That’s according to “Hacking Hospitals,” a two-year study by Independent Security Evaluators of 12 healthcare facilities, two healthcare data facilities, two healthcare technology platforms and two medical devices.
The study concluded healthcare has two major problems when it comes to digital security: a near-exclusive focus on defending patient records, and measures that target unsophisticated adversaries and blanket attacks.
“One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data ― but our experience made us understand it is more than that,” said Daniel Nigrin, MD, CIO at Boston Children’s Hospital, which was attacked by the hacker group Anonymous in 2014. “These cyberattacks can be disruptive to the routine daily operations of a hospital. One can argue these kinds of attacks are even more significant than the breach of data because at the end of the day we are taking care of patients who are sick, and that has to be Priority No. 1.”
Recent events emphasize this point. For example, in February, hackers launched a successful ransomware attack against Hollywood Presbyterian Medical Center, holding the hospital’s data and normal operations hostage until the hospital ultimately paid the hackers 40 bitcoins (about $17,000). Others followed in rapid succession: Hackers struck Los Angeles County Department of Health, Chino Valley Medical Center and its sister site Desert Valley Medical Center, Methodist Hospital in Kentucky and MedStar Health in the nation’s capital.
Today in healthcare, provider organizations should not fool themselves: It’s not as much about preventing intrusions as it is managing intrusions, said Elliott Frantz, founder and CEO of Virtue Security, a security technology company that conducts ethical hacking to help protect clients.
And healthcare organizations, by and large, are not prepared. More than 80 percent spend less than 6 percent of their IT budgets on security, and more than 50 percent say that figure is less than 3 percent, which is alarming given the significantly higher percentages spent on security in other industries such as government (16 percent) and finance (between 12 and 15 percent), according to a recent survey of more than 100 health IT decision-makers by HIMSS Analytics and Symantec titled “Addressing Healthcare Cybersecurity Strategically.”
Nearly 75 percent of survey respondents say security ― be it a strategic plan, metrics, status or incidents ― is only brought up at board meetings some of the time or upon request, which shows the lack of strategic importance healthcare organizations give security, the study says. And cybersecurity training and education for end-users ranks very low in the survey when it comes to the amount of importance it is given by healthcare organizations.
Overall, most provider organizations have a tactical approach to security rather than a strategic approach, the study says, reacting to immediate threats rather than deploying a comprehensive strategy.
On that note, Healthcare IT News interviewed a variety of cybersecurity experts to determine the most pressing issues today. The experts pointed to five things every healthcare C-suite should understand: Ransomware attacks will get worse; whaling is a major threat; the need to educate C-suite executives on security has never been greater; application security should not be overlooked; and medical devices and the Internet of Things open an endless number of new doors that can threaten not just security but patient safety.
1. THE RANSOMWARE THREAT IS GROWING. This style of attack does not require an unusual amount of hacking skill or resources to successfully pull off. And because other industries have already gone through the wringer with hacking and subsequently invested quite heavily in security, healthcare is a sitting duck.
“Health systems have the money and they’re willing to pay it, especially if they are behind the times and do not have the technology to undo a ransomware attack,” said Erik Devine, chief security officer at Riverside HealthCare, an Illinois health system. “Ransomware attacks will continue to happen until the reward for the hacker is less than the risk and effort to do the attack. Ransomware attacks in healthcare will increase in the years to come.”
Devine said Riverside is regularly hit with minor ransomware attacks that he calls “annoyances” because they only hit files of minimal importance. He is not as concerned about ransomware as other CSOs might be because he is confident his health system is prepared.
“We have excellent backups, which are a must, and we have the right access control list, which only occasionally allows minor threats to hit minor files,” he said. “Access lists, control lists, permissions ― these are a huge step you have to make sure you assess at least once a quarter; we do so once a month. We go through all users and make sure they have appropriate permissions. And backups are huge ― without them, you’re up a creek and you end up paying to get data or control back.”
Riverside HealthCare also has invested in application white-listing, a security control that allows only software handpicked by information security staff to run within a network. That way, if ransomware is triggered and the executable it tries to launch is not on the white-list, the program cannot run, and so cannot infect the system.
“Application white-listing was a huge initiative for Riverside ― we used to do it only at the edge of the point of entry and to the LAN, but now we do it everywhere,” Devine said. “It’s been a huge success, but a huge initiative with a lot of painful steps back and forth until we got it right.”
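Application white-listing as Devine describes it comes down to one policy decision made before any program runs: is this exact executable on the approved list? The following added Python example (an illustration written for this article, not Riverside's implementation or any vendor's product) sketches that decision with an allow-list keyed on file content hashes rather than file names, so a renamed or tampered binary does not inherit approval. The sample "binaries", their names and the policy are constructed in a temporary directory so the example runs offline.

```python
"""Hash-based application allow-listing check (added illustration, not Riverside's system)."""
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Produce the allow-list: digest -> path recorded by infosec staff at approval time.
    In a real deployment this list is managed centrally and protected; here it is in-memory."""
    return {sha256_of_file(p): p for p in approved_paths}


def is_allowed(path: str, allowlist) -> bool:
    """Decide whether an executable may run. The key is the content hash, not the
    file name, so approval cannot be borrowed by renaming a dropped payload."""
    return sha256_of_file(path) in allowlist


def demo():
    """Approve one program, then test an approved, an unknown, and a tampered binary.
    All files are constructed stand-ins for real executables."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "ehr_client.exe")
        with open(approved, "wb") as fh:
            fh.write(b"MZ approved EHR client build 1.0")  # constructed approved binary
        unknown = os.path.join(d, "invoice_viewer.exe")
        with open(unknown, "wb") as fh:
            fh.write(b"MZ file that was never approved")   # constructed unapproved binary

        allowlist = build_allowlist([approved])
        results = {
            "approved": is_allowed(approved, allowlist),   # True: hash is on the list
            "unknown": is_allowed(unknown, allowlist),     # False: never approved
        }

        # Modify the approved file in place: same name and path, different content.
        with open(approved, "ab") as fh:
            fh.write(b" + injected bytes")
        results["tampered"] = is_allowed(approved, allowlist)  # False: hash no longer matches
        return results


if __name__ == "__main__":
    print(demo())  # {'approved': True, 'unknown': False, 'tampered': False}
```

The third case is the one that matters for ransomware: a legitimate program that has been altered stops matching its approved digest and is refused, which is why hash-keyed (or signature-keyed) policies are preferred over path-based ones. Devine's point about the "painful steps back and forth" is visible here too: every legitimate update to an approved program changes its hash and needs a policy update before it will run.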
Another way to combat ransomware is to ensure all systems and patches within a network are up to date.
“If you look at health IT infrastructure overall, it’s alarming how many organizations have not been refreshing systems, making patches and updating OS versions,” said Ryan Witt, vice president and managing director of the healthcare industry practice at Fortinet Inc., an information security technology vendor. “Organizations need to be much more vigilant keeping systems up to date; it is an easy step healthcare can take to better secure the environment.”
And if a system that’s running is not necessary? Turn it off.
“Technical assessments often show many unnecessary services running throughout a network,” Virtue Security’s Frantz said. “Every unnecessary service is a ticking time bomb because, in general, there are more and more vulnerabilities released in software. A healthcare organization can significantly reduce exposure simply by shutting down all of the unnecessary software and services that are running.”
2. HACKERS ARE PHISHING FOR WHALES. Phishing remains a common way for hackers to infiltrate healthcare organizations. And members of the C-suite need to understand the different forms of phishing, especially whaling, where criminals have been much more successful than Captain Ahab.
“2015 was the year of healthcare attacks, when healthcare became the prime target, and on that note, there needs to be a robust discussion of phishing,” said Karl West, CISO at Intermountain Healthcare. “The attacks that have been occurring, like at Anthem, UCLA and Hollywood Presbyterian, these are phishing attacks, and our C-suite executives must understand the different types of phishing.”
West describes three basic kinds of phishing attacks: blanket, spear-phishing and whaling. A blanket attack hits perhaps thousands of users within a network with malicious e-mails. A spear-phishing attack targets a group of individuals. Whaling, however, aims for just a few members of a C-suite ― the big fish.
“Healthcare has become better at identifying blanket phishing and a little better dealing with spear-phishing, but whaling, those are much more sophisticated attacks,” West said. “With whaling, someone is doing a kind of social engineering: Who is the CFO? Who is the CIO? Who is the CEO? It is a derivative of phishing that can produce far greater risk to an organization, and the industry is seeing quite a bit of it today.”
Whales, in fact, have greater security permissions. A chief medical officer, for instance, will have greater access to medical records, and a chief financial officer can authorize payments. If a hacker can correlate even two whales, the attacker could, for instance, make it appear that the CEO sent an e-mail to a CFO requesting a confidential transfer of funds.
“We’ve had these kinds of attacks attempted, but these e-mails are spoofed ― if you hover over the e-mail address, you can see it is not the CEO but a Gmail address or similar,” West explained. “At Anthem, that whaling campaign was all about trying to get a database administrator who had the ability to transfer large amounts of data.”
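The "hover over the e-mail address" check West describes can be automated at the mail gateway before a message ever reaches a whale. The following added Python example (an illustration written for this article, not Intermountain's tooling) inspects the From and Reply-To headers of constructed sample messages for three red flags: a display name that matches an executive while the address does not, a Reply-To that redirects replies off the organization's domain, and a look-alike sender domain a character or two away from the real one. The organization domain example-health.org, the executive directory and the sample messages are all assumptions.

```python
"""Flag executive-impersonation (whaling) senders from message headers.
Added illustration; not Intermountain's tooling. Domain and names are constructed."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"  # assumed internal mail domain

# Assumed directory: executives whose names are used as lures, with their real addresses.
EXECUTIVE_DIRECTORY = {
    "jane doe": "jane.doe@example-health.org",  # CEO
    "john roe": "john.roe@example-health.org",  # CFO
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw: str) -> list:
    """Return a list of finding strings for one RFC 5322 message; empty means no red flags."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name_l, from_addr_l = from_name.lower(), from_addr.lower()
    from_domain = _domain(from_addr_l)

    # 1. Display name claims to be an executive, but the address is not that executive's.
    for exec_name, real_addr in EXECUTIVE_DIRECTORY.items():
        if exec_name in from_name_l and from_addr_l != real_addr:
            findings.append(f"display name '{from_name}' does not match directory address; sender is {from_addr}")

    # 2. Reply-To sends the conversation to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To redirects replies to {reply_addr}")

    # 3. Sender domain is a near-miss of the organization's own domain.
    if from_domain and from_domain != ORG_DOMAIN and levenshtein(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain {from_domain} resembles {ORG_DOMAIN}")
    return findings


# Constructed sample messages; bodies are placeholders.
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example-health.org>\r\nReply-To: jane.doe@example-health.org\r\n"
             "To: john.roe@example-health.org\r\nSubject: Board agenda\r\n\r\n(constructed body)\r\n",
    "spoofed_name": "From: Jane Doe <jane.doe.ceo@gmail.com>\r\n"
                    "To: john.roe@example-health.org\r\nSubject: Quick question\r\n\r\n(constructed body)\r\n",
    "reply_to": "From: John Roe <john.roe@example-health.org>\r\nReply-To: accounts@mail-example.net\r\n"
                "To: jane.doe@example-health.org\r\nSubject: Invoice\r\n\r\n(constructed body)\r\n",
    "lookalike": "From: Jane Doe <jane.doe@example-heaIth.org>\r\n"
                 "To: john.roe@example-health.org\r\nSubject: Hello\r\n\r\n(constructed body)\r\n",
}


def scan_all():
    """Run every sample through the analyzer; returns {sample name: [findings]}."""
    return {name: analyze_headers(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or "no red flags")
```

Only the first sample comes back clean. The "lookalike" sample trips two checks at once (a capital I standing in for the l in "health", and a display name that does not match the directory address), which is the typical shape of the spoofed CEO-to-CFO message described above. A production filter would additionally consult SPF, DKIM and DMARC results on the received message; those checks are outside the scope of this header-only example.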
How has Intermountain successfully fought back the whaling attacks it has seen ping its network? That leads right into point No. 3.
3. SECURITY EXECS MUST CONSTANTLY EDUCATE THE C-SUITE. Many health IT security experts say that healthcare C-suite executives ― and board members, for that matter ― do not receive sufficient education and updates on security matters. As a result, effective security is not sufficiently prioritized.
“Attacks create fear and anxiety, and if we’re educating executives at the C-level appropriately then we can take appropriate actions as opposed to reactions,” said West of Intermountain. “After the Hollywood Presbyterian attack, I was called up to visit with our C-level within a few days to explain what we are doing. I told our C-level executives Hollywood needed good end-point protection and good anti-phishing software, and shared what we already had been doing to protect against such attacks. We have a strategy around phishing, we have an end-point protection tool, and they will protect us against ransomware.”
West sends a daily security operations center report to the C-suite, letting them know what he observed the day before and what, if anything, needs to be done about it. The daily report includes a threat level indicator. If the threat level changes, then he outlines, for example, what the chief medical officer and the chief nursing officer should be doing.
“We elevated the threat level because of the Hollywood Presbyterian ransomware attack, and since then we’ve seen six instances of that kind of ransomware attack within Intermountain ― but the hackers have not been able to penetrate. We captured and removed the threats,” West explained. “I just had a C-level executive send a message asking me to look at an e-mail. I replied, ‘You are No. 6.’”
It is the responsibility of the executive in charge of information security at a healthcare organization to help C-suite executives understand and digest technical and threat assessments, which can be quite technical, and properly prioritize security, said Devine of Riverside HealthCare.
“The chief security officer is the interpreter of the documents that say what is needed for a health system, who then translates that into an actual strategy with a vision, a budget and a three- to five-year outlook,” Devine added. “Healthcare organizations must find someone in the health system who can interpret assessments and execute a strategy ― this is key ― and then develop a relationship of trust with the C-suite.”
Devine added that if there seems to be a need for cultural change around high levels of security, then work to change the culture should happen first, and as quickly as possible, before a strategy and a vision can successfully be undertaken.
“I have explained to C-level executives and others that at the end of the day, an organization is merely an IP address, and IP addresses all look identical to hackers,” he said. “Hackers don’t care who you are or what size you are, they simply will go for the easiest target. So if you continue down a route of poor security or poor security education, it’s inevitable you will get hit.”
On the subject of educating the C-suite, David Finn, health IT officer at Symantec, points back to the results of the HIMSS Analytics/Symantec security study as clear evidence much more education is needed.
“One of the stats I got excited about, at first, because it looked so good, was a big percentage of organizations, 54 percent, that report on security to the board,” Finn said. “But when we read into the survey details and the analysis of interviews, that really only happens when the board requests it. When you start digging into organizations that routinely report on security to the board, that number drops off very quickly.”
That shows that security is not a strategic function of the board, Finn said.
“You do not go to a board meeting and not get a financial report, and most hospital boards get a quality report, but they only get a security report if they see a headline and ask,” he said. “If you really are going to make security a strategic function of an organization and show a proper level of concern, security has to be at every board meeting, and the board has to understand the risks, not just your degrees of compliance.”
4. APPLICATION SECURITY SHOULD NOT BE OVERLOOKED. Some security experts add that if healthcare organizations are really going to make security a high priority, they cannot ignore what is known as application security. Application security is the use of hardware, software and processes to prevent external threats from endangering applications.
“There is a big deficiency in healthcare with application security,” said Frantz of Virtue Security. “The knee-jerk reaction is to conclusively say, ‘Data is encrypted in transit and at rest.’ But there is the runtime state, when an application is handling data and that data has to be decrypted. That is where we find the most vulnerabilities. We see a large number of applications that expose data to unauthorized users or the general public.”
Many healthcare executives said they are not ready for application security simply because it is a more advanced level of security technology — but it is an enormous focus in the financial world, Frantz said.
“It’s definitely an area where healthcare is lacking, where healthcare executives say they’re not ready for it because there are so many bigger problems, because they’re getting phishing attacks and network attacks, all of these low-skill attacks that everyone is battling,” he said. “So a lot of organizations are not tackling application security. But it is inevitable; you cannot put it off forever.”
The fact that healthcare is lagging behind with application security actually gives the industry one big advantage: It does not have to reinvent the wheel.
“There are so many security frameworks that exist for application security; it is easier than ever to build applications that are secure,” Frantz said. “From a process standpoint, healthcare really has an opportunity to build an application security process right the first time.”
5. MEDICAL DEVICES AND THE INTERNET OF THINGS MEAN TROUBLE. The U.S. Food and Drug Administration and the MITRE Corporation are working together to foster a more collaborative approach to address the sometimes abject vulnerability of critical medical devices to cyberattack. Medical devices and the blossoming Internet of Things together are a virtual Pandora’s Box of security holes.
“MITRE is a federally funded research and development center tasked with helping us at FDA advance the medical device security vision,” said Suzanne Schwartz, MD, the FDA director of emergency preparedness, operations and medical countermeasures. “They’ll do so by evolving a medical device vulnerability ecosystem that will share relevant cybersecurity information among both government and private sector stakeholders.”
Medical devices and Internet of Things devices, such as smartwatches and web-enabled appliances, involve incredible security risks because in most cases manufacturers have not been sensitized to the issue of healthcare cybersecurity and have not embedded necessary safeguards, said Nigrin of Boston Children’s Hospital.
“Even if manufacturers of medical devices hardened their new products tomorrow, it takes a good amount of time for an organization to swap out all of its hardware with the new,” Nigrin said. “Organizations are thinking about segregation of networks for medical devices, for instance, and keeping tabs on the perimeter certainly is important. But there is no quick, easy solution to this problem; it’s pretty bad at this point.”
On the upside, Nigrin said, cybercriminals so far are not out to cause physical harm to individuals connected to medical devices; they’re just looking for financial gain or drawing attention to an issue important to them.
“Perhaps with terrorism, however, it will come to physical harm,” Nigrin added. “When it comes to criminals hacking in and fouling up an IV pump to kill someone, I don’t think we’re there yet. Though I know it’s probably just a moment away, looking at how society is these days. Hopefully the time we have before such risks become real is enough time to have the manufacturers improve their products.”
Nigrin makes an alarming point about medical devices, one that is near and dear to his heart — or, actually, his kidneys.
“I am a diabetic and I have an insulin pump,” he said. “There recently were proof-of-concept attacks on insulin pumps that were successful. Some enterprising diabetics not waiting for closed loop insulin pump devices to control the rate of insulin administration hacked up protection themselves. That is powerful and cool, but on the other hand, they should not be able to do that. That means there’s a hack people can come up with that allows for an insulin pump to be controlled by something other than the pump itself. We have to go into this brave new world with our eyes wide open.”