Consumers are more worried now about their protected health information (PHI) being compromised, thanks to high-profile breaches like Anthem and Allscripts. The recent RSA Data Privacy Report surveyed 7,500 consumers in Europe and the US. It showed that 59 percent of the respondents were concerned about their medical data being compromised. Thirty-nine percent were worried that a hacker would tamper with their medical information.
They have good reason to be concerned. Healthcare as an industry continues to be a prime target for hackers, and there is a significant risk from internal threats, too.
Why healthcare is a target for hackers
Healthcare organizations tend to have a few attributes that make them attractive targets for attackers. A key reason is the number of different systems that are not patched regularly. “Some of them are embedded systems that, due to the way the manufacturer has created them, can’t be easily patched. If the healthcare IT department were to do so, it would cause significant problems with the way the vendor can support them,” says Perry Carpenter, chief evangelist and strategy officer at KnowBe4.
The critical nature of what healthcare organizations do puts them on the radar of attackers. Health data is a valuable commodity in the cybercriminal world, and that makes it a target for theft. Because of what’s at stake—the well-being of patients—healthcare organizations are more likely to pay ransomware demands.
What follows are the five biggest healthcare security threats for the year ahead.
1. Ransomware
Of the top ten breaches in healthcare in 2017, six were ransomware attacks according to the CryptoniteNXT Health Care Cyber Research Report for 2017. The report noted that the total number of reported major ransomware attacks (those affecting more than 500 patients) increased from 19 in 2016 to 36 in 2017.
There is no reason to believe that ransomware attacks will tail off this year. “Until we harden our people and our systems sufficiently, [ransomware] will continue to prove successful and gain more momentum. The vector they will continue to use is the human that will click on something or download something,” says Carpenter.
The reason is simple: hackers believe their ransomware attacks are more likely to succeed because hospitals, medical practices, and other health organizations put lives at risk if they can’t access patient records. They will feel compelled to take immediate action and pay the ransom rather than go through a long recovery process from backups.
“Healthcare is a business, but healthcare also deals with peoples’ lives,” says Carpenter. “Anytime you have a business that intersects with the most personal and most important parts of peoples’ lives and you cause a threat to that, there is an immediate need to react. That works really well for the cybercriminal who has deployed ransomware.”
The effect of ransomware when a healthcare organization cannot recover quickly can be devastating. That point was dramatically made when electronic health record (EHR) company Allscripts shut down due to a ransomware attack in January. The attack infected two data centers and took a number of applications offline, affecting thousands of its healthcare provider customers.
2. Theft of patient data
Healthcare data can be more valuable than financial data to cybercriminals. According to the Trend Micro Cybercrime and Other Threats Faced by the Healthcare Industry report, stolen medical insurance ID cards sell for at least $1 on the dark web and medical profile prices start at $5 each.
The hacker can use the data from the ID cards and other medical data to get government documents such as driver licenses, which sell for about $170 according to the Trend Micro report. A complete farmed identity—one created from a full set of PHI and other identity data of a deceased person—can sell for $1,000. By comparison, credit card numbers sell for pennies apiece on the dark web.
“Healthcare records are worth exceedingly more than, say, credit card data because they aggregate lots of information in a single place,” says Carpenter. That includes financial information and key background data on individuals. “Everything you need for identity theft is there.”
Criminals are getting trickier about how they steal health data. Pseudo-ransomware is one example. “It’s malware that looks like ransomware, but isn’t doing all the nefarious things ransomware does,” says Carpenter. “Under the covers, it’s stealing healthcare records or moving laterally across the systems to install other spyware or malware that would then benefit the criminal at a later time.”
As the next section explains, healthcare insiders are stealing patient data, too.
3. Insider threats
According to the recently released Verizon Protected Health Information Data Breach Report, 57.5 percent of all the threat actors responsible for breaches at surveyed healthcare providers were insiders. Only 42 percent were external attackers. Financial gain is the main motivation for internal threats at 48 percent. For external attackers, financial gain was the motivation in 90 percent of the cases.
A significant portion of insider breaches are motivated by fun or curiosity, mainly accessing data outside their job responsibilities—looking up PHI on celebrities, for example. Espionage and settling grudges are also motivations. “During the course of patient stay in a health system, there are dozens of people that have access to medical records,” says Kurt Long, CEO of Fairwarning. “Because of that, healthcare providers tend to have loose access controls. The average worker has access to a lot of data because they need to get to the data quickly to care for people.”
The number of different systems in a healthcare organization is also a factor. That includes not just billing and registration, but systems dedicated to OB/GYN, oncology, diagnostics, and other clinical systems, says Long.
“Financial could be anything from the theft of patient data to use in identity theft or medical identity theft fraud schemes. That’s become a routine part of the industry,” says Long. “People are changing bills for themselves or friends and family, or [they are doing] opioid diversion or prescription diversion. They capture the prescriptions and sell them for a profit.”
“When you look at the opioid crisis overall, it’s a direct translation to the healthcare environment where healthcare workers are sitting on a goldmine of prescription opioids in the system,” says Long. “It’s the latest data point in the overall crisis of opioids. Healthcare workers recognize the value of them, and they might be addicted to them or using their access [to prescriptions] for financial gain.”
One public example of insiders profiting from stealing patient data is Memorial Healthcare Systems, Long notes. The company paid a $5.5 million HIPAA settlement last year for an insider breach where two employees accessed PHI of more than 115,000 patients.
4. Phishing
Phishing is the most popular means for attackers to gain entry to a system. It can be used to install ransomware, cryptomining scripts, spyware, or code to steal data.
Some have suggested that healthcare is more susceptible to phishing attempts, but the data shows otherwise. A study by KnowBe4 shows that healthcare is on par with most other industries in terms of being victimized by phishing. Healthcare organizations with 250 to 1,000 employees that have not received security awareness training have a 27.85 percent chance of falling victim to a phishing attempt, compared to an average of 27 percent across all industries.
“[You might think] the altruism, the immediate life and death situations could cause a psychological readiness to click on something that would make [healthcare workers] more susceptible,” says Carpenter, “but the numbers aren’t bearing that out.”
Size matters when it comes to phishing susceptibility. The average healthcare organization of 1,000 or more employees is 25.6 percent likely to be phished, according to the KnowBe4 data. “Organizations of 1,000-plus employees, we see that most of them have received a little more training and are operating at a higher level of sophistication because they’ve had to put different systems in place to comply with stringent regulations,” Carpenter says.
5. Cryptojacking
The clandestine hijacking of systems to mine cryptocurrencies is a growing problem across all industries. Systems used in healthcare are attractive targets for cryptojacking because it’s critical to keep them running. The longer the system runs, the more the criminal can make mining cryptocurrencies. “In a hospital environment, they might not rush to unplug the machines [if cryptojacking is suspected],” says Carpenter. “The longer the [infected] machines are up and running, the more it benefits the criminal.”
That’s assuming a healthcare provider can detect a cryptomining operation. Cryptomining code does not damage systems, but it consumes a great deal of computing power. The most likely way to identify it is when systems and productivity slow. Some cryptojackers will throttle their code to lessen the detection risk. Many healthcare organizations do not have the IT or security staff to identify and remediate that kind of cryptomining attack.
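The throttling point above is what makes a naive "high CPU" alarm miss a miner. As an added example (not from the article or the vendors it quotes), the heuristic below runs over constructed per-process CPU telemetry and compares a spike detector with a sustained-usage detector; the host, process and allowlist names are assumed for illustration.

```python
"""Sustained-CPU heuristic for spotting throttled cryptominers in host telemetry."""
from collections import defaultdict

# Constructed sample telemetry, not real data: (minute, host, process, cpu_percent),
# one sample every 5 minutes over two hours. "miner.bin" is throttled to ~35% to
# stay under a high-CPU alarm; "dicom_recon" is a legitimate imaging job that bursts.
SAMPLES = []
for minute in range(0, 120, 5):
    SAMPLES.append((minute, "ward-pc-07", "miner.bin", 35.0 if minute % 10 else 33.0))
    SAMPLES.append((minute, "ward-pc-07", "ehr_client.exe", 4.0))
    SAMPLES.append((minute, "pacs-srv-01", "dicom_recon", 95.0 if minute < 20 else 2.0))

# Services known to be CPU-heavy by design (assumed names), excluded from the heuristic.
EXPECTED_HEAVY = {"dicom_recon"}


def naive_high_cpu(samples, threshold=80.0):
    """Flag any (host, process) ever seen above a high threshold.

    This catches bursty legitimate jobs and misses a miner that never spikes.
    """
    return {(host, proc) for _, host, proc, cpu in samples if cpu >= threshold}


def sustained_cpu(samples, floor=20.0, min_fraction=0.9, min_samples=12):
    """Flag (host, process) pairs that sit above a modest floor for most of a long window.

    A throttled miner keeps a flat, moderate load for hours; interactive clinical
    software idles between bursts, so it rarely stays above the floor for 90% of samples.
    """
    by_proc = defaultdict(list)
    for _, host, proc, cpu in samples:
        by_proc[(host, proc)].append(cpu)

    flagged = set()
    for (host, proc), cpus in by_proc.items():
        if proc in EXPECTED_HEAVY or len(cpus) < min_samples:
            continue  # too little history, or a known heavy workload
        above = sum(1 for c in cpus if c >= floor) / len(cpus)
        if above >= min_fraction:
            flagged.add((host, proc))
    return flagged


if __name__ == "__main__":
    print("naive spike detector :", naive_high_cpu(SAMPLES))
    print("sustained detector   :", sustained_cpu(SAMPLES))
```

The sustained detector is a triage aid, not proof: a flagged process still needs the usual checks (binary provenance, outbound connections to mining pools) before it is treated as an incident.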
Tips to minimize healthcare security threats
Do a better job of patching and updating critical systems. “The fact that those old unpatched systems are out there and embedded as critical equipment causes a greater vulnerability for the ransomware strains out there,” says Carpenter. This can be difficult because the patching process might disrupt critical systems or impair a vendor’s ability to support the systems.
In some cases, no patches are available for known vulnerabilities. Carpenter recommends pressuring the vendor in cases where they haven’t or can’t patch or update systems. “Be aggressive with the vendor and ask why these systems can’t or haven’t been updated and keep the pressure on as an industry.”
Train employees. Healthcare is below average for training employees to recognize phishing attempts, according to the KnowBe4 study. Many healthcare organizations are small—fewer than 1,000 employees—and that might be a factor. “It’s not just telling them what the right thing to do is,” says Carpenter. “It’s about creating a behavioral conditional program that will train them not to click on phishing links.”
That program means sending out simulated phishing emails. Employees who click on the links should receive immediate feedback on what they did and how they can do the right thing in the future. Such programs can have a dramatic impact.
Training works, if it’s applied consistently over time. The KnowBe4 research shows that healthcare organizations of 250 to 999 employees can drop their phishing susceptibility from 27.85 percent to 1.65 percent after a year of phishing training and testing.
Be careful with information about staff. The more personalized a phishing attack, the greater chance it will succeed. In a spear phishing attack, the attacker tries to learn as much about the targeted individual as possible. “If the out-of-office replies give a name of someone to contact, [the attacker] can build trust by using those names and chains of relationships,” says Carpenter.
Beef up your ability to defend and respond to threats. “The number one thing that worries me [about healthcare security] is care providers lack the ability to appropriately investigate an incident once it’s detected, the ability to document it and assess the harm, and to adequately do sufficient forensics to cooperate with law enforcement or legal. They also lack the staff to fully remediate so that this never happens again,” says Long. His advice: “Get the right expertise on staff or through partnerships.” He adds that security needs to be a priority at the board and executive level. “The first step after having prioritized security is to make sure you have a dedicated CISO with applicable experience.”
Smaller healthcare providers might not have the resources to hire a CISO, but they still need to prioritize security, Long says. “They might have to get more creative about how they get access to top-notch security expertise. That might be through partnership or managed security services, but there’s no replacement for stepping up to the plate and saying, ‘My patients deserve security and I have to be committed to partnering or getting the right security people in here.’”