The current diagnosis for healthcare cyber security is frightening. Here's our current assessment:
- One in three healthcare records were compromised in 2015 (IBM 2016).
- Healthcare is the number one industry when it comes to its records being breached (IBM 2016).
- Ransomware is on the rise, with 88 percent of attacks occurring in healthcare (Solutionary 2016).
- The price of electronic healthcare records is going down from $75-$100 to $70-$50 because of the ease of breaching this data. It's all about supply and demand. (Institute for Critical Infrastructure Technology)
Consumers
For consumers, this should be concerning on many fronts. From a privacy standpoint, such information can be sold for fraudulent pursuits (someone could attempt to get services under another person's plan), putting victims in a difficult position to resolve. Some providers are sensitive to this and are now asking for proof of a photo ID.
From a safety point of view, the data could be manipulated and offered as incorrect information to healthcare providers, which may service victims with medication that could be harmful for them. There is also the potential for tax fraud since many medical records use Social Security Numbers. Unlike credit card data, where the consumer impact is minimized because it is protected and insured money, with consumer’s healthcare data, there is little recourse for the consumer.
Providers
Equally as concerning are the consequences for providers. The global cost of a data breach per lost or stolen record in healthcare is $355, with the average across all industries at $158. While HIPAA compliance with an annual maximum penalty fee of $1.5 million can be daunting, the loss of consumers' confidence in provider services following a breach can be even more damaging. That doesn't even cover providers' liability of inadvertently or incorrectly servicing patients' health needs, which could cause long-term and/or lethal impacts. There is a good incentive for healthcare organizations to address some of the security issues from the Office Civil Rights (OCR) with Phase 2 of HIPAA audits this year and next year. What is disconcerting is the fact that IT security spending for the healthcare industry is about one-tenth of what other industries spend, according to KPMG.
The rise of the ransomware epidemic in healthcare also nourishes the sophistication of the ransomware. The first strains that attacked hospitals were Locky and TeslaCrypt. Both targeted specific content files. One of the latest samples, which goes by the name Crysis, targets all files on a computer except for the ones that allow a user to turn on the machine. It can gain login credentials and take control of a computer until the credentials are changed. Crysis will then exfiltrate data and take control of the data on the hacker’s server. As experience tells us, we can count on more sophistication in the realm of ransomware.
There has been some talk about whether ransomware is really a data breach because in most cases they simply lock it up and don't steal it. Unavailable data still comes with some serious risks, however. For healthcare, if you can’t access the information, you cannot treat or care for your patients. It disrupts your ability to serve. By the way, HIPAA recently classified ransomware as a security incident in their guidelines:
"The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule."
The biggest OMG moment in this health check up is the latest HIMMS cyber security survey of 2016. The lack of adoption for basic security controls is startling.
HIMMS Cybersecurity Survey 2016 Ok, enough of the bad news. So what can a healthcare provider do? Here's a list of recommendations:
- Make cyber security a top priority in the boardroom to investments.
- Review ransomware prevention tips.
- Implement basic security: Critical Controls.
- Build a Resilient Architecture (part 1).
Next month, Tripwire will be attending the National Health Information Sharing and Analysis Center NH-ISAC conference, where healthcare professionals come to talk and network about their cyber security efforts. NH-ISAC is a membership-based organization that offers a wide range of services to empower healthcare organizations to protect against cyber threats. Participation is highly encouraged. Please stop by Tripwire's table while you're there.
