Despite the aggressive efforts of government regulators, the health care industry's reputation for security hasn't been stellar. Multiple breaches are reported on a weekly basis and with health care exchanges popping up under the federal Affordable Care Act, the situation could get worse before it gets better.
One way custodians of health care data might be able to better protect patient information is by integrating "big data" security solutions into their systems. That, however, can present health care organizations with even more security challenges.
"When you look at the known number of data breaches in health care, it's staggering," said Stu Sjouwerman, CEO of KnowBe4, a security awareness training company.
Health care organizations have increasingly been targeted by hackers as more and more of their data becomes electronic. Since 2009, hospitals and medical practices have been under the gun by regulators to ditch paper for electronic records by 2015. "There's been pushback that timeframe is too ambitious for providers to properly secure their data," said Joan Walker, a senior consultant with TayganPoint, a management consulting firm.
Not only is more medical information being placed online, but those who have access to that data is also expanding. Consumers can view their medical information online and medical professionals can use electronic information for sharing and collaboration with each other. "More online sensitive data and more access to that data means more opportunities for hackers," said John Pescatore, director of emerging trends for the SANS Institute.
"Health care has always been attractive to hackers, and it's even more attractive now," added Alan Brill, senior managing director for Kroll Advisory Solutions, a risk management firm.
Part of that attraction stems from a sort of "Perfect Storm" for data predators. "The transient nature of data and the porous nature of the network leads to hackers focusing on health care," said Ed Gaudet, general manager of Imprivata's Cortext products group, maker of authentication systems for medical personnel.
Adding to a health care organization's data security problems are medical devices -- such as MRI and CAT scan machines -- that connect to its networks. "They all connect to the network, all have Internet access and all have vulnerabilities that manufacturers have not been patching, which present a whole new set of security challenges to providers," Pescatore explained.
While health care organizations have always been concerned with preserving the confidentiality of patient records from unauthorized snoops, having that information targeted for financial gain by digital bandits is relatively new to them. "They're in the business to serve and treat patients," explained TayganPoint Senior Consultant Jay Stanell. "If they have a choice between spending their money on an imaging machine that saves lives and multiple tiers of security, that's not an easy decision for them."
Those decisions will have to be made, however, because their electronic information has the same appeal to hackers that all electronic information does. "Health care is being targeted by a lot of the same kinds of attacks from anyone who's going after financial information, something that can easily be converted into credit card payments or Social Security numbers for identity theft or tax fraud," said Suzanne Widup, a senior analyst with Verizon's RISK Team.
"With all these health care exchanges coming online, that's something that I'm sure is going to get a lot of scrutiny by the bad guys," she added.
Those exchanges will be soft targets for net bandits, maintains Larry Ponemon, founder and chairman of the Ponemon Institute. "These exchanges will contain lots of facts about individuals, and those facts will be very helpful in creating false credentials and false identities," he said.
"They were a rush job and security wasn't a strong feature," Ponemon noted. "As these exchanges develop their data bases, there doesn't seem to be any extra special security effort being put into place."
Health care organizations are also being attacked from the inside. "We're seeing people being recruited from inside the organization because they have access to the data and they can feed it to bad actors on the outside," Widup said.
What's more, health care organizations of all sizes are being targeted by hackers. Dan Edwards, president of PactOne, which provides consulting services to dental and orthodontic offices with anywhere from five to 120 computers, said a common attack on those health care providers is ransomware.
In a typical ransomware attack, malware encrypts all the data on a computer. Then the computer operator is informed they must pay a ransom to receive the key to decrypt the data. "That's really not true because after you pay them, they keep the money and never give you access to your data again," Edwards said.
In those cases, an organization learns quickly the value of good storage hygiene. If an office has been diligently backing up its data, it can restore the data that's been targeted by the ransomware from those backups and continue operations with a minimum of disruption.
As cyber attacks on health care providers increase, they, as have other industries, will begin to turn to big data solutions to protect their large stores of information. "It's impossible for a human to intelligently, accurately and reliably see unusual activity regarding access to electronic health records," said Lee Kim, director of technology privacy and security solutions for the Healthcare Information and Management Systems Society, a global not-for-profit organization focused on promoting better health through information technology.
Kim explained that network traffic can be analyzed using big data tools to establish baselines for usage by individual users. "When there is an aberration in activity, a heuristic analysis can be done to identify where the aberration might be and flag it, in real time," she said.
"That way," she continued, "if there is potential criminal activity or an insider threat, a security team can head that off ASAP."
A challenge to any big data security set-up is making sure that all relevant data is being scrutinized. That's becoming increasingly problematic as more and more devices are allowed to access a health care organization's networks. "They really need to know where their data is, because if they don't, then it's going to be hard to make sure it's secure," Verizon's Widup said.
Moreover, data that's attractive to hackers can be found in more places than just patient records and medical devices connected to networks. Any point in the payment chain that contains data can be a target. For example, some cafeteria point of sale and co-pay collection systems implemented by third parties have Internet connections that can be attacked by bad actors. "We've seen breaches there," Widup said.
When deploying a big data security solution, care must be taken not to add to an organization's vulnerabilities. "Most hospitals practice security by silo," said Phil Simon, author of Too Big to Ignore: The Business Case for Big Data.
"They have their data segmented," he continued, "and as that data is brought together to build bridges between data sources, then the bridges have to be properly tested."
"We live in a world in which there are data sources all over the place," Simon said. "There's a tremendous opportunity for organizations that take advantage of that, but if they don't watch what they're doing, there can be security issues and HIPAA violations and bad PR. That's one of the reasons that many health care organizations have been reluctant to do a lot with big data."
Since many health care organizations don't have the chops to deploy a big data solution, they often must rely on third-party contractors to do so. That can lead to problems if a contractor isn't familiar with the health care regulatory landscape. "Third-party organizations that specialize in big data are very familiar with dealing with that data, and I have no doubt that the majority of them really do understand how to secure that data appropriately, but they've probably never had to do a HIPAA high tech compliance review," Kroll's Brill explained.
"This mechanism that's been developed, which is a combination of HIPAA and high tech with an overlay of all the state privacy laws, becomes incumbent upon on you to follow even though you are not a health care organizations and don't ever see a patient," Brill added.
As with many new technologies, big data's current abilities to protect a health care organization's information from digital desperadoes can be exaggerated. "Big data solving security problems is a very much over-hyped term," Pescatore of SANS said. "Big data tools are useful for finding out where you went wrong, finding the paths of an attack that succeeded, but we're not seeing big data tools prevent attacks."
Nevertheless, those tools can increase the reaction time of an organization when it is attacked. "Security analytic tools can be used to more quickly notice the signs of a potential compromise and limit the damage from an attack," Pescatore added. "Rather than find out from a customer that your system has been compromised for six months, you can see a warning that an MRI machine is talking to the Internet and it never did that before."