Health Care: The soft underbelly of cyber security

April 20, 2015
John DeGaspari

Has the health care industry entered the big leagues of cyber warfare?
Two major incidents over the past several months suggest that it has, serving as a wake-up call to the IT departments and C-suites of the nation’s health care organizations that are now scrambling to assess their vulnerabilities to cyber attacks.

On January 29, Anthem Inc., one of the nation’s largest health insurance companies, found itself at the center every chief information security officer’s worst nightmare: it discovered that cyber criminals infiltrated its network and stole 80 million health records, putting roughly one-fourth of the U.S. population at serious risk of identity theft.

Anthem’s incident followed on the heels of another massive breach, when Community Health Systems, one of the largest publicly traded hospital systems in the U.S. with 203 affiliated hospitals, confirmed in July that it was the target of a successful hack that bled the company of 4.5 million health records.

The sizes of these two breaches dwarf a long line of incidents that preceded them. The U.S. Health and Human Services Office of Civil Rights has documented more than 1,150 breaches each affecting at least 500 individuals between October 2009 and February of this year. The vast majority of those breaches, which have impacted provider organizations, their business associates, and health plans, typically range from thousands to tens of thousands of patient records compromised.

The question is, do these latest incidents point to a new threshold in the size and sophistication of cyber attacks? And if so, how prepared are health care organizations to counter those threats?

A new cyber-threat era dawns
Neither Anthem nor Community Health Services responded to requests for interviews. But Laura Galante, manager of threat intelligence for FireEye, a cyber security firm that has worked with both companies, says the incidents indeed represent a turning point for the health care industry.

While she declined to comment on Anthem, whose investigation is active, she notes that Community Health Systems has publicly stated that it suspects the attack originated from a hacker group in China. If that were the case, it would be a departure from state-sponsored hacker groups that historically have set their sights on pharmaceutical research, drug development and health care manufacturing.

The CHS breach points to a change in focus for state-sponsored groups, she says, because the hackers were apparently interested in getting personally identifiable information, traditionally the jewel in the eyes of cyber-criminal groups that typically operate out of Eastern Europe and are not affiliated with the state, for the purpose of monetizing information. What’s behind the latest incident in terms of motivation is still a matter of debate in the security industry. Yet she and other security experts interviewed for this article are certain of one thing: health care is less prepared than other critical industries.

One of those experts is Timothy P. Ryan, managing director of cyber security at the investigative firm Kroll, and a former supervisory special agent with the FBI who supervised the largest cyber squad in the U.S. He has seen a change in the level of sophistication of attacks in recent years. A decade ago, there was a small core of people who had the technical know-how to break into a company and move within it, he says. “Now there are more people who know how to do it, and I don’t see the methodology to detect that or respond to it has having changed as dramatically as the skill sets to carry out those attacks.”

The days in which health care organizations, particularly providers, were under the radar of sophisticated cyber criminals are over, according to Larry Ponemon, founder and chairman of the Ponemon Institute, a think tank focused on privacy and data protection practices. He says that incidents involving external attackers are on the rise, and now account for up to 25 percent of all patient data breaches.

A view from the health care trenches
John Houston is vice president of privacy and information security, and associate counsel at the University of Pittsburgh Medical Center (UPMC). As a large academic medical system with 21 affiliated hospitals, UPMC has significant resources to maintain cyber security. That includes a team of analysts that review security-related communications from its various sources on a weekly basis, and address issues that require attention. It also relies on the private sector for threat intelligence.

Despite the sophistication of today’s hackers, they often use basic tactics such as phishing emails to gain access to networks. In fact, UPMC has recently started to use what Houston describes as mock-phishing — sending emails to employees to see if they click on the link and provide personal information.

When they do, they get a message that, if this were an actual phishing email, they would have given away credentials that would have given hackers entry into the system.

He says it is important to understand that the way data is housed today has changed. Five years ago, much data were housed in the organization’s data center. Today, and increasingly in the future, data will be housed using cloud-based services. Consequently, he has to think differently about protecting his data, which exists both inside the perimeter and outside of it.

In a sense, relying on third-party vendors is more difficult, because it requires a high level of trust. In his view, this is an area where the health care industry needs to mature. “There needs to be a better way, as an industry, to ensure that those vendors are doing what they are supposed to do, that goes beyond having a business agreement.”

UPMC relies on security frameworks. It is a member of the Health Information Trust Alliance, or HITRUST, an industry organization that offers a framework that can be used to certify organizations that handle personal health and financial information.

An equally serious challenge for the industry is the question of having adequate resources to prepare against cyber threats. Health care is an environment of haves and have-nots in terms of security resources, Houston says. “Securing the environment is expensive, and the amount of money you need to spend on security isn’t necessarily directly proportional to your revenue.”

Nonetheless, it’s money that needs to be spent, he says. Identity theft is one of the chief reasons that people steal patient data, which is comprehensive and makes for an attractive target, he says. Russell P. Branzell, president and CEO of the College of Healthcare Information Management Executives, or CHIME, agrees with Houston’s assessment. “In health care, the overall threat to the value of medical identities is significant, because of what you can do with that information,” he says.

That includes the Medicare and Medicaid fraud environment, where numerous expenses are processed electronically through both commercial insurers and government insurers before a pattern of illegal activity reveals itself. He says health care is significantly less secure than other industries, in part because of “the complexity of trying to protect so much of a large automated environment, compared to a fairly small section of vulnerability in the very well-secured financial banking.”

Yet despite being behind the curve, the percentage of the operational budget spent on IT security in health care is small compared to other industries, Branzell says. He notes that in health care, cyber security spending is at best about 3 percent above the net operating budget for IT. By comparison, some big banking organizations spend in the double digits just for security, he says. Of course, banking is a different business model than health care, but he adds that health care organizations will be called on to spend more of their IT budgets on security in the future. That will put a financial strain on many institutions.

One way health care organizations can increase their cyber security readiness is through collaboration with other health care organizations, Branzell says. To that end, CHIME launched a new organization, the Association for Executives in Health Information Security, last year. The aim of the group is to help organizations defend against average threats. It serves as a platform in which instances of access by hackers can be shared among colleagues quickly.

Time to get serious about cyber threats
Hackers that are now targeting health care have definitely raised the bar on security threats, according to Mac McMillan, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy & Security Policy Task Force and founder and CEO of the IT security firm CynergisTek Inc. He notes that both Community Health Systems and Anthem suspect Chinese state-sponsored attackers.

What sets the latest groups apart from previous generations is that “these folks are very sophisticated, they have all the tools, have the resources, and have the motivation to do what they are doing; and they are very patient in what they are doing,” he says.

While acknowledging that these state-sponsored hacker groups have historically gone after pharmaceutical information, he notes that there is valuable information on the health care provider side, in terms of cutting-edge clinical techniques or managing information in the clinical environment. There is also the added benefit in gaining access to a treasure trove of patient information.

McMillan says the methods of gaining access have evolved, from attacking networks, and once they were hardened, to attacking applications and now, users. “Hackers are no different than any other criminal element,” McMillan says. “They don’t want to get caught. One of the principles of not getting caught is to find the least obtrusive way into a target. What they have learned is to look at all of the social media that we now have.” He adds that they target the average user, who may be gullible, or not paying attention to what he or she is clicking on.

Like UPMC, CynergisTek has developed a mock-phishing platform for its clients, which is tailored to health care organizations. McMillan says the average hit rate is 20 to 40 percent. Of those, about 20 percent have actually filled out a form asking for their credentials. Preventing access through basic means is important. Once hackers gain access to the network, sophisticated attackers consolidate their position inside the network and begin to download software to sniff out other passwords.

One of the things that CynergisTek recommends is that all user IDs and passwords should always be passed inside the network encrypted, so they are harder to get at. Also, people who have administrative privileges should have a second factor of authentication.

Yet even encryption is not a 100-percent effective answer, McMillan says. Even if a customer such as Anthem had encrypted all of its data, once a hacker gains access into the system or an account where they could log in as a legitimate user, it decrypts the data. That’s the level of sophistication that marks the difference in the most recent high-profile incidents, he says.

McMillan says any organization can be hacked, and many probably have been already but are just not aware of it. He says that many organizations in health care, not just smaller ones, are very susceptible to attacks by skillful and motivated hackers. “Certainly those that have not done the things they should do — and there are a lot of them that haven’t — are going to be more susceptible than others. And if they can take down an Anthem, they can take down a regional hospital that has very little security,” he says.

He adds that vulnerabilities have also increased because of the way organizations are connected. Poorly protected smaller organizations might be back doors to larger ones through health information exchange or accountable care organizations. He also draws attention to the increasing role of Big Data in health care, massive repositories of information that can be used — legitimately — for population health and other analyses. “We have to find a balance between progress in science and security and privacy. Those databases have got to be lucrative targets,” he says.

Despite the increased threat level in health care, McMillan says the bad guys don’t always win, and not everybody who makes a run at an organization is going to be a sophisticated attacker. Organizations can certainly raise their readiness to where only the very best will succeed, in his view. Even with regard to today’s super cyber criminals, there are certain things organizations can do to enhance their ability to detect an attack and to make it more difficult to steal data.

In McMillan’s view, it’s completely unfair to throw rocks at either CHS or Anthem: those organizations weren’t victims of anything that any other organization could have been subject to. The key issue, he says, is why the attackers were able to be in the environments for as long as they were without being detected.

Basic rules in the environment or a data loss prevention program should have raised a red flag before it did. Organizations need to pay attention to how they manage data, and should not allow information that should not be on a device to be there. McMillan also questions whether all 80 million records that were breached at Anthem was active information on current customers. If not, why would they still house data on people who were no longer customers?

“If Anthem had purged the information on folks they were no longer covering, it wouldn’t have been 80 million,” he says. “We have to stop holding on to information on all of these people that we no longer have a legitimate business having.” McMillan believes it is time for the executive leadership in health care to become more aware of what’s going on with regard to the threats to the data on their systems. The real issue is that hacking incidents need to be elevated to the same level as other incidents, such as disease outbreaks or disasters that are identified as crucial by risk management groups.

Even in the new world of elevated cyber threats, changing the way an organization perceives computer incidents would do a world of good for the industry in terms of making everyone aware of what the IT department has to deal with, and how serious an issue it is for the organization, he says.