Healthcare Hacker Attacks: The ImpactSecurity Experts Offer a Call to Action
The recent string of major hacker attacks in the healthcare sector, including the cyber-attack on UCLA Health, calls attention to the urgent need for organizations to step up their security programs.
Security experts say healthcare organizations need to carefully reassess their risks and then take appropriate security measures, which, in many cases, will include implementing multifactor authentication; improving breach monitoring and detection; and ramping up staff security education, among other steps.
The sophistication of cyber-attackers is making defending against threats in the healthcare sector more challenging, says John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston.
"Five years ago, external attacks on healthcare were most often from single actors or curious students. Today they are from organized crime, state-sponsored cyberterrorism and hacktivism," he says.
Healthcare is becoming a bigger target for hackers and other cybercriminals for three main reasons, Halamka contends. "One, healthcare has traditionally under-invested in IT compared to other industries, leaving it more vulnerable. Two, healthcare tends to aggregate a large amount of personally identified information in one place, making it easy to breach a large number of records in a single attack. Three, medical identity theft - fraudulently receiving healthcare services - can be more profitable than financial identity theft."
Even some well-meaning healthcare organizations are also realizing that the diligent efforts they've been putting into information security aren't enough, notes privacy and security attorney Kirk Nahra, a partner at the law firm Wiley Rein.
"Many healthcare industry organizations thought they had pretty good information security. But these attacks have been eye-opening to many companies, that 'we really need to beef up' in terms of protection against these external risks," he says.
Christopher Paidhrin, who recently became information security manager for the city of Portland, Ore., after 15 years as an information security leader at West Coast healthcare provider PeaceHealth, offers a similar assessment. "If CISOs are not now assessing their cybersecurity posture - and exposure - they soon will," he says.
"The scope of vulnerabilities is increasing, and the 'defensive' security program model is failing to meet the challenge of the threats," he says. "Surveys over the past few years indicate that more than 90 percent of organizations sampled have already been hacked. That is a startling number that requires a national emergency-level response."
The attacks on the healthcare sector will only worsen, Paidhrin predicts. "Cybercriminals are motivated by money, easy money. Healthcare offers one of the greatest return on investment efforts with the lowest level of detection and risk. Medical information is data rich, and durable. Credit card data lasts for a month or two, before a bank disables an account. Health information is much more durable, with much of it unchangeable for the life of the affected individual."
UCLA Health Breach
In the latest headline-grabbing hack attack in the healthcare sector, UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been impacted by a cyber-attack that is thought to have begun last September and is "believed to be the work of criminal hackers." UCLA Health says it is working with FBI investigators and has also hired private computer forensic experts to further secure information on network servers.
"In today's information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack," the organization said. "UCLA Health identifies and blocks millions of known hacker attempts each year."
As for who was responsible for the UCLA Health breach, and how the hackers gained access to the systems, "the cyber-attack on UCLA Health is still under investigation, we are unable to discuss particulars or provide further information regarding the attack," a spokesman for UCLA Health tells Information Security Media Group.
With the exception of UCLA Health, most of the largest hacker attacks so far this year targeted insurers, including Anthem Inc., which was hit by a breach affecting nearly 80 million inidividuals; Premera Blue Cross and CareFirst Blue Cross Blue Shield.
Will Spending More Help?
Some observers say all the recent headlines about hacker attacks could make it easier for CISOs and CIOs to win support from senior leaders for funding to ramp up information security efforts. But will increased spending make a difference?
"The argument for funding will be easier, because the frequency and size of healthcare sector attacks provide CISOs with mounting evidence to justify increased funding, but it will not guarantee action," Paidhrin says. "Funding generally occurs when the 'what, specifically, can be done?' question can be answered with a price tag less than the perceived cost of assuming the risk. ...Healthcare is struggling, as are all other sectors, to find affordable and effective technologies, skilled cybersecurity personnel and process maturity."
But technology investments won't necessarily stop hackers who rely on social engineering to scam users into providing their network credentials through phishing attacks. "Although spending increases on healthcare IT and cybersecurity will help, the most effective risk mitigator is education," Halamka says. "We are as vulnerable is our most gullible authorized user."
Paidhrin sees a "disturbing trend" toward advanced persistent threats and social engineering, which both largely bypass network perimeter defenses. "APTs are stealthy, very effective at exploiting under-the-radar vulnerabilities that do not trigger the alert thresholds of many security systems," he notes. "Social engineering, basically tricking an authorized user to assist an attacker into an action that exploits a vulnerability, is much simpler than a frontal assault on a network. Why break a lock when you can ask for the keys, and get them?"
The most significant impact the recent hacker attacks will have on the healthcare sector is "information security will need to be considered as an integral part of the security and operations processes of healthcare organizations," says Mitch Parker, CISO of Temple University Health System. "They will need to become more proactive and consider risk as equally as utility."
The hacker attacks should serve as a wake-up call for some organizations that have skimped on their information security risk management practices. "Organizations are supposed to re-assess their information security programs, processes, and technologies on a regular basis to continually improve," Parker says. "That is the purpose of risk management. Incidents such as these should be used to evaluate your organization's current practices and make changes or improvements beneficial to your organization."
Paidhrin says many organizations need to take four "not-so-easy steps" to bolster their security. Those include:
- Two-factor authentication. "Weak passwords, seldom if ever changed, are the bane of information security. Requiring a token, something other than a username and password - both things you know - is the cheapest big step up the security ladder," he says.
- Data segmentation. "Valuable, sensitive information needs to be segmented from general user access, not all accessible from one network or one level of user account."
- Proactive monitoring for unauthorized use. "When 90 percent or more of organizations are potentially compromised, real-time detection of threat actors is essential."
- Rapid response. "The meme of today is 'It's not if, but when we will be breached.' If an organization cannot respond to an attack and penetration, with effective countermeasures, all of the other information security measures, funding, planning and effort will be undone."
Organizations in all sectors, not just healthcare, need to up their game, says Nahra, the attorney. "It's a real challenge. The healthcare sector isn't alone in terms of facing weaknesses and threats."