mayo Clinic has started making the issue real for companies that seek to sell IT-related goods and services. It has contract language on security assurances in its procurement processes for medical devices, says Nixa, and is working toward including such clauses in contracts for facility IT systems. Mayo also is moving toward better awareness of security with its core IT vendors, aided by HIPAA requirements for business associates and by national news stories about privacy and security breaches, she says.
Wirth allows that “more and more manufacturers are finally waking up and taking on responsibility, trying to figure out how to [improve] security. And government agencies are waking up, for different reasons.” For example, the FDA, in its mission to ensure that products used in medical treatment are safe and effective, has published guidance statements on security during the past two years. The Federal Bureau of Investigation is interested as well, and has a complement of cybersecurity task forces, forensic experts and data scientists at 56 offices nationwide. Other agencies mobilizing to fight the increasing threat include the Federal Trade Commission and the Department of Homeland Security.
In the meantime, “You have to pre- pare yourself for failure, and you have to start measuring your risk,” Earle says. “It’s not a matter of if, it’s a matter of when. Your organization is going to take a hit; that’s just the nature of the business now.” Besides the HIPAA and community relations aspects, the risk includes how long an organization can sustain itself if, say, an EHR or email system becomes infected. “How long are you willing to keep that system down while you remediate?”
Health systems may be compromised as they read this. “We’re most likely already hacked and we don’t know it,” Earle acknowledges. “Cryptobots may be in organizations and they’re just sitting dormant,” a threat undetectable until they wake up and start their intrusions. “When they do, hopefully our systems kick in the way they’re designed.”
John Morrissey is a freelance writer in Chicago.