HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Healthcare security: adapt or die

"It is not the strongest or the most intelligent who will survive but those who can best manage change." The quote is often attributed to Charles Darwin (by some accounts it is actually a later paraphrase), but that aside, a lesson from evolutionary biology turns out to be incredibly useful in the realm of healthcare security.

Combine the rapid speed at which the threat landscape for healthcare is changing with the traditionally slow-to-adapt nature of the healthcare industry in general, and the problem is pretty clear.

Increasing frequency of cyberattacks

It's a different threat world nowadays. Think about it. Every 60 seconds, 232 computers are infected with malware; 12 websites are successfully hacked, with 416 attempts; more than 571 new websites are created; 204 million emails are sent, and 278,000 tweets are sent out into the twittosphere – all in a single minute. Combine this with the fact that on the black market, medical records are worth $60, compared to credit card data, which typically sells for $20. So, what are the implications for a healthcare security professional?

"That makes us significant targets," said Intermountain Healthcare's Chief Information Security Officer Karl West at the Healthcare IT News Privacy & Security Forum this past March.

Indeed, Federal Bureau of Investigation officials confirmed this, after issuing a flash alert last year warning healthcare organizations that hackers are targeting them.

Today, Intermountain is able to block about 93 percent of inbound email to the health system. When compared to two years ago, when he and his team were blocking 72 percent, it seems impressive. But, keeping in mind what 60 seconds means for the cyber world, "it isn't enough," he said.

To illustrate his point even further, West showed a map depicting a five-minute snapshot of external authentication attempts into Intermountain Healthcare. There were 16 lines from various places across the globe, all leading back to the Intermountain headquarters in Utah.

Sure, one might be a patient or a physician traveling abroad. But that's not the explanation for all of them. What this shows, West explained, is the "shifting landscape" of security threats.

And if you understand this landscape, if you adapt, keep up with it, evolve alongside it, then you're ahead of most.

Security priorities in the recent past, West continued, were all about setting up firewalls and perimeters to surround a hospital's data center. Today, there is the now-recognized risk of manipulation and misuse of that data, which can pose substantial financial costs for the organization and medical risks for the patients.

"We're shifting away from that traditional view of security as a firewall perimeter with detection at ingress and egress points in and out of our system," West said. "That really doesn't exist for us today because of things like social, mobile and the cloud, and for us, the collection of big data."

Ron Mehring, CISO of the 25-hospital Texas Health Resources, seemed to agree.

As he sees it, healthcare security nowadays is still much like the Great Wall of China – "huge, monolithic infrastructure" that works "only for a short while," he said. "We build huge monolithic infrastructures that are almost worthless today." No more should healthcare security be about chasing technology or all about compliance, he added. "We're going to step back and look at this as a threat problem."

And threat it is. A 2014 report put out by the Center for Strategic and International Studies and McAfee estimated that cybercrime costs the global economy a whopping $400 billion annually, with a potential of reaching a towering $575 billion. (That's billion with a "b.") For the U.S. alone, some 40 million people had their personal information stolen in 2013.

"As an industry we can't ignore this stuff anymore," added Mehring. "We need to think about these kinds of attacks that are meant to disrupt operations and prioritize efforts against them far more than we have done in the past."

But what about innovation? What about efficient data-sharing abilities? As West pointed out, a CISO must strike a balance between mitigating risk, while also allowing for innovation and data exchange to take place.

Does security kill innovation? Mehring wasn't having that. "If you were innovative, you'd have security built in," he said.

Insider snooping

Cyberattacks aren't the only concern for healthcare IT security teams across the country. As more hospitals implement myriad IT systems and shift away from paper toward electronic medical records, employees are becoming a big focus for security professionals nowadays.

"Your people that work for you are a very large threat," said Cathleen A. Connolly, FBI supervisory special agent, at the Privacy & Security Forum this March, speaking in the context of combating insider threats within healthcare.

Connolly, who serves as lead of the healthcare fraud squad based in San Diego, has investigated many cases involving healthcare employees who inappropriately access patient medical records.

She described one case where a hospital assistant was copying hospital face sheets and selling them.

Indeed, IT security professionals say this problem is top of mind for them.

"The disgruntled employees are the biggest concerns," said Susan Snedaker, information security officer at the 600-bed Tucson Medical Center in Arizona.

It's easier said than done to keep track of these employees, but Snedaker and her team have a good strategy.

"We work with our managers and our directors in the clinical area and have them identify (the employees) that they're concerned about," she said, "so we can put additional controls and monitors around those folks."

And this monitoring proves essential, said Lynn Sessions, partner at BakerHostetler, who focuses specifically on healthcare operations and HIPAA.

"There is a requirement (in HIPAA) that there be some monitoring of their systems," she said in an interview with Healthcare IT News. Although it doesn't specifically require monitoring related to employee access, it's "generally the way it's been interpreted," she said.

It's clear, Sessions added, that the Office for Civil Rights "wants to know whether your employees are snooping" – whether for criminal or negligent reasons, which may suggest the organization did not have appropriate system safeguards in place, or even that it has a "rogue employee" on its hands.

But how often are a healthcare organization's employees actually snooping? Does it really happen that often?

"Yes," said Sessions. It most certainly does.

From Connolly's perspective, one of the problems contributing to insider snooping is a "real deficiency in (employee) training." Training is designed to check the box, if you will, for compliance purposes.

The security folks at the West Virginia United Health System have made this training piece a priority and have already seen marked success in curbing employee snooping.

Mark Combs, assistant chief information officer at WVUHS, has implemented a host of initiatives that aim to improve this problem.

For the training piece, Combs said they have a privacy officer present to all new employees on what is expected of them regarding privacy and security. The health system also sends out monthly security reminders from its privacy and security officers.

What's more, they're not afraid to audit their employees.

There's an old adage Combs uses to describe his philosophy on this: "What's measured is what matters," he said. "So people know we're measuring and watching their access; it gives them pause when they start to consider doing something like this."

Audits are performed at the health system "almost daily," he said, amounting to several million accesses audited each year. Access audit records from multiple applications across the enterprise are fed into an application that consolidates them and runs reports, which are then analyzed by a special team.
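Combs describes consolidating access audits from several applications and running reports over them for a review team. The Python below is an added example, not WVUHS's system and not code from the article: it normalizes audit lines from two hypothetical applications with different export formats and applies the kinds of rules such a team would run, namely access with no treatment relationship, an employee and patient sharing a surname, a VIP record, off-hours timing, and a burst of distinct charts opened in a short window. The log lines, the assignment table, and the staff and patient directories are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines from two hypothetical applications with different
# export formats: an EHR (CSV) and a lab system (pipe-delimited). Not real data.
EHR_LINES = """\
2015-03-02T09:14:05,nurse.kim,MRN1001,VIEW
2015-03-02T09:20:41,nurse.kim,MRN1002,VIEW
2015-03-02T23:05:12,clerk.lopez,MRN2001,VIEW
2015-03-02T23:06:02,clerk.lopez,MRN2002,VIEW
2015-03-02T23:06:40,clerk.lopez,MRN2003,VIEW
2015-03-02T23:07:15,clerk.lopez,MRN2004,VIEW
2015-03-03T10:02:00,dr.patel,MRN3001,VIEW
"""
LAB_LINES = """\
2015-03-02 09:15:30|nurse.kim|1001|RESULT_VIEW
2015-03-03 10:05:00|dr.patel|1001|RESULT_VIEW
"""

# Constructed reference data that would normally come from scheduling/ADT and HR feeds:
# which charts each user legitimately works on, staff surnames, patient surnames, VIP flags.
ASSIGNMENTS = {"nurse.kim": {"MRN1001", "MRN1002"}, "clerk.lopez": {"MRN2001"},
               "dr.patel": {"MRN3001"}}
STAFF = {"nurse.kim": "Kim", "clerk.lopez": "Lopez", "dr.patel": "Patel"}
PATIENTS = {"MRN1001": {"surname": "Ortiz", "vip": False},
            "MRN1002": {"surname": "Kim", "vip": False},
            "MRN2001": {"surname": "Garcia", "vip": False},
            "MRN2002": {"surname": "Nguyen", "vip": True},
            "MRN2003": {"surname": "Brown", "vip": False},
            "MRN2004": {"surname": "Singh", "vip": False},
            "MRN3001": {"surname": "Schmidt", "vip": False}}


def parse_ehr_line(line):
    ts, user, mrn, action = line.strip().split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "user": user,
            "mrn": mrn, "action": action, "source": "ehr"}


def parse_lab_line(line):
    ts, user, patient_id, action = line.strip().split("|")
    # The lab system keys on a bare numeric id; normalize to the EHR's MRN form
    # so accesses to the same chart from different systems correlate.
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "mrn": "MRN" + patient_id, "action": action, "source": "lab"}


def consolidate(ehr_text, lab_text):
    """Merge both feeds into one time-ordered event list."""
    events = [parse_ehr_line(l) for l in ehr_text.splitlines() if l.strip()]
    events += [parse_lab_line(l) for l in lab_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts, start=22, end=6):
    return ts.hour >= start or ts.hour < end


def detect_snooping(events, assignments, staff, patients,
                    burst_window=timedelta(minutes=5), burst_threshold=3):
    """Return alerts: per-event rule hits plus a per-user chart-burst correlation."""
    alerts = []
    for e in events:
        reasons = []
        patient = patients.get(e["mrn"], {})
        if e["mrn"] not in assignments.get(e["user"], set()):
            reasons.append("no_treatment_relationship")
        surname = staff.get(e["user"])
        if surname and surname == patient.get("surname"):
            reasons.append("same_surname")          # possible family/self lookup
        if patient.get("vip") and "no_treatment_relationship" in reasons:
            reasons.append("vip_record")
        if reasons and is_off_hours(e["ts"]):
            reasons.append("off_hours")             # only escalates an existing hit
        if reasons:
            alerts.append({"user": e["user"], "mrn": e["mrn"], "ts": e["ts"],
                           "source": e["source"], "reasons": reasons})

    # Burst rule: one user opening more than burst_threshold distinct charts inside
    # burst_window, regardless of relationship (bulk copying of face sheets looks like this).
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - first["ts"] <= burst_window]
            distinct = {x["mrn"] for x in window}
            if len(distinct) > burst_threshold:
                alerts.append({"user": user, "mrn": None, "ts": first["ts"],
                               "source": "correlated", "reasons": ["chart_burst"],
                               "count": len(distinct)})
                break                               # one burst alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_snooping(consolidate(EHR_LINES, LAB_LINES), ASSIGNMENTS, STAFF, PATIENTS):
        print(a["ts"], a["user"], a["mrn"], a["source"], ",".join(a["reasons"]))
```

On the constructed input the rules produce six alerts: the nurse opening a chart with her own surname, the clerk's three after-hours views of unassigned charts (one of them a VIP), the physician's lab-system view of a patient not on his list, and one correlated burst alert for the clerk. The relationship table is what makes this useful; without a feed of who is actually treating whom, the rules degrade to volume and surname heuristics.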

So what are the big takeaways that Combs and his IT security colleagues have driven home? Next time you think your hospital or health system is secure, that a firewall perimeter is all it takes, or that healthcare (or your organization) is not a target of cyberattacks, think again. You're waist deep in it, and how an organization prepares, secures, trains, anticipates and adapts can make all the difference for its patients and its bottom line.

Anthem Was Right Not to Encrypt

The Internet is abuzz criticizing Anthem for not encrypting its patient records. Anthem has been hacked, for those not paying attention.

Anthem was right, and the Internet is wrong. Or at least, Anthem should be “presumed innocent” on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions.

Most lay people, clinicians and, apparently, reporters simply do not understand when encryption is helpful. They presume that encrypted records are always more secure than unencrypted records, which is simplistic and untrue.

Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent of a carjacking.

When someone uses a gun to threaten a person into handing over both the car and the car keys needed to make that car useful, no one says "well, that car manufacturer needs to invest in more secure keys".

In general, systems that rely on keys to protect assets are useless once the bad guy gets hold of the keys. Apparently, whoever hacked Anthem was able to crack the system open enough to gain "programmer access". Without knowing precisely what that means, it is fair to assume that even in a system implementing "encryption at rest", the programmers have the keys. Typically it is the programmer that hands out the keys.

Most of the time, hackers seek to “go around” encryption. Suggesting that we use more encryption or suggesting that we should use it differently is only useful when “going around it” is not simple. In this case, that is what happened.

The average lay person, as well as the average clinician, do not bother to think carefully about security generally. Making an investment in the wrong set of defenses serves to decrease and not increase the overall security of the system. This argument is at the heart of the arguments against the TSA, which serves to make us “feel” more secure without actually increasing our security. The phrase for this is “Security Theater”.

You see, encryption at rest, unlike encryption in transit, comes with significant risks. The first risk is that keys might be lost. Unlike car keys, once encryption keys are lost there is no way to "make new ones". Of course you could back up your keys, securely, off-site, but that means extra cost and extra steps. Second, if encrypted data becomes corrupted, it is much more difficult to recover than unencrypted data.

In short, there are cases where encryption-at-rest can be dangerous and there are only a few cases where it can be helpful.

For clinicians, it is easy to draw a parallel: the risks associated with unneeded testing. A lay person assumes that if there is any chance that the "CAT scan might catch it" then they should have a CAT scan. The clinician understands that this test comes with a cost (i.e. increased long-term cancer risk) and is not as "free" as the patient feels it is. The public only becomes aware of this when a testing scandal occurs, like the famous PSA test, where the harm was massively larger than the good provided by the test.

The human body and information technology are both complex systems, and in general neither responds well to oversimplified interventions.

Moving back to Anthem.

Anthem has a responsibility, under HIPAA, to ensure that records remain accessible. That is much easier to do with unencrypted data. The fact that this data was not encrypted means very little. There is little that would have stopped a hacker with the level of access that these hackers achieved. Encryption probably would not have helped.
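To make the post's point concrete, here is an added Python example (not Anthem's system and not the author's code) that models the three access paths the post discusses: a copied backup, a query through an application tier that holds key-service credentials, and a restore after the key is lost. The cipher is an illustrative SHA-256/HMAC stream construction from the standard library so the example runs anywhere; a production system would use AES-GCM from a vetted library, and the threat-model lesson is unchanged. KeyService, EncryptedStore, ClaimsApp and the member records are hypothetical names and constructed data.

```python
import hashlib
import hmac
import json
import os

# Illustrative authenticated stream cipher built only from the standard library:
# keystream = SHA-256(key || nonce || counter), tag = HMAC-SHA256(key, nonce || ct).
# Not for production use; it stands in for AES-GCM so the example runs without extra packages.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyService:
    """Hypothetical stand-in for a KMS/HSM: holds the key-encryption key (KEK) and
    wraps/unwraps per-record data-encryption keys (DEKs) for callers with credentials."""
    def __init__(self, kek):
        self._kek = kek
    def new_wrapped_dek(self):
        dek = os.urandom(32)
        return dek, seal(self._kek, dek)
    def unwrap(self, wrapped_dek):
        return open_sealed(self._kek, wrapped_dek)

class EncryptedStore:
    """Hypothetical database table: rows hold ciphertext plus the wrapped DEK.
    The store never holds a usable key; that is what 'encryption at rest' buys you."""
    def __init__(self):
        self.rows = {}
    def put(self, member_id, wrapped_dek, ciphertext):
        self.rows[member_id] = (wrapped_dek, ciphertext)
    def dump(self):
        # What a stolen disk image or backup tape contains.
        return b"".join(w + c for w, c in self.rows.values())

class ClaimsApp:
    """Hypothetical application tier holding a KeyService credential: the path an
    attacker with 'programmer access' or an admin account walks through."""
    def __init__(self, store, keys):
        self.store, self.keys = store, keys
    def save(self, member_id, record):
        dek, wrapped = self.keys.new_wrapped_dek()
        self.store.put(member_id, wrapped, seal(dek, json.dumps(record).encode()))
    def query(self, member_id):
        wrapped, ct = self.store.rows[member_id]
        return json.loads(open_sealed(self.keys.unwrap(wrapped), ct))

def demo():
    """Exercise the three access paths and report what each one yields."""
    keys, store = KeyService(kek=os.urandom(32)), EncryptedStore()
    app = ClaimsApp(store, keys)
    app.save("M-1001", {"name": "Jane Roe", "ssn": "123-45-6789"})   # constructed sample data
    app.save("M-1002", {"name": "John Roe", "ssn": "987-65-4321"})
    results = {}
    # Path 1: copy the database files or a backup. Encryption at rest defeats this.
    results["backup_leaks_ssn"] = b"123-45-6789" in store.dump()
    # Path 2: hold the application's credentials and query through the app. Encryption
    # at rest is transparent here; the attacker reads every record in clear.
    results["app_query_leaks_ssn"] = app.query("M-1001")["ssn"] == "123-45-6789"
    results["records_via_app"] = len([app.query(m) for m in store.rows])
    # Path 3: the KEK is lost (vault restored with a different key). Authentication
    # fails rather than returning garbage, but the records are unrecoverable.
    lost_key_app = ClaimsApp(store, KeyService(kek=os.urandom(32)))
    try:
        lost_key_app.query("M-1001")
        results["readable_after_key_loss"] = True
    except ValueError:
        results["readable_after_key_loss"] = False
    return results

if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path}: {outcome}")
```

Running demo() shows the backup leaking nothing, the application credential returning both records in clear, and the lost-key restore failing authentication, which is the "cannot make new keys" risk above. The control only helps on the first path; whether it is worth its cost depends on how likely a disk or backup theft is compared with a compromise of the tier that holds the key.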

By focusing on the encryption-at-rest issue, the mainstream press is missing the main story here. If indeed Anthem was targeted by sophisticated international hackers, then there is little that could have been done to stop them. In fact, assuming international actors were involved, this is not so much a failure for Anthem as a failure of the NSA, the government agency tasked with both protecting US resources and attacking other nations' resources.

As much as the NSA has been criticized for surveilling Americans, it is its failure to protect against foreign hackers that should be frequent news. Currently, the NSA continues to employ a strategy in which it does not give US companies all of the information they could use to protect themselves, but instead reserves some information to ensure that it can break into foreign computer systems. This is a point that Snowden, and other critics like Bruce Schneier, continue to hammer: the NSA makes it easy to spy, for themselves and for others too.

It is fine to be outraged at Anthem and I am sure they could have done more, but I can assure you that no insurance company or hospital in the United States is prepared to defend against nation-state level attacks on our infrastructure. In fact, Anthem is to be applauded for detecting and cutting off the attack that it did find. Hackers are much like roaches, if you can spot one, there are likely dozens more successfully hiding in the walls.

Why Are Health Insurers Hacker Targets?

The massive cyber-attacks targeting health insurers Premera Blue Cross and Anthem Inc. make it clear that hackers increasingly view large healthcare organizations, especially payers, as attractive targets.

"What makes Premera and Anthem high-visibility targets is the volume of personal data they have," privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, tells Information Security Media Group. "Of course, every healthcare organization should be concerned, but smaller organizations are probably less visible targets."

Daniel Nutkis, CEO of the Healthcare Information Trust Alliance, testified during a March 18 U.S. House subcommittee hearing on cyberthreats: "Any healthcare organization is a treasure trove of personally identifiable information and protected health information and is very much a high value [target] ... for nation-states to hacktivists."

Millions Affected

Premera says it is notifying 11 million individuals about its breach. The Anthem hack affected 78.8 million individuals, making it the largest incident on the Department of Health and Human Services' tally of major health data breaches.

A Premera spokesman told the Wall Street Journal that the Anthem and Premera incidents were "different cyberattacks." The FBI declined to offer a comment to ISMG about its investigations into the cyberattacks and whether the incidents are related.

Earlier this month, a report from ThreatConnect, a threat intelligence product and services vendor, said clues in the Anthem breach suggest the attack was launched from China. The report noted that malware used in the Anthem attack contained malicious code that ThreatConnect says has been exclusively used in the past by Chinese APT groups. The Wall Street Journal reports that some experts see signs of similar links to China in the Premera hack.

But Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, says the China link in both attacks is "only speculation at this point," and that there's been "no confirmation."

On March 18, an Anthem spokesperson told ISMG that the insurer has "no new information from the investigation to share with regard to the origin of the attack. We're continuing to work with the FBI and hope to have more to offer upon completion of the investigation soon."

Multiple Motives

Darrell Burkey, a product director at security vendor Check Point Software Technologies, says hackers have multiple potential motives for stealing data from health insurers.

"The information can feed many illicit business opportunities," he says. That ranges from using the data for fraudulent claims to insurers to intercepting Medicare payments. But other motives include "blackmailing wealthy, famous, important people to either pay ransom or their health records will be released," he says. "Consider the wholesome Hollywood [star] that has illicit infections or prominent CEO undergoing counseling or has some dire disease, etc."

Similarly, Borten notes that when millions of personal records are reaped, "the first potential gain is money linked to the sale of the data for identity theft. It is puzzling, however, that Premera reports an intrusion, but no indication that the data was removed."

Data from the Anthem hack hasn't shown up yet on the black market, Kobza says. But stolen information from the recent health insurer attacks eventually could be offered for sale by fraudsters, experts say.

"It's like stealing a famous painting - getting rid of it quietly and profitably is the hard part," says Cameron Camp, security researcher at ESET, a security consulting and technology firm. "In the case of the Anthem breach, it would be better for attackers to either trickle it out into the market, or use it for some secondary attack, like fraudulently filing fake tax returns or other scams."

Although Borten acknowledges that data stolen from Anthem and Premera could turn up on the black market, she says there could be other motives for the assaults. "This was a stealth attack, so it wasn't for a public political reason. It may have been simply a probe to see how vulnerable such organizations are, especially if this was a foreign attack," she says.

Richard Barger, ThreatConnect's chief intelligence officer, says hackers could have targeted the insurers for specific reasons. "Both Anthem and Premera cover a large number of U.S. Federal government employees. If a foreign government obtained sensitive information on the federal workforce, they could leverage this for blackmail or to enable HUMINT [human intelligence] asset development," he says.

Breaking In

So how much effort does it take to breach the IT systems of health insurers?

"In the case of Anthem, the attackers were able to gain access to an administrative account and do a database query," Camp says. "But that's certainly not the only piece to the puzzle, as they still had to do reconnaissance, exfiltration, persist in the network, do lateral discovery and cover their tracks. These aren't simple, cheap, or quick things to do, either in Anthem or the current [Premera] breach."

Jason Matlof, executive vice president at LightCyber, a breach detection solutions firm, notes: "For a professional cybercriminal, it is not terribly difficult to breach a company's network. While legacy threat prevention systems are about 95 percent effective in blocking intrusion attempts, that leaves five percent wide open for cybercriminals to make nearly unlimited attempts to get in with no risks or downside," he says.

In a statement, Premera, based in Mountlake Terrace, Wash., says the company on Jan. 29 discovered that cyber-attackers had executed a sophisticated attack to gain unauthorized access to its IT systems. However, further investigation revealed the initial attack occurred on May 5, 2014, Premera says.

Some security experts say the attack on Premera may have begun months earlier than that. "ThreatConnect found evidence that the faux Premera infrastructure was staged as early as December 2013," ThreatConnect's Barger says. "Initial reports on the Premera breach have indicated that the attack began in May 2014; however, based upon the data that we are seeing, it is likely that there may have been a more long-term effort, or at least interest, thus broadening the possible window of exposure."

Meanwhile, the Anthem breach, which was announced on Feb. 4, likely began as early as Dec. 10, 2014, with intrusions likely continuing until Jan. 27, according to a company spokeswoman.

So why did it take months for these cyberattacks to be discovered?

"Detection of an attack takes about 205 days on average, which is long, but better than the average of 229 days last year," Richard Bejtlich, chief security strategist at the security firm FireEye, testified during the March 18 House subcommittee hearing. And 70 percent of the time, organizations learn about a breach from the FBI or another external party rather than detecting it themselves, he said.

Camp told members of the House panel: "Attackers want to persist undetected for as long as they can, so if you didn't catch them attacking you, it's also likely that unless they slip up, you wouldn't notice them silently looking around for things to steal, or possibly even as they spirit data out your digital front door and onto the Internet."

The Wrong Focus

Among the issues that also contribute to the healthcare sector's vulnerability is that the industry long has been "focused on compliance rather than risk-based security," Nutkis testified.

So if the healthcare sector is a growing target of attackers, what should organizations do to step up their defense and detection?

Using smaller databases, protected by robust access controls, could help reduce the damage when attackers strike, Borten, the consultant, suggests. "If older or archived data were kept separately with fewer users having access permissions" the number of records breached in these attacks could have been reduced, she says.

Also, improved cyberthreat information sharing within the healthcare sector could help thwart breaches, Camp says. "If victim organizations can share with others in their trust groups who defend health sector organizations, the whole sector will benefit, especially if that can happen rapidly."

NH-ISAC's Kobza is hopeful that recent hacker attacks will help all healthcare organizations to realize they need to share threat intelligence to help thwart attacks. "This is the model that has been adopted in other critical infrastructure sectors, and given the size of the prize in healthcare, it should become our standard as well."

Lysa Myers, a security researcher at ESET, adds that healthcare organizations can take steps to "retrofit" their systems to better defend against hackers. "Encrypting sensitive data, multi-factor authentication, network segmentation, ongoing employee security training - these things all can be fit into existing systems and they can significantly improve the defenses businesses have in place," she says.

Hospitals likely to be cyberattack targets in 2015

As hospitals and health care providers continue to use more electronic records, they're increasingly becoming the targets of cybercriminals.

That's according to Carl Leonard, a principal security analyst for Websense, who said hackers are breaking into the computer networks of health care facilities with increasing frequency and taking valuable personal information that is often secured improperly.

In 2015, Websense projects the health care industry will see a substantial increase in cyberattacks.

St. Louis is home to a large health care community, with more than 25 regional hospitals accounting for more than $7.6 billion in annual revenue, according to St. Louis Business Journal research.

The Websense report said medical records hold a trove of data that is more valuable than other records and can be used for various types of fraud.

"The healthcare industry is a prime target for cybercriminals," Leonard said in a statement. "With millions of patient records now in digital form, healthcare's biggest security challenge in 2015 will be keeping personally identifiable information from falling through the cracks and into the hands of hackers."

In Missouri, a majority of health records make their way through the Missouri Health Connection, a nonprofit organization that operates Missouri's statewide health information exchange. The MHC was established in 2009 and includes the records of St. Louis' three largest health-care providers, SSM Health Care, BJC HealthCare and Mercy.

The MHC uses an application suite called HealthShare from InterSystems, a Cambridge, Massachusetts-based software technology company that specializes in data management, to serve as the backbone for its health information exchange.

Mercy, in a previous statement to the Business Journal, said "protecting the personal health information of our patients is one of Mercy's highest priorities. We have information security policies and procedures in place as well as technical controls such as digital security measures. We consistently evaluate risks associated with security and continue to make investments to remediate those risks to maintain and improve Mercy's information security system."

Hard hit recently, U.S. retail stores saw the average cost of cybercrime reach $8.6 million in 2014, according to the Ponemon Institute— more than double the average cost in 2013.

St. Louis trails only Tampa and Orlando among the most-hacked cities in America.
