[BreachExchange] Cybersecurity: What 2016 taught the healthcare industry

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 20 19:49:15 EST 2016


http://www.fiercehealthcare.com/it/feature-cybersecurity-what-2016-teaching-industry

One of the biggest developments in EHRs and health IT in
2016—unfortunately—was the rise of cyberattacks. It's the unintended
consequence of ditching paper records for electronic ones, whether on
in-house systems or in the cloud. It’s easier to steal or compromise a
greater number of records at one time when they're digital. And the records
themselves are lucrative (although the price for medical records appears to
have dropped, perhaps because they’re now flooding the dark web market).

The problem has become so pervasive that the Department of Health and Human
Services' Office of the Inspector General (OIG) has included in its
workplan for 2017 its intent to investigate how well providers are
protecting EHR information.

In addition, the OIG has identified the privacy and security of electronic
information as one of HHS’ top management challenges for 2017, noting in
particular how difficult it is to protect the data due to the quick pace at
which technology is evolving, the expansion of the Internet of Things, such
as networked medical devices, and the rise of mobile health technology. The
report cited the continued weaknesses in healthcare organizations’ systems
despite the significant increase of breaches and ransomware attacks.

Here are some of the biggest cyber problems plaguing EHRs this year.

Ransomware

While ransomware has been around for years, in 2016, the sheer number of
incidents hitting the healthcare industry gave it a household name.

Some incidents have been widely reported. For instance, California’s
Hollywood Presbyterian Medical Center’s payment of 40 bitcoins (worth
$17,000 at the time) to override ransomware placed on its EHR system
garnered a lot of attention. The systems malfunction that halted operations
at Medstar Health was also determined to have been a ransomware attack.

But ransomware itself has evolved, according to government experts. While
most ransomware events are still due to phishing attacks that contain the
malware in an attachment to an email, ransomware is moving into more
targeted spear phishing, such as sending what appears to be an invoice to
the chief financial officer of an organization with a spoofed email address
that looks legit.

Criminals have become more sophisticated—you can't assume your employees
won't fall for their tricks.

Ransomware has also become more insidious, with some versions of the
malware able to infiltrate the data itself and enable the cybercriminals to
access or compromise it while encrypting it.

HHS’ Office for Civil Rights took a step toward addressing the problem in
July, releasing guidance explaining what ransomware is and offering tips to
protect patient and other data.

The guidance also clarified that ransomware usually constitutes a breach
under the Health Insurance Portability and Accountability Act (HIPAA) and
so is reportable to HHS, patients and sometimes the media, because even if
the data wasn’t accessed by the cyberattack, the provider has lost control
of it.

Hacking

Hacking by cybercriminals continues to plague providers. For example, in
March, Fort Myers-based 21st Century Oncology reported that the records of
2.2 million patients were breached due to hacking. A number of class action
lawsuits have since been filed against the cancer chain.

Athens Orthopedic Clinic in Georgia suffered a cyberattack compromising the
records of 200,000 patients in June, when the login credentials of an
outside vendor were used to access its EHR. The clinic also had to inform
its patients that it couldn't afford extended credit monitoring.

The Internet of Things

Insiders have warned for several years that networked objects, such as
smart TVs, baby monitors and medical devices were at risk of cyberattack.
This became a reality with Johnson & Johnson acknowledging this year that
one of its insulin pumps could be hacked because its communication system
was not encrypted. This announcement came on the heels of a report that
St. Jude Medical’s cardiac devices are also vulnerable to hacking, an
allegation that St. Jude has denied.

Sloppy internet use

Good old-fashioned user error continues to be a cybersecurity threat. There
have been increasing reports of entities mistakenly exposing patient
records on the internet, such as St. Joseph Health, which bought a server
to store electronic patient records not knowing that it included a file
sharing application whose default settings allowed public access to the
records. St. Joseph never checked out the server to identify or correct
this problem and this year agreed to pay $2.14 million in settlement for
the alleged HIPAA violation.

LabMD continues to fight enforcement attempts by the Federal Trade
Commission, which has claimed that the provider engaged in deceptive and
fraudulent activities in violation of the Federal Trade Commission Act. A
health insurance computer file of LabMD’s containing patient information
had been exposed on the internet on a peer-to-peer file sharing network.

Lessons learned

There are several steps that providers can take to reduce the chances that
their EHRs will be compromised. These include:

Reviewing the security of any EHR or other product before using it. If
there’s a choice between options, choose the more secure solution and get
security assurances in the vendor contract.

Training employees to recognize cyberthreats and other risks, such as what
a phishing attack looks like, and warning them to be careful about posting
data on the internet.

Backing up EHR and other data responsibly so it’s available when a provider
needs it, such as when attacked by ransomware. For example, the backup must
be kept offline so that it doesn’t also become compromised by the
ransomware, and the backup must be tested to make sure it can be restored
in an emergency.

Following the security requirements outlined in HIPAA. Conduct a security
risk analysis of vulnerabilities of electronic patient information and
address any vulnerabilities found. Encrypt data. Keep security patches up
to date.

Using access controls. For instance, access to the EHR should be limited
and audit trails should be regularly reviewed.
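The last point, regularly reviewing EHR audit trails, is where the Athens Orthopedic incident above (a vendor's credentials used to pull 200,000 records) would have shown up first. As an added example, not part of the article or of any EHR product, the script below reviews a constructed access log for three patterns a reviewer would look for: one account touching an unusually large number of distinct patients in a day, off-hours activity by roles that have no round-the-clock need, and logins from outside the clinic's network. The log format, the internal address range, the business hours and the bulk threshold are all assumptions.

```python
"""Review an EHR access audit trail for the access patterns the article
warns about: bulk record access, off-hours activity by roles that should
not need it, and credentials used from outside the clinic network.
Added example, not from the article; the log format, thresholds, role
names and network ranges are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail, one EHR access event per line:
# <ISO timestamp> <user> <role> <source IP> <action> <patient id>
SAMPLE_AUDIT_LOG = """\
2016-06-01T09:12:04 dr.lee clinician 10.0.5.21 VIEW P1001
2016-06-01T09:15:33 dr.lee clinician 10.0.5.21 UPDATE P1001
2016-06-01T10:02:10 dr.lee clinician 10.0.5.21 VIEW P1002
2016-06-01T11:47:55 nurse.ann clinician 10.0.5.33 VIEW P1003
2016-06-01T14:20:01 billing.joe billing 10.0.7.12 VIEW P1001
2016-06-01T14:21:40 billing.joe billing 10.0.7.12 VIEW P1004
2016-06-01T14:22:05 billing.joe billing 10.0.7.12 VIEW P1006
2016-06-01T14:22:31 billing.joe billing 10.0.7.12 VIEW P1007
2016-06-01T14:23:02 billing.joe billing 10.0.7.12 VIEW P1008
2016-06-01T14:23:40 billing.joe billing 10.0.7.12 VIEW P1009
2016-06-01T14:24:15 billing.joe billing 10.0.7.12 VIEW P1010
2016-06-02T02:14:09 vendor-svc vendor 203.0.113.45 EXPORT P2001
2016-06-02T02:14:10 vendor-svc vendor 203.0.113.45 EXPORT P2002
2016-06-02T02:14:11 vendor-svc vendor 203.0.113.45 EXPORT P2003
2016-06-02T02:14:12 vendor-svc vendor 203.0.113.45 EXPORT P2004
2016-06-02T02:14:13 vendor-svc vendor 203.0.113.45 EXPORT P2005
2016-06-02T02:14:14 vendor-svc vendor 203.0.113.45 EXPORT P2006
2016-06-02T08:30:00 dr.lee clinician 10.0.5.21 VIEW P1005
"""

# Assumed clinic-internal address space; any other source is "external".
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (7, 20)          # assumed local hours: start inclusive, end exclusive
BULK_THRESHOLD = 5                # assumed: distinct patients per user per day
DAYTIME_ONLY_ROLES = {"billing", "vendor"}  # assumed: no on-call need


def parse_audit_log(text):
    """Parse the whitespace-separated audit format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, ip, action, patient = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user, "role": role,
            "ip": ipaddress.ip_address(ip),
            "action": action, "patient": patient,
        })
    return events


def is_internal(ip):
    """True when the source address is inside an assumed internal range."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def review_audit_trail(events, bulk_threshold=BULK_THRESHOLD,
                       business_hours=BUSINESS_HOURS):
    """Return (rule, user, detail) findings, at most one per user per rule."""
    findings = []

    # Rule 1: one account touching many distinct patients in a single day.
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["time"].date())].add(e["patient"])
    for (user, day), patients in sorted(per_day.items()):
        if len(patients) > bulk_threshold:
            findings.append(("bulk_access", user,
                             f"{len(patients)} distinct patients on {day}"))

    # Rule 2: off-hours activity by roles that should only work business hours.
    start, end = business_hours
    off_hours = defaultdict(list)
    for e in events:
        if e["role"] in DAYTIME_ONLY_ROLES and not start <= e["time"].hour < end:
            off_hours[e["user"]].append(e["time"].isoformat())
    for user, times in sorted(off_hours.items()):
        findings.append(("off_hours", user, f"{len(times)} events, first {times[0]}"))

    # Rule 3: any account used from outside the internal network.
    external = defaultdict(set)
    for e in events:
        if not is_internal(e["ip"]):
            external[e["user"]].add(str(e["ip"]))
    for user, ips in sorted(external.items()):
        findings.append(("external_source", user, "from " + ", ".join(sorted(ips))))

    return findings


if __name__ == "__main__":
    for rule, user, detail in review_audit_trail(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{rule:16} {user:12} {detail}")
```

Run against the constructed log, the review flags billing.joe for bulk access during the day (the kind of snooping a per-day threshold catches even when nothing else looks wrong) and vendor-svc on all three rules: a bulk export, at 2 a.m., from an address outside the clinic. The thresholds are deliberately simple; in practice they would be tuned per role, and a reviewer would also confirm that the vendor account is still supposed to exist and still has only the access its contract requires.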