Hospital-acquired infections and data breaches may have vastly different causes, but they have one thing in common—they put healthcare organizations and patients at risk. The “pathogens” which cause data breaches originate both externally and internally—but practicing healthcare cyber hygiene can reduce or eliminate their “infection.”
Patient data has high value—to others. According to Verizon’s 2017 Data Breach Investigations Report, healthcare has the second highest number of breaches after financial services. PHI (protected health information) and PII (personally identifiable information) such as Social Security number, healthcare ID number, address, date of birth, and payment data can be worth millions on the ‘dark web’. In their 2017 study, IBM Security and Ponemon Institute estimated the cost of one breached healthcare record at $380, the highest among US industries. An earlier Ponemon study estimated the total annual cost of data breaches in healthcare to be $6.2 billion.
Data breaches and cyberattacks designed to gain information or dump it on the ‘dark web’ put healthcare organizations at financial and operational risk. An external cyberattack or DDoS initiated through brute force, phishing, malware that steals legitimate access credentials, or Locky/Petya-type ransomware that closes down systems can limit patient care by shutting down EHRs, patient portals, and business processes such as billing and payments. Insider breaches due to theft, equipment loss, snooping, and errors may not be as obvious, but they historically have led in the number of breach incidents. They can compromise systems and go on for years (14, in the case of Tewksbury Hospital in Massachusetts).
The financial aftermath of a breach can cost millions more in investigations, settlements, remediation, restoration, and substantial fines. Anthem paid a record $115 million to settle lawsuits over the 2015 breach of 78 million records. The Office of Civil Rights-Health & Human Services (OCR-HHS), responsible for Federal privacy and security enforcement under HIPAA, has increased its activities, recently fining a Denver FQHC $400,000 for security noncompliance. Not securing data also means difficulty in meeting quality care and national performance standards in value-based care, such as the Quality Payment Program required by MACRA and the Medicare Shared Savings Program (MSSP) for ACOs.
Protect patient data through healthcare cyber hygiene. Just as clinicians work ceaselessly to prevent hospital-acquired infections, CISOs, CIOs and healthcare IT departments must dedicate themselves to cyber hygiene—a series of best practices for protecting sensitive data. No matter what type of healthcare or related organization you work in—a large research hospital, clinic, regional medical center, insurance company, or a provider of business or clinical/CRO services—the data you work with must be protected. The five best practices that follow are a start:
1. Train employees
Technical, administrative, and clinical staff are the first line of defense in everyday cyber hygiene. They must understand the importance of practices such as never sharing passwords; securing hardware from theft; avoiding the use of default passwords and system configurations; changing passwords regularly; patching systems to remain current; learning to spot suspicious emails; and not clicking on embedded email links or attachments. Continuing education should not only ensure that best practices are followed, but also adapt its content and approach as the threat landscape changes.
2. Encrypt data
Data should be encrypted both in transit, over the network or in email, and at rest, using Transport Layer Security (TLS) 1.2 or higher and AES-256 or stronger. Encryption protects against attackers who manage to breach other defenses and against man-in-the-middle attacks, in which a malicious actor intercepts communications to gain access to sensitive data.
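As an added example (not code from the article or from Spirent), the following Go program shows the two halves of this practice using only the standard library: a stored record is sealed with AES-256-GCM, an authenticated mode, so that any modification of the stored bytes is detected on decryption, and a `tls.Config` is built that refuses any connection negotiating a protocol older than TLS 1.2. The function names `NewKey`, `EncryptRecord`, `DecryptRecord` and `NewTLSConfig`, and the sample record, are assumptions made for the example; the patient record is constructed sample data, not real PHI.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes: AES-256 is selected by the key length alone.
const keySize = 32

// NewKey returns a fresh random AES-256 key. In production the key would be
// held in a KMS or HSM and never written next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps an AES-256 key in GCM, which provides confidentiality and an
// authentication tag in one step.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals plaintext for storage. The output layout is
// nonce || ciphertext || tag; a fresh random nonce is used per record.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce already in the slice.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord opens a blob produced by EncryptRecord. A wrong key or any
// tampering with the stored bytes makes Open return an error instead of data.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored record too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// NewTLSConfig returns a configuration usable on either side of a connection
// that rejects TLS 1.0 and 1.1 handshakes outright.
func NewTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient_id":"EXAMPLE-0001","dob":"1970-01-01"}`)

	blob, err := EncryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptRecord(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, record))

	// Flip one bit of the stored record: GCM's tag check must now fail.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptRecord(key, blob)
	fmt.Println("tamper detected:", err != nil)

	fmt.Printf("TLS minimum version: %#x\n", NewTLSConfig().MinVersion)
}
```

The tamper check is the point of choosing GCM over a bare block mode: an attacker who reaches the storage layer cannot alter a record without the change being caught at read time.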
3. Back up everything
Data backups are crucial to combat aggressive ransomware attacks. The only way to return systems and devices to normal after a successful ransomware attack is to restore from a clean backup. Back up business, medical, device, email and other data on a regular schedule, and keep backups in multiple physical locations.
4. Perform regular scanning of devices and applications
Healthcare organizations must regularly scan their networks, workstations, mobile devices, and applications against known vulnerabilities. Cyberattacks can enter through an organization’s network, wireless network, applications, devices and the physical environment itself. Unlike an enterprise into which only badged personnel or approved visitors can enter, anyone can walk into a hospital. Visitors can easily hear a conversation while standing in line, look over materials sitting out in the open, and secretively plug a USB device into a wheeled nurse’s cart or another accessible device. High risk also is associated with any unsecured text, chat and email messages that the organization sends patients on their mobile devices.
5. Conduct regular threat modeling and penetration testing
Threat modeling and penetration testing exercises describe current threats and reveal how attackers can target your organization. They identify systems that can be leveraged to exploit vulnerabilities and potential entry points into networks, applications, and devices. This practice, when regularly done, helps an organization effectively address and remediate existing weaknesses.
With healthcare cyber hygiene, breaches may still happen, but disasters don’t have to. No system is perfect, equipment may be stolen from the most secure facility, and ‘black hats’ are endlessly inventive, as the WannaCry and Petya/NotPetya ransomware attacks have proven worldwide. By implementing these practices and continually upgrading their IT systems to meet potential threats, healthcare and related organizations will significantly improve their security postures without compromising services for patients and their families—and benefit themselves financially.
Saurabh Harit is a managing security consultant at Spirent Communications’ SecurityLabs unit where he is responsible for delivering penetration testing services to Spirent clients across the globe.