Monthly Archives: April 2016

Healthcare organizations are in the cross hairs of cyber attackers

Larry Ponemon


The State of Cybersecurity in Healthcare Organizations in 2016, sponsored by ESET, found that on average, healthcare organizations represented in this study have experienced almost one cyber attack per month over the past 12 months. Almost half (48 percent) of respondents say their organizations have experienced an incident involving the loss or exposure of patient information during this same period, but 26 percent of respondents are unsure.

The research reveals that healthcare organizations are struggling to deal with the same threats other industries face. According to 79 percent of respondents, system failures are the number one risk. The following threats are also considered serious: unsecure medical devices (77 percent of respondents), cyber attackers (77 percent of respondents), employee-owned mobile devices or BYOD (76 percent of respondents), identity thieves (73 percent of respondents) and mobile device insecurity (72 percent of respondents). Despite citing unsecure medical devices as a top security threat, only 27 percent of respondents say their organization has the security of medical devices as part of their cybersecurity strategy.

With cyber attacks against healthcare organizations growing increasingly frequent and complex, there is more pressure to refine cybersecurity strategies. Moreover, healthcare organizations have a special duty to secure data and systems against cyber hacks. The misuse of patient information and system downtime can not only put sensitive and confidential information at risk but also put the lives of patients at risk as well.

We surveyed 535 IT and IT security practitioners in a variety of healthcare organizations such as private and public healthcare providers and government agencies. Sixty-four percent of respondents are employed in covered entities and 36 percent of respondents in business associates. Eighty-eight percent of organizations represented in this study have a headcount of between 100 and 500.

[Figure 1: PS report chart, April 2016]

As shown in Figure 1, healthcare organizations are struggling to deal with a variety of threats such as system failures (79 percent of respondents), unsecure medical devices (77 percent of respondents), cyber attackers (77 percent of respondents), employee-owned mobile devices or BYOD (76 percent of respondents), identity thieves (73 percent of respondents) and unsecure mobile devices (72 percent of respondents). Despite citing unsecure medical devices as a top security threat, only 27 percent of respondents say their organization has the security of medical devices as part of their cybersecurity strategy.

The following are key findings from this research:

Healthcare organizations experience monthly cyber attacks. Healthcare organizations experience, on average, a cyber attack almost monthly (11.4 attacks on average per year) as well as the loss or exposure of sensitive and confidential patient information. However, 13 percent are unsure how many cyber attacks they have endured. Almost half of respondents (48 percent) say their organization experienced an incident involving the loss or exposure of patient information in the past 12 months. As a consequence, many patients are at risk for medical identity theft.

Exploits of existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78 percent of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old. A close second, according to 75 percent of respondents, are web-borne malware attacks. This is followed by exploits of existing software vulnerabilities less than three months old (70 percent of respondents), spear phishing (69 percent of respondents) and lost or stolen devices (61 percent of respondents).
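The finding above splits exploited vulnerabilities by whether the fix has been available for more or less than three months. The following is an added example (not code from the report or from ESET) of a patch-lag check that buckets a host inventory the same way; the hostnames, fix dates and reference date are constructed for illustration.

```python
from datetime import date

# Threshold taken from the survey's two buckets: fixes available for more than
# three months (approximated here as 90 days) versus three months or newer.
STALE_DAYS = 90

# Constructed reference date for the check (hypothetical, not from the report).
REFERENCE_DATE = date(2016, 4, 15)

# Constructed sample inventory (hypothetical hosts, not from the report):
# (hostname, date the vendor fix became available, whether it has been applied)
PENDING_FIXES = [
    ("lab-analyzer-01", date(2015, 6, 2), False),
    ("lab-analyzer-01", date(2016, 1, 15), False),
    ("nurse-station-07", date(2016, 2, 20), False),
    ("nurse-station-07", date(2016, 3, 28), True),
    ("billing-web-02", date(2015, 12, 1), False),
]

def bucket(age_days, stale_days=STALE_DAYS):
    """Classify a missing fix the way the survey does: older than three months or not."""
    return "older than 3 months" if age_days > stale_days else "3 months or newer"

def patch_lag_report(inventory, today, stale_days=STALE_DAYS):
    """Per host: count of unapplied fixes in each bucket and the age of the oldest one.
    Applied fixes are ignored; only outstanding exposure is counted."""
    report = {}
    for host, available, applied in inventory:
        if applied:
            continue
        age = (today - available).days
        entry = report.setdefault(
            host, {"older than 3 months": 0, "3 months or newer": 0, "max_age_days": 0})
        entry[bucket(age, stale_days)] += 1
        entry["max_age_days"] = max(entry["max_age_days"], age)
    return report

def hosts_to_escalate(report):
    """Hosts carrying at least one fix older than the threshold, worst first."""
    stale = [h for h, e in report.items() if e["older than 3 months"] > 0]
    return sorted(stale, key=lambda h: -report[h]["max_age_days"])

if __name__ == "__main__":
    rep = patch_lag_report(PENDING_FIXES, REFERENCE_DATE)
    for host in hosts_to_escalate(rep):
        e = rep[host]
        print(f"{host}: {e['older than 3 months']} stale, "
              f"{e['3 months or newer']} recent, oldest {e['max_age_days']} days")
```

The single-task host that has sat untouched since mid-2015 lands at the top of the escalation list, which is the population the survey's 78 percent figure points at.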

How effective are measures to prevent attacks? Forty-nine percent of respondents say their organizations experienced situations when cyber attacks have evaded their intrusion prevention systems (IPS) but many respondents (27 percent) are unsure. Thirty-seven percent of respondents say their organizations have experienced cyber attacks that evaded their anti-virus (AV) solutions and/or traditional security controls but 25 percent of respondents are unsure.

On average, organizations have an APT incident every three months. Only 26 percent of respondents say their organizations have systems and controls in place to detect and stop advanced persistent threats (APTs) and 21 percent are unsure. Over a 12-month period, organizations represented in this research had an APT attack about every 3 months (3.46 APT-related incidents in one year). Sixty-three percent of respondents say the primary consequences of APTs and zero day attacks were IT downtime, followed by the inability to provide services (46 percent of respondents), which create serious risks in the treatment of patients. Forty-four percent of respondents say these incidents resulted in the theft of personal information.

DDoS attacks have cost organizations on average $1.32 million in the past 12 months. Thirty-seven percent of respondents say their organization experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months and cost an average of $1.32 million. The largest cost component is lost productivity followed by reputation loss and brand damage.

Respondents are pessimistic about their ability to mitigate risks, vulnerabilities and attacks across the enterprise. Only 33 percent of respondents rate their organizations’ cybersecurity posture as very effective. The primary challenges to becoming more effective are a lack of collaboration with other functions (76 percent of respondents), insufficient staffing (73 percent of respondents), not enough money and not considered a priority (both 65 percent of respondents).

Organizations are evenly divided in the deployment of an incident response plan. Fifty percent of respondents say their organization has an incident response plan in place. Information security and corporate counsel/compliance are the individuals most involved in the incident response process, according to 40 percent of respondents and 37 percent of respondents, respectively.

Technology poses a greater risk to patient information than employee negligence. The majority of respondents say legacy systems (52 percent of respondents) and new technologies and trends such as cloud, mobile, big data and the Internet of Things are both increasing vulnerability and threats to patient information. Respondents are also concerned about the impact of employee negligence (46 percent of respondents) and the ineffectiveness of business associate agreements to ensure the security of patient information (45 percent of respondents).

System failures are the security threat healthcare organizations worry most about. Seventy-nine percent of respondents say this is one of the top three threats facing their organizations followed by 77 percent of respondents who say it is cyber attackers and unsecure medical devices. Employee-owned mobile devices in healthcare settings are also considered a significant threat for 76 percent of respondents. Once again respondents are more concerned about technology risks than employee negligence or error.

Hackers are most interested in stealing patient information. The most lucrative information for hackers can be found in patients’ medical records, according to 81 percent of respondents. This is followed by patient billing information (64 percent of respondents) and clinical trial and other research information (50 percent of respondents).

Healthcare organizations need a healthy dose of investment in technologies. On average, healthcare organizations represented in this research are spending $23 million on IT and an average of 12 percent is allocated to information security. Since an average of $1.3 million is spent annually just to deal with DDoS attacks, the business case can be made to increase technology investments to reduce the frequency of successful attacks.

Most organizations are measuring the effectiveness of technologies deployed. At this time, 51 percent of respondents say their organizations are measuring the effectiveness of investments in technology to ensure they achieve their security objectives. The technologies considered most effective are: identity management and authentication (80 percent of respondents) and encryption for data at rest (77 percent of respondents).

There is much more to the report, which can be downloaded for free here.


Worried about the wrong thing: Hospital hacks show privacy, HIPAA might be dangerous to our health

Bob Sullivan


A few years ago, my long-time, elderly, live-alone neighbor was taken away in an ambulance. I wasn’t home and heard about it second-hand. At first, I had no idea how serious it was or even where he was taken, but I was really concerned. So I started calling local hospitals to ask if he’d been admitted. You can probably guess how that worked out for me.

I was stonewalled at every turn. Even when I said I might be the only one who would call about him, that I was concerned he had no nearby next of kin, I got nowhere. I was fully HIPAA’d out.

Eventually, I talked to local police who tipped me off that he had been brought to a nearby hospital. I called them again.

“Not to be morbid, but can I even confirm that he’s still alive?” I pleaded.

“Due to patient privacy, we cannot divulge anything,” I was told.

Now you probably know I care about privacy as much as the next person, but if my friend and neighbor was dying in a hospital bed, I was hell-bent to make sure he didn’t die without knowing at least someone cared about him. And this seemed cruel to me.

I called a few more times. I finally lucked out and got to someone who, from her voice, sounded quite a bit older. Maybe even a volunteer. She heard me out.

“You didn’t hear it from me,” I recall her saying. “But he’s recovering from brain surgery. He probably had a stroke.”

I’m happy to tell you that I went to see my neighbor a few times during the next several weeks, and after a long recovery, he’s actually doing really well.

I tell you all this because I am worried that situations like these are really helping hackers.

Perhaps you’ve heard about the rash of hospital and health care systems being attacked by ransomware. In the Washington D.C. area, a chain named MedStar was reduced to performing nearly all tasks on paper by a virus that locked all its files and demanded payment to unlock them. The problem is so serious that U.S. and Canadian authorities jointly issued a warning about ransomware on March 31, calling attention to attacks on hospitals.

What does this have to do with HIPAA, or my neighbor’s stroke? It shows we are worrying about the wrong things.

All of us have been HIPAA’d at some point. We’ve felt the wrath of the Health Insurance Portability and Accountability Act, enacted in 1996. Want a yes or no answer to a simple question from your doctor? You can’t get an email from her or him. You have to log in to a server that will probably reject the first five passwords you enter and then force you to a reset page, and half the time you’ll give up before you find out that, yes, you should take that pill with food.

There’s a saying in the geek world that “compliance is a bad word in security.” Walk into any health care facility and you’ll immediately get the sense that everyone from doctors to nurses to cleaning staff are TERRIFIED to violate HIPAA. On the other hand, I’ve been told by someone who has worked on a recent hospital attack that health facilities routinely are five or even 10 years behind on installing security patches.

Geoff Gentry, a security analyst with Independent Security Evaluators, puts it this way:

“We are defending the wrong asset,” he told me. “We are defending patient records instead of patient health.”

If someone steals a patient record, sure, they can do damage. They can perhaps mess up a patient’s credit report. But if someone hacks and alters a patient record, the consequences can be much more dire.

“It could be life or death,” he said.

Gentry was part of a team from Independent Security Evaluators that reviewed hospital security at a set of facilities three months ago in the Baltimore/Washington area. The timing couldn’t have been better. The message couldn’t be more important.

“For almost two decades, HIPAA has been ineffective at protecting patient privacy, and instead has created a system of confusion, fear, and busy work that has cost the industry billions. Punitive measures for compliance failures should not disincentivize the security process, and healthcare organizations should be rewarded for proactive security work that protects patient health and privacy,” the report says. “(HIPAA has) not been successful in curtailing the rise of successful attacks aimed at compromising patient records, as can be seen in the year over year increase in successful attacks. This is no surprise however, since compliance rarely succeeds at addressing anything more than the lowest bar of adversary faced, and so long as more and better adversaries come on to the scene, these attempts will continue to fail.”

In the test, Independent Security Evaluators found issues that ran the gamut from unpatched systems to critical hospital computers left on, and logged in, when patients are left alone in examination rooms. A typical problem: Aging computers designated for a single task that are left untouched for months or even years, missing critical security updates.

Larry Ponemon, who runs a privacy consulting firm, was an adviser on that project. His assessment is equally blunt.

“Being HIPAA compliant has become almost like a religion,” he says. “The reality is that being compliant with HIPAA doesn’t get you really far.”

To be clear: The report didn’t uncover lazy IT workers playing video games while IT infrastructure crumbles around them. Nor did it find uncaring doctors, nurses, or even administrators. To the contrary, it found haggard security professionals desperately trying to keep up with security issues, and generally falling hopelessly behind as their attention is constantly redirected to paranoia over compliance issues.

“A lot of companies have made poor investment decisions in security. They are doing things that are not diminishing their risk,” Ponemon, who runs The Ponemon Institute, said. (NOTE: Larry Ponemon and I have a joint project on privacy issues, a newsletter called The Ponemon Sullivan Privacy Report.)

Hackers are devoted copycats, so we know more attacks on hospitals are coming. At the moment, these attacks seem to have been limited to administrative systems, and the impacted health care facilities say patient care was unaffected. (I did interview a D.C.-area patient who said two doctors were unable to share his patient files, leading to unnecessary delay and expense).

It’s easy to imagine far worse outcomes, however. Gentry speculated that hackers could attack a specific patient and extort him or her. Ponemon talked about attacks on pacemakers or other digitally-connected devices that control patient health.

“These sound like they are science fiction, but hospitals are part of the Internet of Things,” he said. “And there doesn’t seem to be a plan to manage the security risk.”

The plan, Gentry says, has to involve righting the regulatory ship and letting hospitals and health care facilities worry about the right things.

“We need to take a lot of this bandwidth we are appropriating to compliance and use that bandwidth on security and patient health,” he said.

And we’d better start soon. Because we’ve given the bad guys a pretty sizable head start while we were distracted by Herculean efforts to protect my neighbor from me.