Hospitals need to reassess their cybersecurity risk regularly because the cyber threat landscape is changing constantly.

Nov. 18—Hospitals shouldn’t forget mobile devices and other technology platforms when assessing their cybersecurity risk, according to a new report by the Medical Identity Fraud Alliance (MIFA), which collects wisdom from anti-fraud experts to help healthcare organizations fight medical identity theft.

The MIFA report offers advice on identity proofing tools, fraud management practices, and fraud mitigation planning to combat medical identity theft, which affects two million people annually. MIFA, a trade association of healthcare providers, payers and service providers protecting consumers and members from medical identity theft and fraud, endorses a system-wide approach to cybersecurity, according to Ann Patterson, senior vice president and program director.

“Hospitals need to look at all systems to see how they interact with each other and with people, patients, staff, physicians, and vendors. That should include mobile devices, wearables connecting patients to the system, mobile apps, and medical devices,” Patterson said.

A layered approach based on risk assessment is important, she said in an interview.

“Cybersecurity is not one-size-fits-all,” Patterson said. “Each risk assessment will yield differing vulnerabilities. You must also reassess regularly. The cyber threat landscape is changing constantly – as you deploy new technology or change people and processes, you should evaluate how it’s connected to your data security processes.”

Starting Point

Darren Lacey, chief information security officer (CISO) for Johns Hopkins University Health System, advised hospitals investing in cybersecurity to first review and check off the basic HIPAA compliance boxes.

“You have to essentially assess your network and have reasonable controls on devices and strong, sensible controls against abusers,” Lacey said in an interview. “You have to have an active vulnerability management program to assess the network and ameliorate threats. The core itself is really hard to do. The other pieces, the security whiz bang stuff, can go on top of that and can vary substantially, depending upon the size and complexity of the organization. The most important thing is to be able to honestly assess how you’re doing with blocking and tackling.”

Lacey stressed the importance of building high-quality IT and cybersecurity teams.

“The quality and sophistication of people thinking about the problem is your principal hedge against these types of challenges,” Lacey said. “Because top IT and security people are very expensive, many healthcare organizations haven’t wrapped their heads around staffing costs. Add to the equation the sophistication of hacking attempts and that raises the ante. As tempting as it is for hospitals to economize on complex and expensive IT infrastructure, in this environment, that can come back and bite you.”

Ransomware Threat

Rick Kam, CEO of ID Experts, the largest provider of identity protection to the U.S. government, said ransomware is one of the biggest and most recent threats to healthcare organizations.

“They typically come from outside the U.S. and focus on organizations with critical needs to access data and a willingness to pay ransoms when their data is held hostage,” Kam said in an interview.

Kam said healthcare organizations of all sizes are experiencing cyberattacks, up to 4,000 per day.

“Unfortunately, size doesn’t matter, but healthcare is one of the key targeted industries because of their need for data. This is the attack vector du jour; organizations are paying and may be hit even more frequently,” Kam said.

Healthcare organizations of all sizes need clean backup systems, whether their operations include one or 10,000 computers, Kam said.

“Having a good backup system and testing it is imperative. The more sophisticated systems have backup systems off site,” Kam said. “Too many small systems run backups only occasionally or have their backups connected to their existing networks and get attacked. The bad guys know that if they make it harder for hospitals to recover their backups, they are more likely to pay, so one of the first things they do is destroy the backup systems if they can find them. Hospitals need their backups to be unconnected to the main network, and that’s hard for small offices or hospitals.”
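The two points Kam makes, that a backup is only useful if a restore from it has actually been tested and that the integrity reference must live somewhere an intruder on the network cannot reach, can be turned into a routine check. The script below is an added illustration, not code from the article or from ID Experts: it archives a constructed sample tree, records a SHA-256 manifest separately (the copy that belongs offline), restores the archive into a clean directory and reports anything missing, unexpected or altered. All file names and contents are constructed for the demonstration.

```python
"""Restore-test a backup against a manifest kept apart from the network.

Added example (not from the article): a small source tree is archived, a
SHA-256 manifest of the originals is recorded separately (the copy you would
keep offline), and the archive is restored into a clean directory and checked
file by file. All paths and data are constructed for the demonstration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database dumps do not fill RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive src and return the manifest to store away from the backup share."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return build_manifest(src)


def restore_backup(archive: Path, dest: Path) -> list[str]:
    """Extract regular files only, refusing member names that would escape dest."""
    restored = []
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = Path(member.name)
            if rel.is_absolute() or ".." in rel.parts:
                raise ValueError(f"unsafe member name in archive: {member.name}")
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, target.open("wb") as out:
                out.write(src.read())
            restored.append(rel.as_posix())
    return restored


def verify_restore(dest: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the restored tree with the offline manifest."""
    actual = build_manifest(dest)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "corrupted": sorted(
            k for k in manifest if k in actual and actual[k] != manifest[k]
        ),
    }


def restore_test_passes(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def run_demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Return the verification reports for a clean restore and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "emr"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patients.db").write_bytes(b"constructed sample rows\n" * 200)
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        archive = base / "nightly.tar.gz"
        manifest = create_backup(src, archive)  # manifest goes offline, archive off site

        clean = base / "restore_clean"
        clean.mkdir()
        restore_backup(archive, clean)
        clean_report = verify_restore(clean, manifest)

        # Simulate a backup that malware reached: one file overwritten, one deleted
        damaged = base / "restore_damaged"
        damaged.mkdir()
        restore_backup(archive, damaged)
        (damaged / "records" / "patients.db").write_bytes(b"encrypted garbage")
        (damaged / "config.ini").unlink()
        damaged_report = verify_restore(damaged, manifest)
        return clean_report, damaged_report


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), run_demo()):
        print(label, "PASS" if restore_test_passes(report) else "FAIL", report)
```

The design point is that the manifest is produced from the live source at backup time and compared only against a restore performed into an empty directory, so a restore job that silently returns altered or missing files fails the test rather than being trusted because the archive file still exists. Scheduling such a restore test is what turns "we have backups" into "we have verified we can recover".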

Kam recommended hospitals explore cyber insurance policies to cover the costs of data breaches. More firms are now offering such policies and the prices have dropped.

Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS) North America, said new malware is being created each day so hospitals must contend with these new strains. According to Symantec, there are 1,179,000 new malware strains each day. Attackers tend to use “tried and true” approaches because they know that many hospitals are slow to patch their systems.

“Criminal attacks are now the top cause of data breaches,” Kim said in an interview.

Kim warned hospital financial executives about a wire fraud scam called the “business email compromise.” In that scheme, hackers try to connect with healthcare executives who have access to an organization’s finances and target them with credible-looking bills.

“Because of social media, it’s easy for them to obtain contact information and they send very convincing e-mails appearing to be real people in real organizations,” Kim said. “Some people get coaxed into it and transfer money.”

The Internet Crime Center estimated in January 2015 that organizations had wrongfully paid $3 billion under such schemes.
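The traits Kim describes, a convincing sender identity, a plausible invoice and a request to move money, leave traces in the message itself that a mail gateway or a finance-team mailbox rule can check. The script below is an added example, not code from the article or from HIMSS: it parses a message with Python's standard `email` module and flags an executive's display name paired with a foreign address, a sender domain one or two edits away from the organization's own, a Reply-To that diverts the conversation elsewhere, and payment or urgency wording. The organization domain, the executive directory and both sample messages are constructed for the demonstration.

```python
"""Flag business-email-compromise traits in a message's headers and body.

Added example (not from the article or HIMSS): the organization domain, the
executive directory and the two sample messages are constructed for the demo.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-hospital.org"  # hypothetical hospital domain
EXECUTIVES = {  # hypothetical directory: display name -> real address
    "dana cfo": "dana.cfo@example-hospital.org",
}
PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|invoice|payment|bank account|urgent|immediately)\b", re.I
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (hospita1 vs hospital)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str, org_domain: str = ORG_DOMAIN,
            executives: dict[str, str] = EXECUTIVES) -> list[str]:
    """Return the reasons the message looks like BEC (empty list = none found)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    flags = []

    # 1. Display name of a known executive paired with a different address
    known = executives.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append(f"display name '{name}' belongs to {known} but address is {addr}")

    # 2. Sender domain within two edits of ours, but not ours
    if from_dom and from_dom != org_domain and levenshtein(from_dom, org_domain) <= 2:
        flags.append(f"sender domain {from_dom} is a lookalike of {org_domain}")

    # 3. Replies silently routed to a third domain
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Payment and urgency language in the subject or text body
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += "\n" + payload.decode(part.get_content_charset() or "utf-8", "replace")
    terms = sorted({t.lower() for t in PAYMENT_TERMS.findall(text)})
    if len(terms) >= 2:
        flags.append("payment/urgency language: " + ", ".join(terms))
    return flags


# Constructed sample messages
SUSPECT = """\
From: Dana CFO <dana.cfo@example-hospita1.org>
Reply-To: dana.cfo@mail-relay.example.net
To: ap@example-hospital.org
Subject: Urgent vendor invoice
Content-Type: text/plain; charset=utf-8

Please wire the attached invoice payment immediately; I am in meetings all day.
"""

LEGIT = """\
From: Dana CFO <dana.cfo@example-hospital.org>
To: ap@example-hospital.org
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Cafeteria at noon?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, analyse(raw) or ["no BEC indicators"])
```

None of the four checks is decisive alone; the value is in routing a message that trips several of them to a human review queue, and in pairing the technical check with the procedural one Kim implies, a second channel (a phone call to a known number) before any payment instruction from e-mail is acted on.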

Threat Grows

Hussein Syed, CISO for RWJ Barnabas Health, said cybersecurity has become a grave threat to healthcare providers and healthcare executives are witnessing record-high levels of exfiltration of patient data.

“It’s not just a topic of conversation at CFO and CEO annual peer meetings, but there is reputational damage, the ‘Wall of Shame’ from HHS and fines imposed on hospitals and health systems due to HIPAA breaches,” Syed said in an interview.

Syed said effective cybersecurity strategies involve forming policies and procedure training.

“Most are more resource dependent than cost heavy,” Syed said.

He estimated that 10 percent of IT budgets should be earmarked to implement the leading technologies to deal with cyberattacks.

Syed suggested hospitals focus on providing e-mail security, blocking spam and phishing attacks, implementing advanced threat detection and mitigation, and protecting key systems from denial-of-service attacks. Syed stressed employee and staff training, education, and awareness.

“You have to show them what can happen, so security becomes a part of the culture,” Syed said.

The American Hospital Association (AHA) said in a written statement that “hospital leaders are using the lessons learned in previous attacks and are applying best cybersecurity practices shared by the AHA in an effort to anticipate and respond to existing and emerging threats.”

Mark Taylor is a freelance writer based in Chicago.

Publication Date: Friday, November 18, 2016