The U.S. healthcare industry faces a growing risk from cyberattacks, which makes it critical for providers to devote sufficient resources to designing and implementing a strategy that can mitigate that risk.
The risk of cyberattacks, the number of organizations potentially affected, and the damage resulting from them are at unprecedented levels today. News reports are replete with stories of data breaches at large, high profile-organizations, and the number of attacks experienced by hospitals recently provides ample evidence that health care as a sector is not immune, with one report having found that healthcare cyberattacks increased 63 percent in the past year. a
Some have even suggested that health care is being specifically targeted. And although implementing the safeguards required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) and privacy laws and avoidance of breaches is a sound policy, a similar approach should be considered for all cyberthreats. A cyberattack may not result in breach of protected health information (PHI) or personally identifiable information (PII), but it nonetheless can significantly affect a healthcare organization’s operating efficiencies, causing delays and other negative impacts on patient care. Given the gravity of such events, it is critical that all key stakeholders play a role in an organization’s cybersecurity risk management program.
The Unique Challenges of Cybersecurity in Health Care
In an interview with The Wall Street Journal in 2015, Jim Nelms, then the Chief Information Security Officer of the Mayo Clinic, said, “Medicine is 10 to 15 years behind in IT practices than other industries.” b
Nelms opined that protecting healthcare data was harder than securing data at financial institutions because of the vast array of special-purpose computers for medical devices, many of which have the potential to put patients at risk. He also suggested that information sharing between hospitals and medical practices added to that difficulty because of the greater likelihood of human error in those transactions.
Despite these circumstances, healthcare providers spend, on average, less than 6 percent of their IT budgets on security, according to a survey by HIMSS Analytics and the security firm Symantec. c That percentage is compared with 12 to 15 percent for financial and banking firms.
Healthcare providers also are particularly vulnerable to cyberattacks. In 2013, the Mayo Clinic assembled a team of security researchers and asked them to attempt to hack about 40 medical devices, including magnetic resonance imaging (MRI) scanners, ultrasound equipment, ventilators, and electroconvulsive therapy machines. d One researcher summed up the results: “Every day, it was like every device on the menu got crushed. It was all bad. Really, really bad.”
The clinic responded by developing security requirements for device suppliers, creating a threat intelligence group, and ensuring that risks and exposures were reported to the hospital’s board each quarter.
More recently, Independent Security Evaluators (ISE), a security firm, conducted a security assessment that looked at 12 healthcare facilities, two healthcare data facilities, two medical devices from one manufacturer, and a variety of healthcare web applications. In the executive summary of its report on the assessment, ISE says, “One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective.” e
The devices identified by ISE’s researchers as being potential attack targets had little value with regard to PHI or PII, but they were largely unprotected and an attack on any one of them could result in harm to patients.
A Systemwide Problem
Cybersecurity has long been viewed as the domain of IT staff. In the past, the biggest threat was that a computer virus would inconvenience a handful of computer users. Medical records were paper-based, and healthcare organizations’ systems had limited exposure to the Internet. External threats were minimal, and the extent of damage that could be wrought was much less. Moreover, at one time, hacking was perpetrated predominantly by technical thrill seekers, techno-vandals, and government-sponsored spies. Many organizations were relatively immune to cyberattacks because these old-school hackers saw little value in them.
Those days are over.
Attacks for Profit
Today, there is money to be made in cybercrime. Financial gain is not the only motivation, but it is by far the most common one. A 2016 report by Verizon finds that “breaches with a financial motive dominate everything else, including espionage and fun.” f
This is a significant concern for providers, because medical records are a more profitable target for hackers than are social security or credit card numbers. In a 2014 private industry notification, the FBI cites a 2013 report by RSA, the security division of EMC Corporation, that underscores this difference in value to cybercriminals, finding that a stolen medical chart can earn $50 on the black market, whereas a social security or credit card number will fetch only $1. g Why? Credit card fraud can be identified and addressed in little time. Banks employ computer algorithms to detect out-of-character spending, and a stolen credit card can be cancelled quickly. A stolen medical record, however, can be used for illicit purposes for much longer.
In addition to the sale of stolen information, ransomware has become a prominent model of profitability for criminals. Ransomware purveyors usually employ social engineering techniques to trick a computer user into installing it. But in some more insidious attacks seen in 2016, web servers were attacked and were then used to infect multiple computers inside the organization, greatly increasing the damage. When a computer is infected, the ransomware encrypts every file it can find on the computer itself and other computers on a network. The result is that targeted computers are effectively locked. A single infected computer can be “ransomed” for a payment of a few hundred dollars, but multiple infections can increase the cost, and worse, the amount demanded may increase if the payment is not delivered in a specified period.
There are several important points that leaders of an organization contending with a ransomware attack should understand: First, the attack is possible only because someone has installed malware on one of the organization’s computers. Second, some forms of malware may be communicating with rogue servers outside of the organization–i.e., “phoning home.” That is possible because someone has planted a technical “mole” inside the organization’s network. Even if ransomware is only an annoyance, there is a potential for such a “mole” under the control of someone outside the organization to cause significant damage—for example, by turning on a webcam, installing a keystroke logger to steal the organization’s passwords, or interfering with delivery of radiotherapy. Finally, The U.S. Department of Health & Human Services published guidance in July 2016 that make clear that makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. h
The “CIA Triad”
An important and widely accepted model of information security is the “CIA Triad,” where CIA stands for confidentiality, integrity, and availability, regarded as the pillars of security for any information system, whether it is an accounting system or a patient care system such as an electronic health record (EHR). i
Confidentiality. For good reason, the issue of confidentiality has garnered much attention, in part due to the mandates of the HIPAA privacy and security rules and the potential penalties for breaches. But the security rule also addresses integrity and availability of patient information.
Integrity. The HIPAA security rule also addresses the integrity of patient information. If an organization’s auditors cannot attest to the integrity of data in their financial systems, the consequences are apparent to any accounting professional. Integrity of health records and information in data-reliant medical devices also is crucial. And for those systems, accidental or intentional corruption of data could even cause harm to patients.
Availability. The third element of the triad has become more critical in health care with the growing reliance on EHRs and data-reliant medical devices. The security rule addresses availability considerations in the Administrative Safeguards section. Data backup, disaster recovery, and emergency mode operational plans are required to cover disasters and unexpected outages to maintain continuity of patient care.
Collateral Damage Costs
A cybersecurity incident can be costly to an organization in many ways. If it involves breach of PHI or PII, the organization may be subject to fines and penalties. Moreover, time and expense will certainly be required for breach disclosure activities, public relations, legal counsel, and credit-monitoring services for individuals whose information was compromised.
For example, an attack involving ransomware may seem like a relatively low-cost security incident, given that the typical ransom for a single computer is a few hundred dollars. In many cases, hospitals that experienced such attacks in 2016 were able to recover using backup data, and paid no ransom, but some hospitals were without computer systems for several days, and one hospital paid a ransom of about $17,000. j
For a healthcare organization, the impact of being unable to access its computer systems for over a week can be severe. HIPAA rules require organizations to have a contingency plan to maintain continuity of care in the event of disaster. But reverting to paper, which was the only recourse for some hospital ransomware victims, would be far from “business as usual.” A large number of employees—IT, legal counsel, and public relations staff, in particular—would have to drop what they are doing do to focus on the incident. Consultants might need to be engaged, and if physicians and other staff had to rely on paper records for several days, a large backlog of information would eventually have to be collated and entered into the EHR and other systems once back online. Appointments and procedures that were postponed because systems were down would need to be rescheduled. That’s a lot of lost productivity and possible additional cost, even if the organization didn’t pay a dime in ransom.
Cybersecurity as an Enterprise Risk Management Issue
Given the wide-ranging impact that a cyberattack could have on an organization, cybersecurity is clearly an enterprise risk for any organization, including organizations in the healthcare sector. In 2014, the National Association of Corporate Directors (NACD) issued guidance to corporate boards on cybersecurity stressing that directors should understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue. k NACD’s guidance includes the following recommendation:
Appoint a cross-organization cyber-risk management team. All substantial stakeholder departments must be represented, including business unit leaders, legal, internal audit and compliance, finance, human resources, IT, and risk management.
NACD further emphasizes the need for board-management discussions concerning cyber-risk that should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
A Risk-Informed Strategy
Despite the fact that average healthcare spending on cybersecurity lags other industries, simply allocating more funds toward preventive measures does not guarantee a successful security program. There are many security solutions on the market, but before deciding which solutions would be best to pursue, an organization should first understand its own unique risks. Not all solutions are appropriate for all organizations. A “best-of-breed” technology solution may address a broad range of risks very well, for example, but if most of those risks are not high priorities for the organization, the solution may be overkill. Cybersecurity spending should be aligned with an organization’s top business risks and proportionate to the risk it is intended to mitigate.
When developing a well-informed strategy, organizations can benefit from adopting the following three recommendations.
Perform a cyber-risk assessment. Just as healthcare organizations are expected to perform HIPAA risk assessments, they also should undertake overall cyber-risk assessments. Although an organization’s IT department will play an important role, the task should not be delegated to IT entirely—financial, operational, and other members of the leadership team should be involved.
IT staff can furnish recommendations for mitigation solutions (and costs) for any number of cyber-threats. But they are not equipped to determine which risks are the most important to address. The unfortunate truth is that no organization can guarantee 100 percent protection from every cyberattack or even any particular cyberattack, so organizations should not dilute their cybersecurity efforts by trying to mitigate every conceivable threat risk. It is up to organization’s leadership team to prioritize responses to cyber-risks in partnership with IT.
The risk assessment should address four broad questions:
- What needs to be protected?
- What are the relevant threats?
- What are the organization’s vulnerabilities to the identified threats?
- What impact would a realized threat have on the organization?
Addressing the first question—i.e., analyzing what assets require protection—involves what is commonly referred to as a “crown jewels analysis.” l In essence, it involves identifying which information assets are most critical to the organization’s mission, and what systems and processes support them.
The second question, focusing on assessment of relevant threats, should contemplate who might attack the organization, what form the attack might take, and the likelihood of its occurrence. These are important considerations: An organization cannot control who will attack it, but it can control its strategy against entities that pose potential threats.
When evaluating vulnerabilities, the organization should carefully analyze weaknesses exist in its systems that could allow a threat to be realized.
In addressing the fourth question regarding the impact of an actual cyberattack, the organization should consider the potential financial and operational costs it might incur from such an event that compromises one or more of its assets, as well as unquantifiable costs, including erosion of the organization’s reputation within its community.
Use existing security guidance. An organization can manage risk by reducing either its vulnerabilities or the impact if a vulnerability were exploited by a cybercriminal. However, organizations do not need to develop a cybersecurity program on their own from scratch. There is considerable free guidance available in the industry to help organizations with such efforts.
Among the best-practice resources that are available to an organization started, two of the most recognized and commonly adopted are the Cybersecurity Framework, developed by the National Institute of Standards and Technology (NIST), and the 20 Critical Security Controls, created by the Center for Internet Security (CIS). m
The NIST framework is a set of standards, guidelines, and practices that allow organizations of any size to implement sound cyber-risk management. The framework is organized around five core functions: identify, protect, detect, respond, and recover.
The CIS 20 Critical Security Controls are not a framework separate from the NIST material, but a set of highly focused actions that complement the NIST framework. The controls were developed by a consortium of security professionals across many industries and nations using actual threat data. They have been proven to mitigate a significant number of the most common vulnerabilities, and they are regularly updated to remain current and abreast of the ever-changing cyber-threat environment. Specific recommendations are provided for each of the CIS’ 20 categories.
If implementing the NIST framework and CIS Critical Controls initially seems daunting, organizations should consider starting with a set of four strategies developed by Australia’s Department of Defense. n Implementing these measures—patching operating systems, patching applications, whitelisting applications, and minimizing administrative privileges—is a great first step. The Australian government found these to effectively mitigate 85 percent of the threats to which it has responded.
Avoid the trap of “checkbox compliance.” Risk assessment and compliance is not a one-time activity. Organizations should avoid the trap of “checklist compliance,” believing they are finished once they have implemented all the recommendations of the NIST framework and the CIS controls and the last box is checked. This notion should be dispelled, along with the idea annual or more frequent audits are all that is required to validate compliance with the organization’s security controls. Security requires constant vigilance, because an organization’s level of protection can degrade in many different ways.
For example, keeping operating systems and applications current with the latest security patches is a critical security control. Maintaining strict control of changes to the organization’s technology environment also represents good security practice. But it is all too easy to delay a patch installation or make an exception for expediency to the organization’s change-control process. Such lapses can have an immediate, detrimental impact on the organization’s security posture, which means one of those boxes just got unchecked.
The Economical Solution: Prudent Strategy
It may be easy to think that because some larger organizations with huge security budgets have been successfully hacked, you don’t stand a chance. But the truth is that some of the high-profile breaches might have been prevented if some of the CIS controls had been effectively implemented.
Security is an important challenge, and success in meeting that challenge is far from guaranteed. But one thing is certain: Organizations can greatly improve their security posture by prudently employing established and recognized strategies.
Now more than ever, it is imperative for healthcare finance leaders to ensure that their organizations place an organizationwide emphasis on data security. The organization’s IT staff will be instrumental in recommending strategies for reducing risks, but the entire organization needs to be involved in determining which risks are the most important ones to avoid and what is the most cost-effective way to do so. Otherwise, too much time could be spent on efforts to reduce less consequential risks leaving too little time to devote to the most significant risks. Falling short could not only waste resources, but also compromise the trust of key stakeholders.
Tom Andre is vice president, Information Services, Cooperative of American Physicians, Inc. (CAP), Los Angeles.
a. TrapX Labs, Health Care Cyber Breach Research Report for 2016 , December 2016.
b. Nash, K.S. “Mayo Clinic CISO Says Health-Care Data Harder to Protect Than Financial Information,” The Wall Street Journal, June 2, 2015.
c. Symantec, “ Addressing Healthcare Cybersecurity Strategically ,” produced by HIMSS Media, 2016.
d. Reel, M., and Robertson, J., “It’s Way too Easy to Hack the Hospital,” Bloomberg Businessweek, November 2015.
e. Independent Security Evaluators, “Securing Hospitals: A Research Study and Blueprint,” Feb. 23, 2016.
f. Verizon, “2016 Data Breach Investigations Report,” 2016.
g. FBI Cyber Division, “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain,” April 8, 2014.
h. Samuels, J., “Your Money or Your PHI: New Guidance on Ransomware,” hhs.gov, July 11, 2016.
i. See Rouse, M., “Confidentiality, Integrity, and Availability (CIA Triad),” WhatIs.com, November 2014.
j. See Letter from Allen Stefanek, president and CEO of Hollywood Presbyterian Medical Center, Feb. 17, 2016.
k. Clinton, L., “Cyber-Risk Oversight,” Director’s Handbook Series, National Association of Corporate Directors, 2014.
l. MITRE, “Crown Jewels Analysis,” System Engineering Guide.
m. NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, Feb. 12, 2014; CIS, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.1, Aug. 31, 2016.
n. Australian Government, Department of Defense, Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirement Explained, July 2013.