Now that cyber attacks are a routine source of data breaches in and out of healthcare, each breach represents not just a monetary loss to providers and payers but also a loss of faith in the healthcare industry by customers and patients. That reality has pushed data security far up healthcare's priority list.
Consider this: 81% of healthcare executives say their organizations have been compromised by at least one malware, botnet, or other cyber attack during the past two years, and only half say they feel adequately prepared to prevent attacks, according to a 2015 KPMG healthcare cybersecurity survey.
“The worst place we could be in is if Americans are so desensitized to the breach of the day that we begin to accept that as normal,” explains Pete Murphy, executive vice president and chief information officer at Cardinal Innovations Healthcare, a managed care organization with 720,000 enrolled members across 16 counties in North Carolina.
Murphy, who previously managed risk and infrastructure in the financial services industry at employers such as TIAA-CREF, started at Cardinal in 2011. “The breach stats in healthcare show that we are being targeted,” he says. “The healthcare security posture is behind other industries that have made these investments and have gone before us, and I think we need to catch up quickly. It’s no mystery that attackers and their methods are increasingly sophisticated.”
One such method is spear phishing, where fraudulent emails appear to originate from a known business or colleague but are, in reality, sent by criminals seeking elevated network credentials or other personal information from the targeted individual.
Once an attacker obtains such credentials, rather than immediately launching an online attack, the attacker may plant advanced persistent threats, Murphy says. “They have some characteristics that are particularly scary. They hide themselves well, either in computer memory or on disk storage. They are likely going to exist in your environment undetected, could be for years sometimes.”
If an organization had only $100 to spend on its security program, “you’d start with bringing your employee base into the problem with you,” Murphy says. “You’d work to increase their awareness of the issue and give them all a little badge and make them all deputy chief information security officers.”
Many of the breaches that occurred in 2015, such as the Anthem breach that affected nearly 80 million members, remain under investigation by the Federal Bureau of Investigation, with no guarantee that the breach cause or causes will ever be brought to light. And the next major breach could have an entirely different cause.
“Companies need to invest in technical security expertise, because the game changes constantly,” Murphy says. “We have some very good security people here that are passionate about it and have inquiring minds and really enjoy what we call threat hunting and attack hunting.”
To respond to the spear phishing threat, Cardinal began running awareness-testing exercises, sending fake phishing emails to its own employees to see whether they would click on them. Murphy says it is not an exercise that many organizations undertake. As a result of this and other measures, Cardinal's number of malware infections and actual incidents has declined. Unfortunately, "these extra measures are not yet recognized widely by everyone in the cyber risk insurance world," so some insurers do not reduce premiums for them, he adds.
Phishing as a security exercise
Other measures Cardinal has taken include increasing the strength of users’ passwords, and increasing the frequency of password expirations, Murphy says. For more sensitive use cases, such as remote access by employees who work with high-risk data, Cardinal is also requiring two-factor authentication—a password plus a biometric or other physical token.
The spear phishing threat is also top of mind for Tom Gordon, senior vice president and CIO of Virtua Health, a Marlton, New Jersey–based system with three acute care hospitals, three health and wellness centers, two ambulatory care centers, three fitness centers, primary and specialty physician practices with 287 physicians and 87 additional practitioners, as well as urgent care centers, ambulatory surgery centers, and long-term care and rehabilitation centers.
“We’ve had people give their credentials up” to attackers via phishing emails, Gordon says. “Then you have to explain to the CFO that the $10 million we spent on security, well, it’s not going to prevent any of that stuff if somebody gave out their credentials.” In response, Virtua has rolled out two-factor authentication, he says.
To run its own phishing awareness exercise, Virtua is turning to PhishMe, a commercially available service specifically offered to providers to run such exercises. Employees who fall prey during these exercises will have their accounts go on a watch list. “And if you do it a second time, well, a more critical conversation takes place,” Gordon says. “It’s not super-expensive, which is nice, and it’ll allow us to run our own internal phishing attacks. The idea is to educate people. It’ll also allow us to find out if there are people who are doing this more often than they should be.”
To bolster security education, Virtua has also brought in security expert Mac McMillan, FHIMSS, CISM, to its quarterly meeting attended by all 700 managers in the organization, to explain what phishing is and when to alert the security team or simply delete those emails.
Gordon also turns to services such as FairWarning to help explain to his CFO and other executives the importance of investing in technology solutions and necessary personnel to monitor the information such tools are gathering.
“We haven’t had a lot of pushback on the infrastructure items, like the hardening software and the encryption software and the intrusion prevention,” Gordon says. “We’ve spent millions on that stuff.”
Still, the possibility of future breaches cannot be ruled out. Fax communications persist and can be sent in error to a wrong phone number, Gordon says. Securing the Internet of Things now entering healthcare is also a concern. "We built a new hospital four years ago and a few new outpatient centers," he says. "Every one of those systems has connectivity to the outside." Given that the Target breach of 2013 began with attackers using credentials stolen from one of the retailer's heating, ventilating, and air conditioning contractors, security hardening of such building and facility systems has become a must-have.
Organizations join forces
One tangible result of the breaches of 2015 is a push for organizations to pool their threat knowledge, responses, and other resources. In December 2015, as part of the 2016 Omnibus spending package, Congress provided $31.5 million to support the National Institute of Standards and Technology's National Cybersecurity Center of Excellence, and directed the Department of Health and Human Services (HHS) to establish a task force to analyze how other industries are addressing cybersecurity.
Beyond the federal government's response, healthcare executives are joining together in other ways to meet the growing threat of breaches. In 2014, the College of Healthcare Information Management Executives (CHIME) formed the Association for Executives in Healthcare Information Security (AEHIS) to offer chief security officers and other top-ranking information security leaders the professional development and networking opportunities critical to their success.
Another collective response is coming from the Health Information Trust Alliance (HITRUST), an industry-led consortium that in summer 2015 conducted CyberRX 2.0, an exercise performed in conjunction with Deloitte Advisory Cyber Risk Services and HHS that brought together 250 individuals from 12 health plans across the United States to test their cyber incident readiness and identify areas for improvement for industrywide cyber resilience.
"You have to continuously exercise your plans," says Ray Biondo, chief information security officer at Chicago-based Health Care Service Corporation (HCSC), which serves nearly 16 million members across five states and employs nearly 23,000 people in more than 60 local offices.
HCSC was one of the participating health plans in what HITRUST described as the country's first simultaneous cyber attack simulation exercise for health plans. "At this latest exercise, I think we've taken a giant leap forward in the healthcare sector to collaborate and cooperate in this cybersecurity space," Biondo says.
As the CyberRX exercise unfolded, the HITRUST Cyber Threat Exchange (CTX) shared critical intelligence, yet participants had difficulty sharing their own threat indicators of compromise (IOCs) with the CTX and with HHS, the organization says in a summary of its findings. This validated a recent study of the HITRUST CTX, which found that while 85% of organizations use IOCs, only 5% share their IOCs with others.
As HITRUST continues its exercises and AEHIS continues its educational efforts, there is also an effort underway to improve IOC sharing via new methods of deidentifying the IOCs before they are shared through a dedicated Information Sharing and Analysis Center (ISAC), the sector-based sharing model backed by the Department of Homeland Security. Each industry vertical, including healthcare, has its own ISAC, says Murphy.
“Several of us in the healthcare industry are meeting to discuss ways to share threat information. We would like for this new leadership of the national health ISAC to become that same central clearinghouse of intelligence and threat information for healthcare,” says Murphy, who was one of the participants who set up the financial industry’s ISAC when he was working for Bank of America.
“It’s going to come down to information sharing, collaboration, and cooperation going forward for us to really thwart some of the stuff,” Biondo says. “We’re never going to stop it all, but maybe we could stop a lot of it, and that’s key.”