The Enemy Within

As cyberattacks in the health care industry increase, hospitals must ensure their networksand their patients’ dataremain safe.

Right now, cybercriminals probably are attacking your spread-out, opportunity-laden information technology network. Maybe they’re inside already. Maybe they’re not. Either way, they want your patients’ data—and they are determined to get it.

No longer do security breaches typically involve the theft of a single unencrypted laptop containing patient data (stolen mainly for the computer’s value). Today’s hackers have drained reams of patient information from electronic health records (EHRs) or payment systems with the stealth of a B-2 bomber. Once the hacker encrypts the files, hospital databases become unusable until a ransom is paid, which not only costs a pretty penny, but also can freeze clinical operations.

“Although we have been seeing cyberattacks for 20 years or longer, they have become far more prevalent and, more importantly, far more devastating in the past few years,” says Fred Cate, J.D., vice president for research at Indiana University and an authority on information privacy and security issues.

Criminals enjoy economies of scale in intrusion tools, where the marginal cost of multiple assaults is close to zero, according to Cate.

“If they can attack one hospital, for the same price they can attack a thousand hospitals,” he says, noting that in addition, hackers can attack each hospital thousands of times a day.

One consequence of the increased number of cyberattacks has been a more active stance by the federal Office for Civil Rights (OCR) on protecting health information privacy.

“We’ve moved past the stage where the government is helping the industry understand what its obligation is,” says Jeffrey Short, J.D., who specializes in health care IT and privacy issues with Hall, Render, Killian, Heath & Lyman in Indianapolis. “Now the government is expecting the industry to understand it and take appropriate action, which means enforcement activities are going to become more aggressive and more extensive.”

Of breaches serious enough to require reporting to OCR, the ones involving external hacking nearly doubled nationwide between 2015 and 2016. Since 2009, when covered entities began reporting breaches of more than 500 records immediately under the rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Indiana has had 58, placing it sixth among states, says George Bailey, senior advisor on security for Purdue Healthcare Advisors in West Lafayette.

Without more sophistication on the part of both IT security layers and the people who know how to use them, the imminent threat of criminal in filtration will only get worse, notes Short. He says that hospital executives in Indiana and around the nation “are discovering that their contingency, their triaging procedures, may not have been thought through well enough; it takes a lot more time, a lot more effort and a lot more money.”

VULNERABILITIES TO AN ATTACK

The increase in scope and volume of cyberattacks is tangible evidence that health care is being targeted, says Bailey. Part of that is because the industry has only been using EHRs on a large scale since 2011, whereas other industries experienced a similar onslaught when they went digital in the early 2000s. And part of it is the raw value of stolen patient data. Medical information is worth 10 times more than a credit card number on the black market.

To house and use that data, health care organizations are ever more dependent on digital data systems. That includes not only EHRs, but also software to control surgical tools, medical devices and other treatment mechanisms.

Previously, information technology was monitored by a central data management center. But the control of IT networks has become decentralized as health care organizations continue to grow through mergers and the internet becomes the main link between facilities and providers, says Dustin Hutchison, Ph.D., a partner with Pondurance, an Indianapolis-based information security and threat management firm.

During the initial IT growth, network integration, not security, was the goal, says Michael Ebert, cyber health care and life sciences leader at KPMG. And for a while, threats were mainly small and usually involved internal unauthorized access. But as integration became accomplished through the use of the internet, the nature of the danger changed drastically, as tracked over time by the security field’s top 10 threats. Before the internet-based network became the norm, “the external hacker threat was number nine; now it’s number one,” says Ebert. He notes that before, the top threat was from malicious actions within the workforce, but “now that’s down to number five or six.”

The health care hacking issue boils down to three interlocked vulnerabilities.

First, health IT networks are sitting ducks for intrusions from outside if they only have the traditional protections in place: firewalls to reject suspicious transmissions and anti-virus software to shield computers and other receiving points. Automated threat management adds another layer, patrolling for suspicious movement into part of the network that a given user account shouldn’t be accessing. “All of a sudden we might see that somebody has accessed an odd domain and data are starting to go to this other external IP address. The amount of data leaving is relatively large, and this is maybe happening after hours,” says Hutchison.

Second, attempts to trick employees into downloading malware from an innocent-looking email, called phishing, are becoming the most effective method of gaining entry to a health care IT system. “Firewalls and anti-malware software are critical, and they should absolutely be used, but here’s the problem: Most successful attacks come from inside the firewall,” says Cate. “And they’re usually the result of phishing attacks.” One gullible surrender of login credentials puts an intruder inside the firewall, bypassing all that expensive technology.

Third, websites and virtual private networks that serve valid purposes outside the perimeter of protection are not secured nearly as tightly, creating easy opportunities to sneak past the system of sentries surrounding the main network infrastructure. Bailey suggests installing a strengthened login progress called two-factor authentication that involves both a password and another entered code that only the user could know, such as one sent to a personal phone that is good for a limited time.

THE CYBERSECURITY INVESTMENT

Any intention to increase cybersecurity has to start at the top. Open support from hospital leaders can overcome staff resistance to new rules about clicking on attachments or using hack-resistant passwords and other methods of protecting access credentials.

“As a CEO, you have to make it clear and visible that you are serious about it,” says Short. “It isn’t a project; it is a changing of the culture. And unless it’s taken seriously and treated that way, you’ll do the project, but the risk is still there.”

Safe use of the network requires ongoing training with no exceptions. Short relates the resolve of one hospital in Indiana that instituted universal training and set a deadline: “On that day and time, they disabled everyone, including physicians, who hadn’t done the training. Everyone completed it by noon that day.”

The technology and expertise to monitor and respond to today’s sophisticated cyberattacks require board support for the necessary budgeting, Short notes. For small hospitals, the annual expense is easily more than $100,000 and more likely near $500,000, which includes an outside monitoring service. No matter how small, a hospital needs someone paying attention to security, either a chief information security officer (and staff ) or a managed security systems provider.

The investment for large multihospital systems is vastly larger, says Ebert. One client, an $11 billion health care organization, asked him for a proposal for comprehensive cybersecurity services, and the CIO wanted to know if the $7 million budgeted for it would suffice. Ebert said it was more like $7 million squared. That worked out to 10 to 15 percent of the IT budget the next three years instead of the prevailing 4 percent for security. The amount would decrease to 8 to 9 percent a year once the $49 million plan’s main elements were in place.

The plan included retrofitting the existing IT network to account for years of inattention to how its growth and configuration left it vulnerable to breach, allowing an intruder to roam at will. Only after the system is redesigned to curb the easy advance of hackers could more sophisticated security be fully valued, says Ebert.

A key element of the retrofit involved what the security industry calls “segmentation,” or the separation of areas within the network so users can only access those areas needed for their work. If a hacker gets in, this practice may prevent the ability to move across the network.

“If they come in, they’re going to get only so far,” Ebert says, noting that the organization could address much of the threat through management of access privileges and better methods of identifying and authorizing credentials. “Hackers are going to take the path of least resistance. If they keep hitting barriers, they’re going to go phish somewhere else.”

RANSOM COUNTERMEASURES

With those measures in place, threats such as ransomware become less of a menace to the health care environment. Ransomware requires acquisition of privileged access to fully affect the contents of valuable IT servers or databases. Hackers may come in at a low level of authorization but elevate their access as they compromise the credentials of highly placed users.

A rigorous practice of minimum-necessary access goes a long way toward fighting ransomware damage, says Hutchison. If employees don’t have higher rights than their role requires, then a phishing ruse might not be productive. Proper segmentation combined with a system backup plan can reduce breach severity. A workstation or laptop that has been backed up can be wiped clean and reloaded.

These types of precautions are necessary because it’s not easy to counteract human nature. Despite training efforts, it’s not practical to expect all employees to ignore those official-looking emails and malicious attachments.

“The phishing attacks are getting so good that it’s almost impossible to stop them sometimes,” Hutchison says. “No longer do you see the poor grammar and misspellings. They’re sneaky. There’s money to be made, so they invest some time and do it well.”

Once your system has been compromised, you must act quickly—and carefully. One incident involving the rapid advance of ransomware demonstrated the downside of having everything connected to the internet.

“They were trying to stop the spread of the malware that was creating the ransomware, and they just unplugged everything,” Ebert says. That included the entire phone network, which used the Voice over internet Protocol (VoIP) method of operation. “They would analyze each system and then plug it back into the network. And they had to do this across multiple acute-care facilities, physician practices and so forth to isolate it down.” The phones were out for two to three days.

There are other ways to push back against cybercriminals. A 200-bed Indiana hospital with a large employed physician group hit by a ransom demand last year chose not to pay it. Instead, the hospital shut down the IT environment and restored the data with a backup version after locating and eradicating the source of the attack. Without a system backup and a way to eradicate the attack, the hospital could have been out millions of dollars.

“Disaster recovery and business continuity planning is not just for when a tornado hits your facility,” says Bailey. “It can help you with a cyber event as well.”