Essay: Healthcare Breaches: An Evolving Threat

  • Published: 1 April 2019*
  • Last Modified: 23 July 2024

Healthcare Breaches: An Evolving Threat

Landon A. Seabrooks

Webster University

CSSS 5210

Professor Donald George

June 18, 2018

Table of Contents

Abstract

Introduction

Data Breaches in Healthcare Statistics

Examples of Data Protected in Healthcare Organizations

Vulnerabilities That Lead to Data Breaches in Healthcare

Case Studies of Data Breaches in Healthcare

Impact of Data Breaches in Healthcare

Financial Impact

Other Repercussions of Data Breach

Data Protection Laws in the US

List of Security Breach Notification Laws by State

California Data Protection Law

Health Insurance Portability and Accountability Act (HIPAA)

Components of HIPAA

Enforcement

Penalties

Strengths

Weaknesses

Application in a Business Setting

Recent Cases of Law Interpretation

Data Protection

Data Protection Strategies

Physical Safeguards

Administrative Safeguards

Technological Safeguards

i. Access Controls

ii. Penetration Tests and Vulnerability Scanners

iii. Antispyware and Antivirus

iv. Password Management

v. Mobile Device Management

vi. Data Encryption

Challenges to Implementing Effective Data Protection in Healthcare Organizations

Conclusion

References

Abstract

A data breach refers to a situation in which unauthorized parties access sensitive information. Data breaches in the healthcare industry have been increasing due to the increased value of the personal information obtained from these organizations. Personal information in the healthcare industry includes names, Social Security numbers, Medicaid numbers, and street addresses, among other details. Understanding how data breaches occur is key to effectively protecting data systems from infiltration. This paper will address in great detail the issue of data breaches in the healthcare industry. It will identify the statistics and trends of data breaches in the industry and the vulnerabilities that lead to these data breaches. It will address case studies of different organizations in the healthcare industry, such as insurance companies and hospitals, that have fallen victim to data breaches. The paper will discuss the impact of data breaches in healthcare with regard to healthcare providers and clients. The paper will provide a detailed explanation of the data protection laws in the US by state, as well as the main federal law about data protection in the healthcare industry, which is the Health Insurance Portability and Accountability Act (HIPAA). This paper will analyze HIPAA by identifying its components, enforcement, penalties for its violation, strengths, weaknesses, recent cases of its interpretation, and application in a business setting. This paper will also identify the role of data protection in the healthcare industry, data protection strategies, and the challenges to implementing effective data protection in healthcare organizations. A summary of all these aspects will be provided to finalize the paper.

Introduction

Over the past decade there has been a vast increase in the use of technology and tech “gadgets” in the healthcare field. With this sizable increase comes an increase in IT-related risks and problems, including ever-growing cyber threats. Over the last 15 years or so, more than 1,600 breaches in healthcare systems have been reported. These breaches have been on the rise and have gone from occurring almost entirely through human fault to resulting from actual cyber-attacks by hackers. Breaches have occurred in every aspect of healthcare, from healthcare insurance providers having their systems hacked to hospitals and clinical settings having their records stolen or held hostage.

In the past, breaches in healthcare could be attributed to the mismanagement of information by employees. It was typical to assume that if your information was compromised, it was due to an employee stealing it or losing it. Privacy in healthcare has always been a major concern ethically, legally, and morally speaking. As the world transitioned into relying more on technology and the medical community began to increase its use of technologically enhanced medical treatments and devices, healthcare entities found themselves open to new vulnerabilities from these sources. A data breach is defined by the Department of Human Services as an “impermissible use or disclosure under the privacy rule that compromises the security or privacy of the protected health information” (Secretary, 2017). The Office for Civil Rights and the U.S. Department of Health and Human Services track healthcare organizations’ data breaches that affect more than 500 patients.

The Standards & Regulations

The US is unlike other countries when it comes to data protection laws. European countries have a single data protection or privacy framework (Gaidhani, 2015). In the US, data protection law is composed of state and federal legislation that seeks to govern and control the use of data in various industries. In America, data protection laws are sometimes identified as security breach notification laws. Security breach notification laws are legal regulations that require any organization that has been subjected to a data breach to notify its customers, as well as other related parties, about the breach and to take steps to remediate the harm caused by the breach. Security breach notification laws have been enacted in the US since 2002, driven by the escalating number of consumer databases being breached to access personally identifiable information; California was the first state to enact such a law, in 2002. Security breach notification laws have been enacted by 47 states, Puerto Rico, the Virgin Islands, Guam, and the District of Columbia. Security breach laws have provisions regarding the entities that must comply, the definition of personal information, what constitutes a breach, exemptions, and the requirements for notification (National Conference of State Legislatures, 2016).

The Health Insurance Portability and Accountability Act of 1996 has been the gold standard with regard to proper protection of personal health information (PHI) and personally identifiable information (PII). It covers everything from protecting the coverage of employees and their families in the event they are fired or change jobs to establishing national standards for electronic health care. Data breaches in healthcare have become common within the last few years; such a breach is a violation of the Health Insurance Portability and Accountability Act of 1996 and the patient privacy act. Healthcare organizations and insurance companies face increased enforcement of regulatory requirements to assure patients that their personal information is secure.

The HIPAA privacy and security rules implement a set of standards to guarantee the protection and privacy of medical records. The act seeks to protect all data collected, transferred, or stored within health organizations (Wu, 2007). The act maintains a balance between the usage and protection of medical data. HIPAA requires that health organizations implement three distinct kinds of safeguards to guard and secure medical data: physical, administrative, and technical safeguards.

  • Physical safeguards identify that all covered health entities must implement physical mechanisms to protect medical information. Physical safeguards can include hiring more security officers or locking areas where electronic medical data is stored (Wu, 2007).

  • Administrative safeguards identify the need for all covered health organizations to implement measures to protect medical data, such as setting up security policies to determine the use and protection of medical information (Wu, 2007).

  • Technical safeguards are standards that all covered entities in the health environment must implement to ensure the protection of electronic medical data. The act identifies technical safeguards such as access controls, integrity controls, and transmission controls (Wu, 2007).

    The key steps to achieving data security in healthcare organizations are following policies and procedures, conducting audit trails, data classification, data protection, encryption, and disaster recovery/business continuity (Ayala, 2016).

    To increase authority and guidelines in this new arena for healthcare, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was established. The HITECH Act provides HHS with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange (Thomson, 2011). The Act is directed towards protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, it addresses entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information (Thomson, 2011).

    The types of data breaches include unauthorized access and theft of computers, laptops, and other portable electronic devices that contain identifiable patient information. Some identified prevention measures against security breaches are appropriate use of HIPAA guidance and regulations, conducting risk assessments and regular audits, using encryption and authentication methods, and the use of wireless networks (Thomson, 2011). We will discuss these in more depth when we get into mitigation.

    Almost all the breaches that have occurred could’ve been prevented. Many are the result of overly relaxed security standards and a lack of planning and training. Most if not all breaches can be credited to very lax security protocols and enforcement of security standards. The top causes of breaches are lost or stolen computers, PDAs, and mobile devices; increasing hacker attacks; and insider threats and attacks.

    This paper will address security planning, breach events, and the reactions and actions taken after the breaches, as well as the sub-details of each of the aforementioned areas. What exactly is happening, and can it be mitigated? Another critical issue is what is being done with the stolen data. Healthcare industry leaders must understand that cybersecurity is not just a technical issue but a preventative measure for immeasurable concerns. Successfully evaluating the various policies and procedures of cybersecurity in the healthcare realm requires research from various sources.

     Let’s explore three breaches and see the variety in the situations as well as the tools to mitigate and prevent them from reoccurring.

    Data Breaches in Healthcare Statistics

    The Breach Level Index (BLI) identified that in 2014 over 1.02 billion records were compromised. The total number of data records stolen in 2015 fell by 39% to 707.5 million records (Gertz & Ahuvia, 2016). The BLI therefore noted that 1.9 million records are stolen each day, 80,766 every hour, 1,346 each minute, and 22 each second (Gertz & Ahuvia, 2016). This staggering amount of compromised data shows that there is a high rate of data breaches. The most breached sector in terms of data is government agencies, followed by the healthcare industry. 19% of the total records compromised came from the healthcare industry. This 19% accounts for over 134 million records compromised (Gertz & Ahuvia, 2016). Although the healthcare industry is second in terms of data lost, it is the most breached industry, which indicates that it has more loopholes and security gaps; in 2015, 22% of the breaches, accounting for 374 million records, were from this sector (Hcs-ins.com, 2016). 38% of all healthcare data breaches resulted from unauthorized access, while theft accounted for 29% of all the breaches. These statistics therefore signify the aggressiveness of hackers in targeting healthcare organizations due to the value of individual data like Social Security numbers and Medicare numbers. Identity theft accounts for more than 50% of the data breaches (Gertz & Ahuvia, 2016).

    The Breaches

    The first breach we will explore occurred in April 2016 at Orleans Medical Clinic in Indiana. The clinic noticed unusual activity on one of its servers where patient information was stored, and that discovery raised suspicions. The clinic notified patients immediately, stating that their PHI was potentially compromised and accessed by an unauthorized person. The server was used to store electronic health records as well as demographics, but no payment information was stored on it. Following proper protocol, the clinic launched an investigation into the situation. The investigation was initially launched to determine what the attacker had done with the data: simply reviewed it, or copied it for personal gain. The investigation yielded a timeline that showed the attacker gaining access to the servers on April 5th, 2016, and inappropriate access of PHI on the 17th. However, the clinic did not receive confirmation of the individuals affected or send out notification until sometime in July. In total, the breach affected the clinic’s entire enrollment of 7,000 patients.

    According to Orleans representatives, the servers became unsecure after a recent upgrade was implemented, thus allowing the hackers to access them. In a direct statement, the clinic reassured the public: "This incident did not involve or affect the security of our patient portal in any manner, and at no point were we unable to access the information needed to provide high quality healthcare services to patients," per the notice. "Upon learning of the incident, we immediately secured the server so that this type of attack could not occur again." After the investigation, it was still unclear whether the hacker had stolen any information or just breached the system.

    From the information provided by the organization and the conclusions drawn by Orleans, it appears that this breach occurred due to possible human error with the upgrade, followed by the server being hacked or accessed by an unauthorized user. Looking at the results and the entire situation, we must ask: could this have been prevented? Absolutely. Proper mitigation such as good firewalls, using a DMZ server, and effective training could potentially prevent such mishaps. How the information was used was never discovered or revealed. To mitigate any inappropriate use of the information, 12 months of free credit monitoring with Equifax was offered.

    The next breach we will look at is at the Medical College of Wisconsin in Milwaukee. The Medical College observed unauthorized emails accessing an employee’s email account, a breach that would affect 3200 patients. They immediately opened a forensic investigation to get to the root of what had occurred. The compromised email account did not contain any financial information or SSNs, except for two patients. In the statement released regarding the breach, MCW said, "MCW is committed to safeguarding the privacy of patients' healthcare information and has taken steps to minimize the risk of a similar incident in the future, including ongoing updates to its system security and firewalls and conducting security awareness and training reminders for all workforce members on how to effectively protect private patient information." MCW is no stranger to breaches and data compromise; only a year previously it had another breach. That breach was caused when a document and laptop were stolen from a doctor’s personal vehicle, and it affected only 401 patients (Kamoun & Nicho, 2014). The organization faced multiple HIPAA violations in this breach. In both breaches, no information has been used for any purpose. Again, these are two very different events that both could potentially have been prevented with adequate measures.

    Another breach, at Saint Francis Health System, was executed using ransomware. Ransomware is malicious software designed to block access to a computer system until the terms of a ransom, which is usually monetary, have been met. Ransomware is the newest form of cyber attack, especially in healthcare, as hackers with malicious intent are realizing the value of healthcare data. In this instance the hacker requested 24 bitcoins (about $14,500 USD) in exchange for returning control over 6,000 patients’ records. Saint Francis decided not to pay the ransom, citing that payment doesn’t guarantee that the hacker will do what they agree to. The hacker only obtained patient names and addresses from the breach. In a statement, Saint Francis said: "The health system understands the importance of protecting our patients' information and deeply regrets that this occurred. Saint Francis has been working with a leading forensics firm to investigate this incident and look for ways to enhance our existing security measures." Preventable? Possibly, but as I stated in the opening, having a department dedicated to the protection of the network and her assets in a healthcare setting has until recently been viewed as a luxury and not a necessity.

    MongoDB ransomware

    The last incident I will review is the breach at Emory Health in Atlanta, GA, that potentially affected over 200,000 patients. A hacking entity using the handle “Harak1r1” exploited a misconfigured MongoDB database. The attack erases the database rather than encrypting its files, and it works against databases that have no admin password and are left online. The hacker requested 0.2 bitcoin (about $200-$220 USD) to return access to Emory and restore the entire system; to show the serious nature of the threat, the appointment database was removed and replaced with the ransom message. In total, about 79,930 of the original 200,000 patients were affected. During the investigation of this breach, Emory discovered another breach of the same database by an anonymous security research center. It is believed that the research firm penetrates systems seeking out vulnerabilities to solicit clients. One such research firm cited the discovery of poorly configured database systems that contain patient data belonging to Emory. This hack is the largest single hacking incident reported this year (Arndt, 2017).

    [Figure: screen capture of the ransom message that replaced the database (Health dive, 2017)]
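The misconfiguration described in the Emory incident above (a MongoDB instance with no authentication that is reachable from other hosts) can be checked from the server's own configuration file. The following is an added example, not part of the original essay; the sample configs, the function names and the 10.0.5.12 address are constructed for illustration, and a missing `bindIp` is assumed to mean localhost, the default from MongoDB 3.6 onwards.

```python
"""Audit a mongod.conf for a database that accepts unauthenticated
connections from other hosts. Added example; sample configs are constructed."""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: listens on every interface, no access control.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: one internal interface, access control enabled.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one internal address
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the nested 'key: value' subset of YAML used by mongod.conf.

    Supports space indentation and '#' comments; lists, anchors and
    multi-line scalars are not handled (assumption: not needed here).
    """
    root = {}
    stack = [(-1, root)]  # (indent of the key that opened the mapping, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key = key.strip()
        value = value.strip().strip("'\"")
        # Close every mapping opened at the same depth or deeper.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return auth/exposure flags and a verdict for one mongod.conf text."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})

    # Access control is off unless security.authorization is "enabled";
    # a configured security.keyFile also turns it on.
    auth_enabled = (
        str(security.get("authorization", "disabled")).lower() == "enabled"
        or bool(security.get("keyFile"))
    )

    # Reachable from other hosts if bound to anything besides loopback
    # addresses or a local Unix socket path.
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addresses = [a.strip() for a in str(net.get("bindIp", "localhost")).split(",")
                 if a.strip()]
    remote_reachable = bind_all or any(
        a not in LOOPBACK and not a.startswith("/") for a in addresses
    )

    if not auth_enabled and remote_reachable:
        verdict = "OPEN_TO_NETWORK"      # the condition behind wiped databases
    elif not auth_enabled:
        verdict = "AUTH_OFF_LOCAL_ONLY"  # one bindIp change away from exposure
    else:
        verdict = "OK"
    return {"auth_enabled": auth_enabled,
            "remote_reachable": remote_reachable,
            "verdict": verdict}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf))
```

The check reads only the configuration file; firewall rules and cloud security groups also decide whether the port is actually reachable and need to be reviewed separately.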

    All the mentioned breaches had one or several things in common. One thing that stands out is the lack of basics, which were seemingly afterthoughts in each incident. In the text for this class we learned about basic mitigation principles and techniques. More than anything, the healthcare industry must be willing to invest more in the evolution of protection from new, emergent cyber threats. Hackers know that systems in the healthcare sector are likely to be easy targets, and they are often seen as goldmines because of the types of data housed on a health organization’s servers. Mitigation begins with planning, as in having actual plans and policies in place to prevent as many openings or cracks in the systems as possible. Invoking actual consequences and penalties can also drive organizations to properly secure their systems and report incidents. This includes everything from physical safeguards, such as training and authorization for access, to network and system security. Also included in planning is conducting system assessments to understand the vulnerabilities of the system. Below is a chart of the estimated breaches per month in just the last year.

    This chart helps the organization see the trend in high vulnerability and hopefully allows for planning in accordance with the data.

    Consequences and Accountability

    The fine for a first-time infringement of the law by an individual who did not know the law can be as low as 100 dollars or as high as 50,000 dollars for a single violation. Violations of the law that are not due to willful neglect can lead to a fine of between $1,000 and $50,000. Offenses cited as willful neglect that are corrected in a timely manner carry fines of $10,000 to $50,000 (Herold & Beaver, 2014). A violation that was the result of negligence leads to a charge of $50,000 or more for one violation. The maximum penalty for a single violation can also be as high as $1.5 million in a given year.

    Mitigations

    When it comes to creating a solution-based risk analysis plan, there are many ways to go about doing so. If I were the CISO/CMIO, my plan would be outlined in five parts.

    1. Classify my assets and encrypt all my data at rest

    One commonality in these breaches was the type of information actually retrieved: no SSNs or financial information. I would have the most vital and valuable information stored on one server or set of servers with the utmost protections, including a DMZ and off-site backups. I would mandate encryption of the data on any devices that could easily grow legs and walk off, or be easily stolen if left in a compromising space: devices like organizational mobile devices, laptops, PDAs, and the like. Although there are many roadblocks to this method, I deem it vital to a successful plan of action. Data encryption is the best practice in protecting data from being accessed by third parties. Encryption of data allows health organizations to store and transmit data in a secure manner (Otalliance.org, 2016). Encryption reduces the risk associated with data breaches because attackers cannot understand the data they steal without decrypting it, which is a tedious and difficult task. Encryption improves confidentiality within health organizations, as only the authorized receiver will be able to decrypt the data (Gaidhani, 2015).

    2. Stay Informed on Threats and Exploits

    Insist on knowing what is going on and what tools, root scripts, or hacks are being used. Ask questions not just about your type of organization but about any organization that has experienced a breach. Share and receive intel, conduct research, and ensure someone is staying in front of what may become the next big exploit or vulnerability. In the Emory breach, there was a known vulnerability in MongoDB, but even with that knowledge no one stopped it or protected the system from it. This proves the importance of not just getting the information but using it as well.

    3. Conduct more frequent vulnerability assessments and penetration testing

    We know that a threat can come from anywhere, inside or outside, and is usually the exploitation of a discovered weakness. Establish a team or teams to attack the system in the exact manner a malicious actor would. The data collected from an internal asset’s attempts to get into or breach the system can help structure the security plan effectively and efficiently, because the results will tell you exactly how, when, and where the hole was and what it was (Sammes & Kizza, 2009). If feasible, I would do this monthly or bimonthly in my first year, and once the organization had a good handle on the exploits and vulnerabilities in our systems, I would move it to randomly and quarterly. As breaches grow from the once standard “stolen device or file” into actual malicious cyber threats and actors, there is no room for anyone using technology as an enhancement or standard to get complacent. Another thought is doing more than just the minimum within the requirements of the HIPAA security rule. My team would be instructed to do periodic risk analyses as well as system audits more frequently than required. Many breaches are discovered some time after the initial contact or breach has occurred, thus keeping the data exposed and vulnerable for far too long. With more reviews and repetition, it would be my goal to reduce the time between actual occurrence and resolution. I would also ensure that my team is built with the technical aspects in mind when conducting these reviews and analyses. I have personally seen in some military medicine where the auditor, and even we as enforcers, keep our audits and reviews technically limited, only showing major concern for physical security practices: verifying that the files are locked behind at least two locks, but showing little to no concern about the security of the workstation that the files are saved on and printed from.

    4. Invest in the security awareness & adequate training of the entire team.

    The greatest risk to any organization’s security is inexperience with or ignorance of security practices and the lax enforcement thereof. Almost every healthcare breach can in some way or another be linked to a root cause of complacency, because the individual(s) did not take the security courses, policies, or protocols seriously (Sammes & Kizza, 2009). Also, the people at the lowest level, who traditionally don’t work with or need to deal with secure data, should at the very least be trained to recognize it and to secure it if they come across it. I’ve found that the best way to accomplish this, and to have a warm and fuzzy that it’s working and adequately done, is scenario or situational training: randomly initiating social engineering attacks and sending out those appealing but suspicious emails. This way you see the reactions and gauge the effectiveness of your training. Normally in a healthcare setting complacency is natural, and staff are mostly concerned with the Joint Commission’s standard for information security. Even with all the EMR and EHR training and implementation, many still don’t consider the security of those items a personal responsibility of anyone who can access the records. Train everyone across the organization to recognize and report suspicious activity and, if possible, to secure unsecured data. I think the most important thing in this would be to ensure leadership rewards and recognizes those who respond correctly in training scenarios and in real time as well.

    5. Share and receive information with other organizations.

    The responsibility for security now officially extends outside the organization. The Omnibus rule legally extends compliance with HIPAA security provisions, and direct civil liability for breach, to business associates and their vendors (Secretary, 2017). Just as the intelligence and law enforcement communities share intel to better piece together a total picture of a suspect or threat, I see vast benefit in companies sharing information about their breaches with others: not only those in the same industry, but also those who have experienced trending breaches. If Company A and B were the victims of a ransomware attack by bad guy one, it is quite possible that by sharing the details with Company C and D, those organizations can recover faster if compromised or even prevent an attack. It’s the equivalent of watching game tapes from another school or team from the previous week(s) of an opponent you are gearing up to play. You can collect valuable intel and identify trends and patterns, if any; this information can direct the organization’s efforts to prevent and protect, or to recover in the event of a compromise.

    It is my personal and professional opinion that these five steps would create a substantial and successful plan of action for combating breaches and loss of data assets. The list of good practices is a vast one and will always depend on the tempo of the actual organization as. An example would be attempting to train the housekeeping crew in depth on security practices in a top-secret organization where their presence around certain data would be a significant event.  It is evident that in healthcare even garnering proper and effective security practices will follow the same path as actual healthcare itself. We “practice” medicine and often carry that mentality with us in all aspect. I am sure eventually the healthcare sector will and have in recent years grown to use better practices and more sound decision making in regards to the security of sensitive information and systems.

    I have explored and analyzed a few breaches and evaluated the various policies and procedures of cybersecurity as they relate to the healthcare industry. Understanding and implementation are imperative to successfully defeating the adversary and protecting our vital personal information. Putting the right people in the right places to do the jobs and understand all ramifications of safeguard failures is also imperative. The management of cybersecurity risk is an enormous responsibility that requires everyone in the healthcare community to be vigilant in their efforts. Data protection strategies are classified into three categories: physical safeguards, technological safeguards, and administrative safeguards. Physical safeguards, such as locking away computers and other devices that contain personal data, can protect data. Administrative safeguards include implementing policies such as data breach response plans and training programs to increase understanding of data breaches and data protection laws. Technological safeguards include the use of software such as antivirus and antispyware, data encryption, and password management strategies to protect data. The major challenges facing the implementation of effective data protection strategies include limited financial resources, increased growth of data, use of data by many people, use of outdated equipment, and the inability to control how authorized personnel use data. It is critical to safeguard data in the healthcare industry to ensure that personal data is not exploited, thus ensuring the safeguarding of patient and organization information as well as providing exceptional patient care.

    References:

    (n.d.). Retrieved February 11, 2017, from https://www.healthit.gov/policy-researchers-implementers/health-it-legislation-and-regulations

    Arndt, R. Retrieved March 5, 2017, from https://www.healthit.gov/policy-researchers-implementers/health-it-legislation-and-regulations

    Ayala, L. (2016). Cybersecurity for Hospitals and Healthcare Facilities. doi:10.1007/978-1-4842-2155-6

    Barnett, D.J., Sell, T., Lord, R.K., Terbush, J., & Burke, T. (2013). Cyber Security Threats to Public Health. World Medical & Health Policy. no. 1 (2013): 37-46. Retrieved from: http://onlinelibrary.wiley.com/doi/10.1002/wmh3.19/abstract

    Blanke, S. J. and McGrady, E. (2016), When it comes to securing patient health information from breaches, your best medicine is a dose of prevention: A cybersecurity risk assessment checklist. J of Healthcare Risk Mgmt, 36: 14–24. doi: 10.1002/jhrm.21230

    Coronado, A. J., & Wong, T. L. (2014). Healthcare Cybersecurity Risk Management: Keys To an Effective Plan. Biomedical Instrumentation & Technology, 48(S1), 26-30. doi:10.2345/0899-8205-48.s1.26

    Duplaga, M. I. D. Z. K. (2007). Information Technology Solutions for Healthcare. : Springer London. Retrieved from http://www.ebrary.com.library3.webster.edu

    DeGaspari, J. (2016). How to Measure Anything in Cybersecurity Risk, 19-34. doi:10.1002/9781119162315.ch2

    Gertz, A. & Ahuvia, M. (2016). 2015 Data Breach Statistics: The Good, the Bad and the Ugly – Gemalto blog. Gemalto blog. Retrieved 24 June 2016, from http://blog.gemalto.com/security/2016/03/03/2015-data-breaches-by-the-numbers/

    Kamoun, F., & Nicho, M. (2014). Human and Organizational Factors of Healthcare Data Breaches:. International Journal of Healthcare Information Systems and Informatics, 9(1), 42-60. doi:10.4018/ijhisi.2014010103

    Khan, I. U., & Rehman, S. U. (2016). A Review on Big Data Security and Privacy in Healthcare Applications. Big Data Management, 71-89. doi:10.1007/978-3-319-45498-6_4

    Kruse, C. S., Frederick, B., Jacobson, T., & Monticone, D. K. (2016). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 1-10. doi:10.3233/thc-161263

    Mulero, A. (2017, February 27). Charts: Must-know healthcare cybersecurity statistics. Retrieved March 4, 2017, from http://www.healthcaredive.com/news/must-know-healthcare-cybersecurity-statistics/435983/

    Otalliance.org. (2016). Security & Privacy Best Practices | Online Trust Alliance. Retrieved from: https://otalliance.org/resources/security-privacy-best-practices

    Sammes, A. J., & Kizza, J. M. (2009). A Guide to Computer Network Security. London: Springer London.

    Secretary, H. O. (2017, February 13). Enforcement Highlights – Current. Retrieved February 17, 2017, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

    Singh, H. S. D. F. (2015). SAFER Electronic Health Records. : Apple Academic Press. Retrieved from http://www.ebrary.com.library3.webster.edu

    Thomson, L. L. (2011). Data breach and encryption handbook. Chicago, IL: ABA Section of Science & Technology Law, American Bar Association.

    Wu, S. (2007). Guide to HIPAA security and the law. [Chicago]: ABA Section of Science & Technology Law.

    * This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.