April 2013
Healthcare Information: the New Terrorist Target
By Julie Knudson
For The Record
Vol. 25 No. 6 P. 10
As the industry moves into the digital realm, safeguarding sensitive medical information needs to become a top priority.
Consider the following hypothetical scenarios: Enemy agents gain access to the immunization records of US fighting forces, allowing them to know which biological agents are most likely to decimate troops. Patients who underwent abortions at a local clinic receive death threats because an extremist group pilfered their names from the organization’s EHR system and posted them online. Incorrect dosages of a new medication are administered to patients after a disgruntled employee changes dozens of orders in retaliation for a poor performance review.
A cyberattack on the healthcare system may sound like a Hollywood movie plot, but Rick Kam, president and cofounder of ID Experts, says the threat is anything but fiction. “We’re anticipating that 2013 will be the year of a major breach in healthcare,” he says, adding that the expectation is for very large numbers of records to be compromised this year alone. Other industries already have fallen victim, and healthcare’s enormous volume of sensitive data makes it a fruit ripe for the picking, Kam says.
In the January 2013 report “Cyberterrorism: Is the US Healthcare System Safe?” published in Telemedicine and e-Health, Peter Yellowlees, MBBS, MD, a professor of psychiatry and the director of the graduate program in health informatics at the University of California, Davis, explained cyberterrorists’ objectives are “to cause harm and generate fear” while demonstrating that the potential for an attack on the US healthcare sector is very real. Throughout his research, Yellowlees attended conferences where groups such as the FBI presented several case studies illustrating the alarming vulnerability of health systems.
What Is the Threat?
Financial schemes and vengeful employees are the most common reasons for launching a cyberattack, but Charles Croom, vice president of cybersecurity solutions at Lockheed Martin, says it would be a mistake to assume that cybercriminals have only monetary or punitive goals in mind.
Manipulating health records is an ongoing concern, but the mundane scenarios can have significant, unexpected consequences. “Just interrupting operations would be, to me, an important impact,” Croom says.
In addition to bomb threat-type attacks, Yellowlees says assaults on the public infrastructure—most notably water and power supplies—have the potential to cripple the healthcare system. Another likely target is that bastion of data: the EHR. On that front, cyberdangers in the healthcare sector generally fall into three categories: the exposure of private or sensitive data, manipulation of data, and loss of system integrity.
“It’s a matrix,” Yellowlees says. “One issue is looking at the types of places that are attacked, but then the other part of the matrix is looking at who is attacking and why.” Determining which industry areas are vulnerable and where the dangers are likely to originate can help organizations craft a solid defense plan.
Yellowlees says most healthcare systems regularly experience cyberattacks. In many cases, the attacks originate from Eastern Europe and employ automated platforms, but firewalls can thwart the intruders.
But for as much attention as organizations pay to offshore criminals, other types of attacks may actually pose a larger threat. “In some respects, individualized attacks are more dangerous,” Yellowlees says. A disgruntled employee with a list of active passwords and access to a hospital’s systems has the potential to inflict far more damage than someone who must first conquer perimeter security appliances and hack into a system. Authorized individuals can download sensitive data, drop nasty viruses into the organization’s network, and even open back doors for others to use.
These insider, stealth-type attacks can cause greater damage because they typically are much more targeted and likely to impact the trust level of the people—providers and patients alike—using the system, Yellowlees says. “That is the ultimate aim of many of these cyberterrorist attacks,” he explains. “It’s to basically get the users to lose trust in the systems they have.”
Losing trust in a network’s integrity or its data may seem like a secondary concern, but it is really of primary importance. Yellowlees says providers as well as patients must be able to rely on accurate and complete data at every step in the care delivery process. Trust diminishes if medical or financial data are modified or accessed by unauthorized individuals, manipulated information leads to medical errors, and data are made public without proper consent. “If you happen to be a VIP or you’ve had a stigmatized illness, you’re going to be pretty keen to not have that become public knowledge,” Yellowlees says.
Exactly what types of information criminals are likely to be after is still unknown, according to Glenn Kurowski, vice president of health and life sciences at Lockheed Martin. “The people who are out there doing cyberterrorism haven’t focused as much on the healthcare industry, so there’s not nearly as much empirical evidence as to what the targets are,” he says while juxtaposing cases that seem to be born of simple malicious intent against instances in which data were taken for their monetary value. Where criminals will find the sweet spot is a mystery, although Kurowski says, “It’s still difficult for me to get my head around the financial value of the data in the clinical stream.” Instead, he believes that ushering in disruptions—in terms of privacy or data integrity—to do harm is more likely to be the goal. Causing chaos that affects the brand of a given provider also is a potential motivator, he adds.
How Real Is the Threat?
While the number of reported exposures has dropped since 2010, the portion of breaches attributable to theft has risen. According to a study released by the Health Information Trust Alliance in December 2012, 54% of data breaches in the healthcare sector were the result of theft. The numbers indicate that providers may be getting better at reducing inadvertent data loss, but criminals have continued to gain an advantage in forcing their way in.
As healthcare continues to go digital, more nefarious activity could follow. “The good news is that we haven’t seen a lot of it in the news, but the bad news is that it doesn’t mean it couldn’t happen and it more than likely will happen over the course of the next few years,” Kam says.
The value of sensitive medical information—from street-level hackers all the way to rogue nation states—continues to grow. “Medical records show a lot about our various afflictions, whether it’s a dependence on various drugs or cancer,” Kam says. When data have the potential to influence political elections, gain a competitive advantage in the business world, or simply instigate fear and chaos, they are inherently valuable to those who would misuse them.
The fact that many hospitals are focused on accidental data exposures reveals there already are security holes, weak points that can be exploited by cyberterrorists. If data can quietly leak out, how difficult would it be to fend off a determined attacker? “Healthcare organizations are more focused on data spills because they can get their arms around those, and there is statutory guidance in terms of what the required reporting and remediation are,” Kurowski says. If hospitals want to gear up for an actual attack, he suggests looking at the protection posture taken by companies in the medical device and pharmaceutical industries. “Right now there’s much more recognition of a sophisticated threat actor going after intellectual property for exploitation,” he explains.
Currently, there is more nefarious activity in sectors where intellectual property is the principal commodity, but Kurowski anticipates that as the intrinsic value of medical data begins to increase, the healthcare space will become an increasingly attractive target. “A few years from now, I think it will be different,” he says.
How to Form a Stout Defense
Ensuring that stakeholders throughout the organization are aware of the problem—its scope and potential consequences—is one of the first steps healthcare providers should take, according to Yellowlees. Next, it’s important to craft a plan that addresses everything within the data-risk landscape. “[Hospitals] need to make very clear policy decisions about how they manage and protect their clinical data,” he says.
Not only do organizations need to evaluate their technical plan, they also must identify the areas where people can help or hinder the process. Social engineering must be addressed in concert with technology and other security platforms. “Look at the human side and make sure that whoever you’re employing doesn’t have a criminal record or isn’t likely to be a security risk,” Yellowlees says. “The big risk from cyberterrorism quite honestly comes from the human element.”
In addition, he stresses the importance of regular system audits to ensure that security measures are in place and being used appropriately. “Hospital groups need to have a fairly comprehensive policy process to protect their data,” he explains. Providers don’t need to develop separate cyberterrorism strategies but should instead incorporate protective measures into their overall plan. The threat landscape is dynamic, and any security tactic designed to defend against cyberterrorism can’t be treated as a set-it-and-forget-it component. “If [they] just come back and review the plan every two years, it’s not going to work,” Yellowlees says.
Part of good organizational awareness includes examining the different ways a terrorist may be able to access sensitive data. Kam says it’s crucial to develop a holistic defense plan that addresses all potential gaps, even those that may be difficult to plug. “IT organizations need to look at not only the data they manage but also data that is managed by their users,” he says.
With the growth of mobile devices in the healthcare realm, many IT groups no longer have the tight grip on access and storage protocols that they used to. “Those other data sources need to be included in IT’s overall strategy because it is, unfortunately, a weak link in the chain,” Kam says.
Kurowski echoes the need to plan for all the methods an attacker might employ, pointing out that healthcare organizations often have additional challenges on that front. “I think it’s very difficult to manage provider systems right now because they’re being put together from so many pieces,” he says. “Between consolidation and coexistence among providers, these tend to become a bunch of disparate pieces in a network.”
Each link in the chain must make cybersecurity a priority, Kurowski says, adding that once everyone is on the same page, only then will a discussion about protection mechanisms be meaningful and effective.
— Julie Knudson is a freelance business writer based in Seattle.
Why Hospitals Have Been Slow to React
Large health systems generally have the expertise on staff to ensure that cybersecurity issues are on the organization’s agenda and that a fairly robust suite of countermeasures has been put into place. Peter Yellowlees, MBBS, MD, a professor of psychiatry and the director of the health informatics graduate program at the University of California, Davis, believes that smaller hospitals are more likely to be lacking the necessary resources (often in terms of both knowledge and funding), thus becoming more vulnerable to a cyberattack. “They may simply be less aware of this issue,” he says.
Still, even large organizations are sometimes stymied by leadership inertia. “One of the issues we’re seeing is at the board and executive management level,” says Rick Kam, president and cofounder of ID Experts. “There is essentially a lack of awareness that this problem exists.”
The frantic pace of technology innovation in the healthcare sector has fed that knowledge gap. It can be difficult, especially for nontech folks in the C-suite, to even keep up with the latest offerings, let alone anticipate what may be on the horizon. Kam believes that the rapid and widespread shift to mobile devices and cloud computing has compounded the issue, making the transition from one platform to the next much faster than in years past. “Technology is shifting very quickly, and the mindset of executives is not shifting quickly enough,” he says.
—JK