From the April 2015 issue of HealthCare Business News magazine
Time to get serious about cyber threats
Hackers who are now targeting health care have definitely raised the bar on security threats, according to Mac McMillan, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy & Security Policy Task Force and founder and CEO of the IT security firm CynergisTek Inc. He notes that both Community Health Systems and Anthem suspect Chinese state-sponsored attackers.
What sets the latest groups apart from previous generations is that “these folks are very sophisticated, they have all the tools, have the resources, and have the motivation to do what they are doing; and they are very patient in what they are doing,” he says.
While acknowledging that these state-sponsored hacker groups have historically gone after pharmaceutical information, he notes that there is valuable information on the health care provider side, in terms of cutting-edge clinical techniques or managing information in the clinical environment. There is also the added benefit of gaining access to a treasure trove of patient information.
McMillan says the methods of gaining access have evolved from attacking networks to, once those were hardened, attacking applications and now users. “Hackers are no different than any other criminal element,” McMillan says. “They don’t want to get caught. One of the principles of not getting caught is to find the least obtrusive way into a target. What they have learned is to look at all of the social media that we now have.” He adds that they target the average user, who may be gullible, or not paying attention to what he or she is clicking on.
Like UPMC, CynergisTek has developed a mock-phishing platform for its clients, which is tailored to health care organizations. McMillan says the average hit rate is 20 to 40 percent. Of those, about 20 percent have actually filled out a form asking for their credentials. Preventing access through basic means is important. Once hackers gain access to the network, sophisticated attackers consolidate their position inside the network and begin to download software to sniff out other passwords.
One of the things that CynergisTek recommends is that all user IDs and passwords should always be encrypted when they are passed inside the network, so they are harder to get at. Also, people who have administrative privileges should have a second factor of authentication.
Yet even encryption is not a 100-percent effective answer, McMillan says. Even if a customer such as Anthem had encrypted all of its data, once a hacker gains access to the system or to an account where they could log in as a legitimate user, the system decrypts the data. That’s the level of sophistication that marks the difference in the most recent high-profile incidents, he says.