By John Southrey, CIC, CRM
I write regularly about cyber risks in health care. So it was no surprise when I was recently notified of a ransomware attack at a medical practice where I’m a patient. The provider’s notification letter cautioned:
“We are writing to inform you of a data security incident at _________ that may have resulted in the potential disclosure of your medical and personal information . . . Our investigation indicates that your personal information may have been impacted by the ransomware, including your name, address, date of birth, Social Security number, and medical information . . . we have taken steps to prevent a similar event from occurring in the future, including improving our network security, updating our system backups, and retraining our employees regarding suspicious emails and patient privacy and security.”
Lost or stolen health care data can be compromised for years. The data could be used for medical identity theft or the alteration of patient data, so protecting it is critical. However, for many medical practices, the extent of their cyber security is limited to updating their computer hardware and installing critical software patches.
Doing more to protect patients’ health information may be considered unnecessary (“I’m too small to be a target”) or too expensive and disruptive to the practice. So discussions about enhancing data security best practices — such as using endpoint encryption and application control along with workforce security training — may go unheeded.
So how can a practice know what their actual cyber risks and vulnerabilities are? Without a comprehensive risk assessment, they can’t. In such cases, a practice’s cyber security often becomes an idiosyncratic configuration constructed from disparate sources. And without any external assessment, there is little opportunity for an advanced understanding of the broad attack surface in health care and the need for a multi-layered security approach to combat emerging cyber threats.
The usual malware entry point is through social engineering techniques that use phishing emails designed to trick users into providing system access. Unfortunately, these types of ploys have a high success rate because the health care industry is known to be behind in cyber security and because employees are known to be the weakest link.
Attackers use a broad range of vulnerabilities and exploits. Simply installing the latest software patches to prevent exploitation is not enough. The URL (web link) filter installed on the practice’s server might block an employee from visiting a malicious site. If this layer of security fails, the practice’s system is exposed to the exploit.
Sometimes a practice’s system is not equipped to detect certain threats. More sophisticated attacks look for unknown vulnerabilities in a software program — a “zero day vulnerability” — that can go undetected before the vendor can fix it.
According to the Ponemon Institute’s research, 90% of health care organizations have experienced a data breach involving the loss or theft of patient data in the past two years. (1)
To proactively mitigate data breaches, medical practices need up-to-date policies and procedures and robust cyber security protocols. These include the ability to block exploit-based attacks and make any detectable cyber threat go through layers of protections, including a “human” firewall of trained staff who can react to social engineering ploys.
Ultimately, practices must accept cyber threats as a serious business risk and dedicate resources to mitigating them. The clinical dependency and interconnectedness in modern health care has created a digital quagmire — and regardless of how strong a practice’s cyber security defenses are — cyber criminals will always seek a way inside.
1. Ponemon Institute. Sixth annual benchmark study on privacy and security of healthcare data. May 2016.
For further reading
Office of Civil Rights. My entity just experienced a cyber-attack! What do we do now? A Quick-Response Checklist from the HHS, Office for Civil Rights (OCR). Available at https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf. Accessed June 28.
Department of Health and Human Services. Cyber attack quick response. Available at https://www.hhs.gov/sites/default/files/cyber-attack-quick-response-infographic.gif. Accessed June 28.
Health Care Industry Cybersecurity Task Force. Report on improving cybersecurity in the health care industry. June 2017. Available at https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf