Healthcare providers represent an attractive target for hackers due to the wealth of information they store about their patients. The Cipher Brief spoke to Greg Porter, founder of information security consulting firm Allegheny Digital, about the nature of the cyber-threat to the healthcare industry. He says that healthcare providers should be more proactive in their cyber-defenses, and that they should prepare for insider threats as well as external ones.
The Cipher Brief: It seems like there is a trend towards a greater number of hackers targeting healthcare providers. Is this the case and, if so, what is responsible for this trend?
Greg Porter: I think there’s an increase in terms of interest in healthcare organizations because of the data they hold and, in many cases, the inadequate information security controls governing that data. Quite often, when discussing cyber-attacks, you hear words such as “advanced” or “sophisticated” when in reality much of what plagues healthcare security operations are fundamentals: limited awareness regarding what assets contain electronic protected health information; theft or loss of laptops and other mobile devices; inadequate patch management; lack of encryption for sensitive patient data. These types of weaknesses don’t require advanced or sophisticated techniques to exploit; they simply provide a welcome mat for attackers to target health care organizations and their protected health information (PHI).
There are a number of factors driving the interest in health care data. For instance, seven to ten years ago, credit card data was much easier prey for fraudsters, going for multiple dollars depending on how fresh the data was and the spending limit associated with the compromised account. At the time, the sheer volume of cardholder data available on the black market began to drive the price per compromised account downward. More recently, companies like MasterCard and Visa have made it more difficult for criminals to get access to this type of data by replacing the credit card’s magnetic stripe with chip-and-PIN technology, and fraud analytics also continue to improve. As a result, attackers began to focus their attention elsewhere, looking for the next easy target. Unfortunately, for healthcare organizations, they appear to be next in line, and I don’t see this issue subsiding anytime soon.
Covered entities, such as a healthcare provider, have been required to protect electronic patient records since 2005. Yet here we are, many years after the fact, and we continue to deal with the challenges. The longer it takes a health care organization to determine what adequate security is and should be, the greater the advantage the adversary has.
To further understand what’s driving the interest of a hacker, take a compromised medical record as an example; it not only contains personally identifiable information (“PII”) about the patient, but also related insurance information and possibly financial data as well. This richness of information creates a number of fraud opportunities for criminals, from basic identity theft, exploiting insurance details and prescription drug benefits, to creating a detailed dossier on a political target of interest. The breadth of potential fraud is really only limited to the creativity of the individual in possession of the data.
Generally speaking, things like our social security number, date of birth, and other basic medical information don’t change over time, unlike a credit card number, which we can cancel and change quickly if fraud is detected. The reality that our medical information tends to be persistent means an attacker can use and/or sell this data many times over, to any number of interested parties, into near perpetuity. This persistence is unique to our medical record and is yet another reason covered entities represent such a desirable target to an attacker.
TCB: What are common mistakes that hospitals and other healthcare providers make in regards to cybersecurity? What are the best practices for avoiding these mistakes?
GP: If you examine available breach data, there’s no shortage of mistakes, unfortunately. A bit of a silver lining perhaps to the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) breach portal is that it’s full of lessons learned; common mistakes include inadequate physical safeguards and/or a lack of situational awareness resulting in the theft of laptops and mobile devices containing unencrypted ePHI. Efficiently identifying and responding to cyber-related intrusions before they result in a breach of PHI has been and continues to be a challenge for many healthcare organizations as well.
The breach portal is a good place to start in terms of assessing your current security posture by simply asking, “what are we doing right now to prevent this from happening to us?” The Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule established a baseline standard of care for protecting the patient records a covered entity creates, receives, maintains, or transmits. By law, healthcare organizations must meet those requirements; however, they must look beyond HIPAA’s administrative, physical, and technical safeguards and consider other frameworks and controls that will further assist them with defending their systems and data.
Regarding best practices, there’s no shortage of additional security frameworks and controls for healthcare entities to consider, and the “fog of more” can be overwhelming. In my opinion, a reasonable place to start begins with understanding how attackers are compromising enterprise systems and data today and then using that knowledge to guide and prioritize how we can defend our networks to detect and respond to such attacks. The Center for Internet Security (“CIS”) Critical Security Controls represents a consensus, community-based opinion regarding effective and specific technical measures an organization can take to disrupt the actions of an attacker.
TCB: Hollywood Presbyterian Medical Center recently paid a $17,000 ransom to regain control of its systems after being infected by ransomware. How do you see this incident changing the threat environment for healthcare providers?
GP: I really don’t see it changing the threat landscape. Ransomware is yet another way attackers are getting health care organizations to ante up for ineffective security. The incident serves as an example that covered entities should have established processes for identifying the tactics, techniques, and procedures of the adversary and use this understanding to make informed tactical and strategic security investment decisions. Whether it’s covertly stealing medical records or overtly encrypting files belonging to a hospital, the bottom line is that someone will inevitably pay for failing security, either consumers, the covered entity, or both. Health care organizations need to consider the costs incurred following a breach versus investments in technology and competent staff to detect and respond to an incident before it results in an exposure of PHI.
TCB: How can healthcare providers better protect themselves against cyber-threats?
GP: Legally, you want to be in a defensible position, so first and foremost ensure your business is compliant with relevant regulations such as HIPAA. Recognize that applicable security and privacy laws set an expected standard of care, a minimum baseline, so consider what your organization could be doing beyond meeting regulatory requirements.
I mentioned the Critical Security Controls as being a useful reference for prioritizing controls that provide meaningful risk reduction. Others, such as HITRUST’s Common Security Framework and NIST’s Cybersecurity Framework, can help as well. Additional considerations include forming hunt teams to proactively search your environment for potentially compromised systems and other internal weaknesses.
Lastly, a lot of health care fraud is committed by insiders who already have access to the network and sensitive information. Consider performing a diagnostic analysis of how your organization measures up to the practices outlined in CERT’s Common Sense Guide to Mitigating Insider Threats.
Healthcare organizations are and will continue to be a highly desirable target of attackers for the foreseeable future. As someone who works on addressing the challenges of securing patient data and systems daily, I’d encourage the reader to engage the resources mentioned above, as well as the National Health Information Sharing and Analysis Center (“NH-ISAC”). By harnessing the experiences of the healthcare security community at large, we can better identify and prioritize the actions that need to be taken.