Ransom, implant attack highlight need for healthcare security

Not all healthcare data breaches are equal.

They're all bad, and reaching epidemic levels. The security testing company Redspin, for one, found that Protected Health Information (PHI) breaches nearly doubled from 2010 to 2011. The Department of Health and Human Services has reported 525 breaches of 500 or more records, involving 21.4 individuals over the past three years, said Redspin president and CEO Daniel Berger.

But the raw numbers are only a piece of the story. Gienna Shaw, editor of FierceHealthIT, put it this way in a post this week: "It's not the numbers that interest me most. It's the stories behind them," she wrote. "And there are so many stories ..."

One involved the Surgeons of Lake County, a small medical practice in Libertyville, Ill. Hackers broke into the system last summer, gained access to the names, addresses, Social Security numbers, credit card numbers and some medical information on more than 7,000 patients, then encrypted all the information and demanded a ransom.

Another involved medical students creating fake identities so they could post patient information on Facebook and other social media sites. A third involved malware infecting hospital equipment.

Shaw said the Veterans Administration reported "173 incidents of security breaches of medical devices from 2009-11 that disrupted glucose monitors, canceled patient appointments and shut down sleep labs."

She also cited a 2012 report from the Government Accounting Office that said wireless implanted medical devices such as defibrillators and insulin pumps for people with diabetes were vulnerable to hacking.

No hacker with a laptop so far has delivered a fatal shock to a pacemaker patient. But just the possibility is "some serious freak-out level information," Shaw wrote.

Why, when other industries -- particularly the financial sector -- have been able to curb the frequency and damage of data breaches, have things in the healthcare industry gotten worse? Bill Ho, president of Biscom, called it partly a Willie Sutton syndrome, named for the bank robber who said he chose that profession because, "that's where the money is."


"There is a lot of good information you can use [in health data]," Ho said. "[And] not just for money but for things like social engineering."

Redspin's Berger said records often include more than Social Security and credit card numbers. They also include, "personally sensitive information such as diagnoses, treatment plans, prescription information and complete medical histories," he said.

The advantage of electronic health records is clear, but it carries risk. Adam Levin, founder of Credit.com and former director of the New Jersey Division of Consumer Affairs, wrote in a Huffington Post blog post: "To have current, accurate, and reliable data about a patient's medical history just a click away -- whether the issue is urgent or routine -- will save money, time, and, of greatest import, lives." But attacks to steal and sell personal health data or hold it for ransom are also "ultimately made possible by the digitization of medical records and the placement of those records on networks -- often unprotected ones," Levin wrote.

To make that less likely, one obvious step would be to protect the network, according to experts including Robert Hudock, a lawyer and certified "ethical hacker," who was profiled last year in FierceEMR.

Hudock's first recommendation is to keep electronic health records (EHR) on a segregated network, if at all possible. Others are to run risk assessments; conduct audits; run data loss prevention software on the perimeter server; apply all security patches to internet applications that are connected to the EHR system; make sure firewalls are installed properly and antivirus programs are operational; clearly delineate with any IT vendors who will be responsible for security patches; and make sure any medical software runs without super-user rights.

But that does not eliminate the human element. Danny Lieberman, CTO of Software Associates, said Hudock's recommendations are common best practices, but noted that "the main source by far of PHI breaches is trusted insiders in hospitals, not malware."

"Most hospital EHR systems use a flat permissions scheme, which means anyone can view a patient record. Putting an EHR on a separate network segment won't mitigate trusted insider breaches with hospitals that don't implement SOD (separation of duties), strong passwords and hierarchical access control," he said.
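To make Lieberman's point concrete, here is an added example (not code from the article or from any EHR vendor) that contrasts a flat permission scheme, where any authenticated user can view any record, with a hierarchical scheme that combines role permissions, a care-relationship check, separation of duties on emergency overrides, and an audit trail. All users, patient IDs, roles and diagnoses are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data: fictional patient IDs and diagnoses, not drawn
# from the article or any real system.
RECORDS: Dict[str, dict] = {
    "P-1001": {"name": "Patient A", "diagnosis": "type 2 diabetes"},
    "P-1002": {"name": "Patient B", "diagnosis": "arrhythmia"},
}

# Hypothetical role model: each role gets only the actions its job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read", "write", "approve_override"},
    "nurse": {"read"},
    "billing": {"read_billing"},
    "auditor": {"read_audit"},
}


@dataclass
class User:
    name: str
    role: str
    # Patients this user is currently caring for (the "care relationship").
    patients: Set[str] = field(default_factory=set)


class FlatEHR:
    """The flat scheme Lieberman describes: any authenticated user sees any record."""

    def view(self, user: User, patient_id: str) -> Optional[dict]:
        return RECORDS.get(patient_id)


class HierarchicalEHR:
    """Role permissions, plus a care-relationship check, plus separation of
    duties on emergency ("break-glass") overrides, with every decision logged."""

    def __init__(self) -> None:
        self.audit: List[dict] = []
        # requester name -> patient IDs a second person has approved for them
        self.overrides: Dict[str, Set[str]] = {}

    def _log(self, user: User, patient_id: str, action: str, allowed: bool, reason: str) -> None:
        self.audit.append({"user": user.name, "role": user.role, "patient": patient_id,
                           "action": action, "allowed": allowed, "reason": reason})

    def authorize(self, user: User, patient_id: str, action: str) -> bool:
        perms = ROLE_PERMISSIONS.get(user.role, set())
        if action not in perms:
            self._log(user, patient_id, action, False, "role lacks permission")
            return False
        # Clinical reads/writes also require a care relationship or an approved override.
        if action in ("read", "write"):
            approved = self.overrides.get(user.name, set())
            if patient_id not in user.patients and patient_id not in approved:
                self._log(user, patient_id, action, False, "no care relationship")
                return False
        self._log(user, patient_id, action, True, "ok")
        return True

    def view(self, user: User, patient_id: str) -> Optional[dict]:
        if not self.authorize(user, patient_id, "read"):
            return None
        return RECORDS.get(patient_id)

    def approve_override(self, requester: User, approver: User, patient_id: str) -> bool:
        """Separation of duties: the approver must be a different person and
        must hold a role that is allowed to approve."""
        if approver.name == requester.name:
            self._log(approver, patient_id, "approve_override", False, "self-approval blocked (SOD)")
            return False
        if "approve_override" not in ROLE_PERMISSIONS.get(approver.role, set()):
            self._log(approver, patient_id, "approve_override", False, "role may not approve")
            return False
        self.overrides.setdefault(requester.name, set()).add(patient_id)
        self._log(approver, patient_id, "approve_override", True, f"approved for {requester.name}")
        return True

    def denied_accesses(self, patient_id: str) -> List[dict]:
        """What an auditor would review: every refused access to one record."""
        return [e for e in self.audit if e["patient"] == patient_id and not e["allowed"]]


def demo() -> dict:
    """Run the same access attempts against both schemes and report the outcomes."""
    nurse = User("n.jones", "nurse", {"P-1001"})
    doc = User("dr.smith", "physician", {"P-1001", "P-1002"})
    clerk = User("b.clerk", "billing")
    flat, strict = FlatEHR(), HierarchicalEHR()
    return {
        "flat_clerk_sees_record": flat.view(clerk, "P-1002") is not None,
        "strict_clerk_sees_record": strict.view(clerk, "P-1002") is not None,
        "nurse_own_patient": strict.view(nurse, "P-1001") is not None,
        "nurse_other_patient": strict.view(nurse, "P-1002") is not None,
        "self_approval": strict.approve_override(nurse, nurse, "P-1002"),
        "physician_approval": strict.approve_override(nurse, doc, "P-1002"),
        "nurse_after_override": strict.view(nurse, "P-1002") is not None,
        "denied_entries_p1002": len(strict.denied_accesses("P-1002")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The flat scheme lets the billing clerk read a clinical record; the hierarchical one refuses it, refuses the nurse a patient she is not treating, blocks her from approving her own emergency override, and only grants access once a physician approves it, leaving three denied entries for that patient in the audit log for review.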

And even best technology practices are not an automatic fix, he said. "The sheer number and diversity of information systems and medical devices that attach to a modern hospital network create a huge threat surface and gigantic maintenance challenge for the IT security and IT operations staff," he said.

Lieberman said he believes the best protection for patients' confidential information is "a serious software security assessment of medical device products and EHR systems before they get installed."

He added that he would not be worried about hackers attacking the average patient with an implanted device. But he said it could be used as a deadly political tool.

"I would be worried about nation-states attacking heads of state who had an implanted cardiac defibrillator," he said.

Stories by Taylor Armerding