In our continuing discussions on topics of interest for data science, we’ll be exploring specific issues that impact research infrastructure, uses of technology, and policies on data use and sharing. The landscape on privacy and security of health information is fast moving, and relevant to harnessing the potential of data. In concert with National Cybersecurity Month, this blog post comes from Christine Sublett, a member of the Department of Health and Human Services (HHS) Healthcare Industry Cybersecurity Task Force. Here, she engages us in a perspective on how our nation’s information infrastructure is evolving to protect the integrity of health information, and the roles we’ll all play in this important facet of our responsibility to patients.

According to a recent Accenture report on the Cost of Cybercrime, healthcare is fifth on the list for the highest cost of cybercrime with an annualized cost of $12.47 million, with the financial services industry having the highest annualized cost of $18.28 million. The report also notes that while large organizations experience a higher proportion of costs related to malicious code, insiders and Denial of Service attacks, smaller organizations experience a higher proportion of costs related to phishing, social engineering, malware and stolen devices. The report also notes that organizations can recognize significant cost savings by deploying Identity and Access Governance, Security Intelligence Systems and User Behavior Analytics technologies.

Over the past 25 years, we have seen the threat landscape change and adapt. In the early days after HITECH, the security problem was lost or stolen laptops without encrypted data, or data carelessly copied to the open web. Now, attacks that exploit application, database and API vulnerabilities are increasingly the attack vectors of choice. Attack vectors enable hackers to exploit technical vulnerabilities. They also, however, exploit human vulnerabilities through social engineering (phishing and spear phishing). Today we need to focus on threat vectors rather than specific attacks.

With alarming regularity new data breaches are identified, and frequently these breaches involve our healthcare data. While most of us have heard of large-scale data breaches such as the one that happened at Anthem in 2015, smaller healthcare breaches frequently are undiscovered or under-reported. In healthcare, security can be a patient safety issue and should be treated as an enterprise-wide risk management issue, rather than just an IT issue.

Healthcare has a unique culture; sharing and openness is critical to support its mission of saving lives, but also presents security and privacy issues. The question of security spending is often presented as an issue between ‘spending money on security or spending money on a new MRI machine.’  However, it is short-sighted to assume these are mutually exclusive; making better choices about the hardware and software we do procure can help meet both patient care and security requirements.

Health care data is one of the rare types of personal data that one cannot change and has value that may increase over time. This difference in value is reflected in the price for medical records (vs. credit card or other financial data) available for sale on the dark web. The theft of healthcare data can result in potential for:

In addition, health care data may be used for a variety of evil and illegal purposes including:

  • Identity theft
  • Theft and sale of intellectual property or proprietary information
  • Disruption of healthcare delivery and patient care

Healthcare organizations are often targeted because they are viewed as easy marks due to inadequate cybersecurity. This is widely discussed in public and proven repeatedly by the increasing number of breaches reported as caused by hacking and ransomware, rather than by a stolen or lost laptop. Organizations such as small provider organizations or practices often have inadequate security resources (personnel and budget) to protect against today’s threats. Even large hospitals, however, are not immune to the challenges of adequately securing their healthcare data. Nearly 90% of healthcare organizations have suffered from a breach. Given the interconnectedness of our healthcare organizations, small entities pose a significant security risk for larger organizations. As small organizations are compromised by malware, ransomware, or other digital threats, larger organizations can be laterally compromised.

Ransomware continues to be a significant issue in healthcare (as well as other industries). Since 2016, numerous healthcare organizations have been victims of ransomware attacks. While computers are at risk of ransomware attacks, the risk of ransomware and other vulnerabilities extends far beyond computers to include medical devices, the Internet of Things (IoT) and other network-connected devices. Several healthcare organizations including Hollywood Presbyterian and MedStar Health have fallen victim to these attacks, impacting their ability to deliver patient care.

Human error or action is often the cause of a breach or security incident. While companies may purchase security detection and defense technologies, they also need to invest in employee education programs. Phishing education and simulation activities teach end users how to identify these types of attempts and protect the workforce. Incident tabletop exercises simulate cyber threat scenarios and educate workforce and incident response team members, as well as present learning opportunities before a real event.

Earlier this month, Lucia Savage, Chief Regulatory and Privacy Officer at Omada Health, and I spoke at the Privacy + Security Forum in Washington, DC. Our talk, Point/Counterpoint: Regulatory and Industry Perspectives on Improving Security in Healthcare, addressed countervailing positions on how to improve security. However, we quickly discovered that we agreed on the necessary approaches more often than not. A key point from our discussion was focusing on the right level of security for healthcare entities, while ensuring that we do not make it overly complicated for patients to access their health records. We also discussed the challenges faced by health delivery organizations in hiring security personnel, handling security incidents, and sharing and using threat intelligence.

These significant issues were also identified by the Department of Health and Human Services (HHS) Healthcare Industry Cybersecurity (HCIC) Task Force, of which I was a member. The Task Force was a collaboration of leaders in the public and private sectors brought together to address cybersecurity issues in healthcare, and represented hospitals, patient advocates, payers, health tech, security researchers, laboratories, pharma and security vendors.

The creation of the Task Force was outlined in the Cybersecurity Information Sharing Act of 2015, which required members to examine best practices for organizations to keep data and connected medical devices secure. The Task Force delivered their report to Congress in June 2017. The report noted that “over the last year we saw vulnerabilities in medical devices released in order to manipulate the stock market, an explosion of ransomware taking entire hospitals offline at NHS and impacting delivery of care and access to information in the US, and countless other breaches.”

The HCIC Task Force report listed six imperatives and each contained multiple recommendations and associated action items for implementation:

  • Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  • Increase the security and resilience of medical devices and health IT.
  • Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  • Increase health care industry readiness through improved cybersecurity awareness and education.
  • Identify mechanisms to protect research and development efforts, as well as intellectual property, from attacks or exposure.
  • Improve information sharing of industry threats, weaknesses, and mitigations.

As noted in the Task Force report, there are still significant foundational security issues to be addressed in healthcare. Many healthcare organizations still lack comprehensive access control, authentication, change management and secure development lifecycle (SDLC) programs. Further, medical device vulnerabilities don’t just lead to device compromise; they often allow an attacker to pivot to other systems in the environment.

The healthcare industry faces profound cybersecurity workforce challenges, and none more so than among small and rural organizations. Lack of qualified security personnel in healthcare is an issue, at both technical and executive levels. The majority of healthcare services in the US are delivered by practices with 9 or fewer people, and these small organizations frequently lack qualified security personnel. Truly this is a call to arms to all cybersecurity practitioners. What can you do to help? Volunteer at your local hospital, medical practice, or doctor’s office. Band together with other small healthcare organizations to share security best practices and to leverage shared services. Implement workforce development plans to bridge the gap between workforce competencies and present/future needs.

The Department of Homeland Security (DHS) operates the National Cybersecurity and Communications Integration Center (NCCIC), a 24x7 cyber situational awareness, incident response, and management center of cyber and communications integration for law enforcement, the intelligence community and the US Federal government. HHS recently created the Healthcare Cybersecurity and Communications Integration Center, which utilizes threat intelligence and other real-time data to distribute warnings and coordinate a response amongst private and public healthcare entities. During the recent WannaCry attack, the HCCIC coordinated the response for healthcare. The HCCIC augments the NCCIC, and is not a duplicate agency, but rather, a healthcare-specific coordination between the NCCIC and the Healthcare-Public Health (HPH) sector.

The HCCIC has partnered with the National Health Information Sharing and Analysis Center (NH-ISAC), and coordinates and collaborates with ISACs and Information Sharing and Analysis Organizations (ISAOs). Information sharing, including threat intelligence and Indicators of Compromise (IoCs), is a critical function of the NH-ISAC. The NH-ISAC provides a community focused on sharing timely, relevant and actionable information with each other including threat intelligence, incidents and vulnerabilities that can include indicators of compromise, threat actor tactics, techniques and procedures (TTPs), best practices, mitigation strategies, and advice.

Many organizations, and not just smaller organizations without dedicated security resources, do not have the capability or expertise to develop their own threat intelligence. However, some of these organizations may be able to ingest and use threat intelligence if they have access to it. The NH-ISAC makes available threat intelligence in standard formats for utilization by members.
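As an added illustration of the ingestion step described above (this is not code from the post, from NH-ISAC, or from any ISAC feed), the following Python loads a constructed STIX 2.1-style indicator bundle, which is assumed here to be the kind of "standard format" a sharing community distributes, keeps only the indicators that are still inside their validity window, and checks them against a few constructed proxy and DNS log lines. All indicator values, object ids, hostnames and log lines are constructed for the example (documentation-range addresses and reserved names), and only simple single-comparison STIX patterns are handled; anything more complex would need a real STIX pattern engine.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: a STIX 2.1-style bundle of the shape an ISAC feed might deliver.
# Values are documentation-range addresses and reserved names, not real indicators.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "constructed: ransomware command-and-control address",
            "pattern": "[ipv4-addr:value = '203.0.113.45']",
            "pattern_type": "stix",
            "valid_from": "2017-10-01T00:00:00Z",
            "valid_until": "2018-10-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "constructed: phishing landing domain",
            "pattern": "[domain-name:value = 'login-portal.example']",
            "pattern_type": "stix",
            "valid_from": "2017-10-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "name": "constructed: indicator that has already expired",
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "pattern_type": "stix",
            "valid_from": "2016-01-01T00:00:00Z",
            "valid_until": "2016-06-01T00:00:00Z",
        },
        # Non-indicator objects (malware, reports, ...) are skipped by the parser.
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "constructed malware family"},
    ],
})

# Constructed log lines: timestamp, source host, log source, event detail.
SAMPLE_LOGS = """\
2017-10-12T08:01:10Z ws-017 dns query login-portal.example
2017-10-12T08:01:11Z ws-017 proxy CONNECT 203.0.113.45:443
2017-10-12T08:02:00Z ws-022 dns query updates.example
2017-10-12T08:02:03Z ws-022 proxy CONNECT 198.51.100.7:443
"""

# Only simple single-comparison patterns on these two observable types are supported.
_PATTERN_RE = re.compile(
    r"^\[(?P<type>ipv4-addr|domain-name):value\s*=\s*'(?P<value>[^']+)'\]$"
)


def _ts(stamp):
    """Parse the UTC timestamp form used in STIX objects and in the sample logs."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_indicators(bundle_json, now):
    """Return {observable_value: indicator_id} for indicators valid at `now`."""
    bundle = json.loads(bundle_json)
    watchlist = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _PATTERN_RE.match(obj["pattern"])
        if not m:
            continue  # compound or unsupported pattern: skipped rather than mis-evaluated
        valid_from = _ts(obj["valid_from"])
        valid_until = _ts(obj["valid_until"]) if "valid_until" in obj else None
        if now < valid_from or (valid_until is not None and now >= valid_until):
            continue  # outside the validity window: stale indicators only cause noise
        watchlist[m.group("value").lower()] = obj["id"]
    return watchlist


_TOKEN_RE = re.compile(r"[A-Za-z0-9.\-:]+")


def match_logs(log_text, watchlist):
    """Return (source_host, matched_value, indicator_id) for each log line hit."""
    matches = []
    for line in log_text.splitlines():
        for token in _TOKEN_RE.findall(line):
            candidates = {token.lower()}
            host, sep, port = token.rpartition(":")
            if sep and port.isdigit():
                candidates.add(host.lower())  # strip a trailing :port
            for c in candidates:
                if c in watchlist:
                    matches.append((line.split()[1], c, watchlist[c]))
    return matches


def run_demo(now_iso="2017-10-12T08:00:00Z"):
    """Evaluate the sample feed at `now_iso` and sweep the sample logs with it."""
    watchlist = parse_indicators(SAMPLE_BUNDLE, _ts(now_iso))
    return match_logs(SAMPLE_LOGS, watchlist)


if __name__ == "__main__":
    for host, value, indicator_id in run_demo():
        print(f"{host} contacted {value} ({indicator_id})")
```

The validity check matters as much as the match itself: a feed that is ingested once and never pruned keeps alerting on expired indicators, which is one reason organizations without the expertise to curate intelligence find raw feeds hard to use.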

An additional member benefit of joining the NH-ISAC is the ability to participate in the CYBERFIT program. CYBERFIT is a group of security services offered to members aimed at reducing cybersecurity risks within the HPH sector. CYBERFIT provides the capability for organizations to determine their risk tolerance regarding internal and external vendor risk. Additionally, members can choose to purchase enhanced managed security services at lower rates, since the NH-ISAC has negotiated volume pricing, which can be particularly helpful to smaller organizations.

In addition, the Task Force report also recommended pursuing solutions designed to protect healthcare big data sets. These data sets can present a series of challenges due to the volume of patient data. Many types of entities manage these big data solutions, including government bodies, non-profits, and academic health care institutions. Specific recommendations include performance of thorough risk assessments and implementation of preventative security controls, such as continuous monitoring programs.

Finally, how do we know if we’re spending money mitigating the right risks in our enterprise? It is not possible for any organization to completely protect against all threats. Each organization needs to evaluate risk and its security needs in the context of its organizational and business requirements to determine where it makes the most sense to invest its people, time and financial resources.