[BreachExchange] What keeps CIOs & CISOs up at night

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 27 18:33:51 EST 2017


http://www.healthcaredive.com/news/what-keeps-cios-cisos-up-at-night/434998/

From a cybersecurity perspective, November 2016 wasn’t a good month for the
healthcare industry. According to Protenus, there were 58 health data
breaches in November, the highest number of such events in 2016. Come to
think of it, 2016 wasn't a very good year as a whole. An average of at
least one health data breach occurred every day in 2016 affecting
27,314,647 patient records, according to Protenus. "We’d love to tell you
that by the end of the year things were starting to improve, but
unfortunately that wasn’t the case," the data protection company stated.

If these trends continue (and it looks like they may), hospital CIOs and CISOs
will certainly have their work cut out for them in 2017. As hospitals and
health systems continue to build on their cybersecurity strategy, the focus
should be on workforce training, access management, device encryption
and a willingness to follow established cybersecurity best practices. "As
healthcare providers, we owe it to patients to protect their data," Daniel
Barchi, CIO at NewYork-Presbyterian (NYP) in New York City, told Healthcare
Dive.

A quick year in review

Notable cyberattack highlights last year included Hollywood Presbyterian
Medical Center paying $17,000 to hackers making ransomware a lunchroom
topic across hospital executive offices everywhere. Banner Health won the
unfortunate award for Most Patients Affected by a Cyberattack last year by
disclosing in August an incident that compromised 3.7 million patient
records.

Preventing and managing cyberattacks has become an everyday part of the CIO's
and CISO's job as bad actors seek access to protected health
information. Still, the largest share of data breaches originates inside the
hospital. Of the 450 incidents Protenus analyzed, 192 (43%)
were an inside job, compared with 26.8% of breaches attributed to hacking
and ransomware. However, hacking and ransomware account for the larger
breaches when measured by patients affected. "For the 120 hacking incidents included in our
analyses, we had the number of records affected for 99 incidents; those 99
incidents resulted in a staggering 23,695,069 breached records, or 87% of
all patient records included in the analyses," Protenus stated.

HHS' Office for Civil Rights (OCR) in the latter half of 2016 put the
industry on the defensive: it reminded healthcare organizations to
reassess their electronic authentication methods and directed its
regional offices to increase investigations of smaller breaches. One
result of those efforts came in February, when Children's Medical
Center of Dallas was fined $3.2 million after HHS investigated
multiple breaches and determined the organization had failed to take
action to prevent such events until 2013, despite being aware of the
risks. The news underscores just how much such an event can cost an
organization: about $7 million is the average total cost of a data breach,
a June 2016 Ponemon Institute study conducted for IBM found.

Top leadership needs to be involved and invested

Cybersecurity's importance can be a hard message for hospital executives at
times because when organizations don't experience an attack, it's out of
sight, out of mind, according to Dr. Robecca Quammen, CIO at Howard
University Hospital in Washington, DC, and CEO at MyConsultQ. However,
forward-looking health organizations should be ready to react to breaches.
"It's not if you get breached, it's when," Arthur Ream III, director of
applications and CISO at Cambridge Health Alliance, a three-hospital system
in the greater Boston area, told Healthcare Dive.

One of NYP's cybersecurity strategies is first to acknowledge that the problem
matters. "We have an environment where we want to get issues on the
table" to discuss the organization's skeletons in the closet, Barchi told
Healthcare Dive, adding that top executives need to think about what
the real risks would be if some organizational secrets were revealed in
print.

Noting that healthcare has clearly been targeted over the last five years by bad
actors, David Finn, health IT officer for Symantec and former CIO and vice
president of information services for Texas Children’s Hospital, told
Healthcare Dive that one of the best prevention methods is to invest in people and
tools. "Healthcare historically hasn't invested in security."
Ream agrees: "Hospitals and health systems have yet to embrace the full
funding of a security team." To Ream, healthcare data is becoming more
valuable than credit card data because bad actors can siphon health data from
organizations and sell it piecemeal over a long period of time.

"We frequently talk about information security being an existential threat
to healthcare in general and as a result our leaders have given us the
freedom to hire people and implement the tools we need to," Barchi stated,
adding that sometimes the benefits can be seen almost immediately. For
example, a new email system was recently implemented that tags each
message with whether it came from inside ([INT]) or outside ([EXT]) the organization.
According to Barchi, the system was installed at 10 a.m. on a Friday
morning and by 11:30 a.m. the security team had identified a suspicious
message marked [INT] that was in reality an [EXT] email.
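The tagging Barchi describes only helps if the gateway decides the tag itself and refuses to trust one a sender supplies. The following is an added example of that logic, not NYP's mail system or any vendor product: it assumes the gateway already knows whether a message arrived over an authenticated internal submission path (the `from_internal_relay` flag) and that the organisation's own domains are known (`INTERNAL_DOMAINS`, a placeholder). Any sender-supplied [INT]/[EXT] prefix is stripped and replaced, and a message from outside that either carried an [INT] tag or used an internal From: domain is flagged, which is exactly the case the security team caught. The sample messages are constructed.

```python
"""Inbound mail tagging: decide [INT]/[EXT] from where a message really
came from, never from what its Subject or From: header claims.
Added example; not NYP's mail system. Assumes the gateway knows whether
the message arrived over an authenticated internal relay."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAINS = {"hospital.example"}  # assumption: the organisation's own domains
# one or more leading [INT]/[EXT] prefixes, in any case, with surrounding whitespace
TAG_RE = re.compile(r"^\s*(?:\[(?:INT|EXT)\]\s*)+", re.IGNORECASE)


def classify(msg: Message, from_internal_relay: bool) -> tuple[str, list[str]]:
    """Return (retagged_subject, flags) for one parsed message."""
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")

    claimed = TAG_RE.match(subject)       # whatever tag the sender put there
    stripped = TAG_RE.sub("", subject)    # never trust it: strip before retagging

    # Internal means both: delivered over the internal relay AND an internal From: domain.
    is_internal = from_internal_relay and from_domain in INTERNAL_DOMAINS

    if not from_internal_relay and from_domain in INTERNAL_DOMAINS:
        flags.append("spoofed-internal-domain")   # outside message pretending to be a colleague
    if claimed and "int" in claimed.group(0).lower() and not is_internal:
        flags.append("forged-int-tag")            # outside message pre-tagged as [INT]

    tag = "[INT]" if is_internal else "[EXT]"
    return f"{tag} {stripped}", flags


def process(raw: str, from_internal_relay: bool) -> tuple[str, list[str]]:
    """Parse an RFC 5322 message string and classify it."""
    return classify(message_from_string(raw), from_internal_relay)


# Constructed sample messages (not real traffic).
SAMPLE_INTERNAL = """From: Nurse Station <nurse@hospital.example>
To: charge@hospital.example
Subject: Shift change

See attached roster.
"""
SAMPLE_PHISH = """From: IT Helpdesk <it-helpdesk@hospital.example>
To: nurse@hospital.example
Subject: [INT] Password reset required

Click here to keep your account active.
"""
SAMPLE_VENDOR = """From: Sales <rep@vendor.example>
To: purchasing@hospital.example
Subject: Invoice 4471

Please find the invoice attached.
"""

if __name__ == "__main__":
    for raw, via_internal in ((SAMPLE_INTERNAL, True), (SAMPLE_PHISH, False), (SAMPLE_VENDOR, False)):
        print(process(raw, via_internal))
```

The phishing sample is the interesting one: it arrives from outside, uses an internal-looking From: address and has already been prefixed with [INT] by the attacker. The gateway retags it [EXT] and raises both flags, which is what a security team would queue for review.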

"Healthcare should not be focused on some kind of crazy or exciting threat
as much as we should be focused on basic blocking and tackling," said Jennings
Aske, vice president and CISO at NYP.

Workforce education is important

Quammen acknowledges CEOs' desire to have ubiquitous data with high
liquidity and easy access can go against cybersecurity initiatives to
protect patient data. "Pressures to succumb to convenience and ease of use
are the biggest killers of security," Quammen told Healthcare Dive.

Appropriate access levels and measures of authentication among workers are
essential efforts, according to Quammen. "Convenience can't trump
security," she stated.

In addition to locking down access (some workers may want to read a
celebrity's file, for example), cybersecurity education should be deployed
across an organization. Ream puts it a bit more bluntly: "Your employees
are your biggest risk."

Judging from the stories Healthcare Dive heard, Ream is not wrong. Finn
noted that in phishing trials he typically sees a clickthrough rate of
20% across industries, meaning one in five recipients clicked a link delivering
malware. In healthcare, the range is much broader, from 20% to 60%. "The single
highest clickthrough rate I've ever seen was a healthcare provider with 92%
of people who got the phishing email clicked on it," Finn told Healthcare
Dive.

Quammen shared a story from a previous hospital where a virus was caught
before it spread only because an employee couldn't open an infected file on
a shared folder on the network and called the help desk to ask for the
file to be opened. The help desk, fortunately, escalated it to staff who
identified the malware and isolated it.

In his experience, Finn has found that hospitals frequently rehearse hurricane or
chemical spill response plans but many lack cybersecurity
rehearsals, let alone a chief information security officer (CISO), a
role he feels should hold a position of authority and control a
budget.

Cambridge Health Alliance also runs phishing campaigns. Individuals who
click on the "bad" links are sent to an educational page to complete before
being able to return to the fun parts of the internet like cat GIFs and
Kermit the Frog memes. In addition, twice a year Cambridge Health Alliance
runs breach drills that start with the CEO and work their way down the
organization. Through this process, the organization adapts and changes its
security policies.

While there are a lot of cybersecurity technologies on the market,
"it's all about the people," Barchi said, noting that educating the workforce and
making it aware of and alert to threats will help it respond better
when those threats present themselves.

On roaming devices and log management

In 2010, you couldn't open your browser of choice without
reading about a stolen or misplaced laptop or USB drive from a healthcare
organization that resulted in x number of patients being notified that their health
data may have been compromised.

As more records move to the cloud and workers get smarter
about encrypting such devices, you see fewer of these breach notifications.
"It's still happening but pales in comparison to the more exciting
breaches," Barchi said, adding that the move to digital clinical storage has
spurred a sea change toward larger breaches caused by hacking.

Quammen notes that unencrypted laptop breaches may be down, but losses occur in
ways many administrators may not expect. For example, biomedical devices or
movable carts can come equipped with unencrypted laptops housed in
unsecured offices and clinical areas. Such laptops need to be encrypted,
tethered and secured in locked rooms, Quammen said, because patient data is
often manually keyed into them and the unprotected laptops can sometimes be walked
out the door. She described one instance where such a laptop was stolen and
reviewing billing records for specific CPT test codes was the only way
to reconstruct the list of patients who had to be notified of a
possible breach.

"Encryption requires management of all devices and maintaining currency in
an enterprise-level encryption software contract and being vigilant you
don't deploy a device without it," Quammen said. Clinical areas where
laptops ship with diagnostic testing and biomedical devices that are not
controlled by IS are exposed to a potential HIPAA breach.

On the cyberattack side, every device on the network generates activity
logs whose data can be analyzed to understand an attack,
Aske noted. "Log management is a real driver in terms of security posture,"
he said.
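Aske's point about log management, and Quammen's account of manually fighting off thousands of Zepto hits later on this page, suggest the kind of analysis a security team wants to automate: spotting a ransomware-style burst of file rewrites in file-server audit logs. The following is an added example written for this page, not code from NYP, Howard University Hospital or any product. The log line format, the workstation and user names, and the list of suspicious extensions (which includes `.zepto` because the page mentions that family) are all assumptions, and the sample log is constructed. It counts, per workstation and user, renames that give files a suspicious extension within a sliding 60-second window and raises one alert when the count crosses a threshold, while a slow trickle of the same renames stays below it.

```python
"""Sliding-window detector for ransomware-style mass renames in
file-server audit logs. Added example; the log format, names and
extension list are assumptions, and the sample data is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SUSPICIOUS_EXT = {".zepto", ".locky"}   # assumption: extensions appended by known ransomware families
WINDOW = timedelta(seconds=60)          # burst window
THRESHOLD = 20                          # suspicious renames per (host, user) inside WINDOW

# Assumed line format: "<iso-timestamp> <host> <user> <action> <src> -> <dst>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+?) -> (.+)$")


def parse_line(line: str):
    """Return (timestamp, host, user, action, src, dst) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, action, src, dst = m.groups()
    return datetime.fromisoformat(ts), host, user, action, src, dst


def detect(log_text: str) -> list[dict]:
    """Alert once per (host, user) whose suspicious renames reach THRESHOLD within WINDOW."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    windows = defaultdict(deque)   # (host, user) -> timestamps of recent suspicious renames
    alerted, alerts = set(), []
    for ts, host, user, action, _src, dst in events:
        if action != "RENAME" or PureWindowsPath(dst).suffix.lower() not in SUSPICIOUS_EXT:
            continue
        key = (host, user)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "user": user, "count": len(q),
                           "first": q[0].isoformat(), "at": ts.isoformat()})
    return alerts


def build_sample_log() -> str:
    """Constructed audit log: one burst, one slow trickle, one benign rename."""
    base = datetime(2017, 2, 24, 9, 15, 0)
    lines = []
    # 25 renames in 25 seconds from one workstation: the encryption burst
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} WS-17 jdoe RENAME \\\\fs01\\radiology\\study{i}.dcm"
                     f" -> \\\\fs01\\radiology\\study{i}.dcm.zepto")
    # same extension, but one rename every five minutes: never 20 in a window
    for i in range(25):
        ts = (base + timedelta(hours=1, minutes=5 * i)).isoformat()
        lines.append(f"{ts} WS-22 rlee RENAME \\\\fs01\\archive\\old{i}.pdf"
                     f" -> \\\\fs01\\archive\\old{i}.pdf.zepto")
    # ordinary activity
    ts = (base + timedelta(minutes=3)).isoformat()
    lines.append(f"{ts} WS-03 asmith RENAME \\\\fs01\\billing\\q4.xlsx -> \\\\fs01\\billing\\q4-final.xlsx")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The window and threshold are the tuning knobs: too small a window misses a slow encryptor, too large a window turns routine archiving into alerts. In production the same loop would be fed by the file server's audit stream rather than a string, and an alert would trigger isolation of the workstation named in it.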

What's next?

Hackers are getting faster and smarter and are learning how to get past
healthcare's walls. Healthcare IT News recently reported that 48% of successful
cyberattacks by bad actors involve malware. “The thing to realize
is that securing PHI or any type of protected information is not a one-time
task, it is an everyday task that requires staying one step ahead of the
creativity of bad actors,” Quammen said.

For example, Quammen offered a story where she and her team had to manually
thwart about 7,000 hits from a Zepto virus over a 24 hour period. "There
was a moment in time when machine learning got bored and morphed the
attacks to a different address format as the technical team was watching
its behavior," she said. "I had never experienced that before."

Ream shared that the trend toward the Internet of Things (IoT) can open up
cybersecurity threats that may not be top of mind for security officers. For
example, in smart buildings, networked water pipes that report volume
are another avenue into an organization's information systems.

He sees a trend occurring where vendors are beginning to market themselves
as one-stop security solutions to capitalize on the fact that building out
an internal security team is expensive. Solutions such as security
operation centers (SOCs) and network operation centers (NOCs) will likely
be attractive to healthcare organizations in the future.

"AI technologies incorporating forensics are growing in popularity. Right
now the best defense security officials can provide is strong protection
that focuses on the EHR," Santosh Varughese, president at Cognetyx, said.
"This only makes sense since that is where the data is stored as opposed to
protecting the network. Why guard the entire road leading to the castle
when you can keep the gold in a safe?"

One question Finn often gets is "when is ransomware going to end?" The easy
answer is "when people stop paying for it," but he also believes that in
late 2017 there will be a decline in ransomware as enough prevention best
practice information is shared and end-user staff receive training on
the attacks. Barchi told Healthcare Dive that one of the most effective ways to
reduce the impact of ransomware is outstanding storage management, including
investing in simple storage backups that keep health data from being lost
and remove the need to pay ransomware attackers. "We've been able
to take affected computers offline and move to back-ups and quickly restore
the data and keep going" using such an approach, Barchi said.

What Finn does worry about for the future of cybersecurity is attacks
moving into the cloud. If one big cloud provider is successfully attacked,
it could in theory shut down many subscribing organizations, according to
Finn, noting many small providers use cloud-based EMRs or hosted EMRs.