Medicine’s symbol — two snakes spiraling around a staff — has morphed into a bull’s-eye, thanks to health care’s growing reliance on the internet.
Cybercriminals, bent on exploiting security gaps in computer networks, electronic health records, storage in the cloud, medical devices, email, and commercial operations, have made the industry their No. 1 target. The criminals are after intellectual property, patient and provider information that enables health care fraud and identity theft, and data they regularly encrypt with ransomware that allows them to overtake entire computer systems.
Unless the hacker can be discovered, the only other way an affected hospital or health care provider can regain access to its digital operations is to pay a ransom.
Helping the cyber criminals is a medical device industry that can take security for granted, the naiveté of human nature, and a federal law meant to help patients and their health providers — the Health Insurance Portability and Accountability Act of 1996.
The federal government contributed to the current tsunami of cybercrime 20 years ago when lawmakers pushed for digitizing health information. Their goal was a noble one: The use of electronic health records was meant to improve efficiency and quality of care, and reduce costs.
In turn, the law included a security rule that requires health care organizations to undertake a comprehensive risk analysis, formulate risk management and data-breach remediation plans, and use physical, technical, and administrative security measures to ensure that electronic protected health information, or PHI, is secure.
Unfortunately, even as health care groups embrace the advantages of digitization, they don’t always comply with the security rule and, even when they do, criminals intent on breaking into electronic networks and devices connected to the internet of things often are able to bypass any roadblocks.
As a result, nearly 90 percent of health care organizations represented in the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, published in May by the Ponemon Institute in Traverse City, reported a data breach in the past two years.
Oakland Family Services, in Pontiac, is one of them.
In 2015, responding to what looked like a legitimate email, an employee at the human service agency’s Pontiac administrative offices re-entered her username and password for the Gmail-based account, intending to access a Google Share document. Her response to the trick email potentially exposed the personal health records of more than 16,000 patients, and also sent similar so-called phishing emails to other employees.
Dave Partlo, Oakland Family Services’ information technology director, was immediately alerted, and was able to stop the attack 23 minutes after it started. “We really don’t believe anybody’s health information was viewed,” says Kathleen Lynd, vice president of planning and communications at Oakland Family Services, who worked on the breach response.
After the incident, Partlo switched the organization to a Microsoft email program with more access controls, required employees to use stronger passwords and change them every 90 days, and stepped up the frequency of his reminders to staff to be vigilant.
The mistake was expensive. In addition to the many hours of staff time spent on the problem, the agency had to hire a firm to manage the remediation. Hiring the firm cost $10,000 — and the agency was already paying up to $10,000 a year in cyber insurance premiums for a policy with a $10,000 deductible.
“The (most valuable) thing I learned is you can never train enough,” Partlo says.
The expenses the agency incurred are another painful lesson, and it’s a widespread occurrence. In its latest report, the Ponemon Institute estimates the cost of health care industry breaches at more than $6 billion. Last year, Accenture, a professional services consultant, projected provider losses of $305 billion in revenue through 2019 resulting from patients switching caregivers due to breaches.
The costs are about more than lost revenue, however. Expenses include the technology to protect data and detect intrusions, remediation measures when a data leak occurs, and possible fines if the government finds the proper precautions weren’t in place.
Mistake vs. Malice
The costly threats Partlo and others in health care face range from mistakes and negligence to criminal behavior.
For example, the Detroit Department of Health and Wellness reported the theft of a portable electronic device in December 2009 with 10,000 patient records on it, while patient loan firm HELP Financial Corp. in Plymouth reported in December 2010 that a contractor sent the personal health records of nearly 9,500 people to the wrong patients.
More recently, the network server of the FireKeepers Casino Hotel in Battle Creek was hacked, exposing the medical information of almost 8,000 employees.
Sometimes the breaches are downright shocking. At the Newaygo County Medical Care Facility in Fremont, north of Grand Rapids, a nursing assistant took invasive and embarrassing photos of residents in September 2013 and posted them on Snapchat, a photo-sharing app.
Opinions of what the biggest cybersecurity challenges are seem to differ from reality. In the Ponemon report, the top three breach-related concerns among respondents were: a negligent or careless employee (69 percent), cyber attackers (45 percent), and insecure mobile devices (30 percent). The percentages add up to more than 100 because survey-takers could make more than one choice.
The reality, according to Ponemon, is a bit more ominous. Fifty percent of health care organizations report the root cause of actual breaches was a criminal attack; only 41 percent report it was from a business associate’s error and 39 percent found it was due to a stolen device.
Dr. Larry Ponemon, founder and chairman of the Ponemon Institute, thinks he knows why the results show such a disconnect between perceived and actual threats. “One reason, in part, is that a lot of criminal attacks start off as an act of negligence,” he says.
For example, a careless employee who clicks on a link in a phishing email, accesses a public Wi-Fi network, or visits a fishy website unwittingly plays into the hands of a criminal.
Bring-your-own-device practices pose risks, too. Employers save money when employees use their own smartphones, tablets, and other devices for work, but companies give up some control over security with the practice.
For example, in December 2013, a third-party snafu at RevSpring in Wixom, which handles billing, appointment reminders, and other health care communications, triggered the accidental disclosure of 3,000 patient records at the University of Pennsylvania.
The error happened during printing, says Analiese Fusner, RevSpring’s chief compliance officer. Information for the recipient appeared on the front page of billing statements, but details belonging to another patient were printed on the back. The error improperly disclosed procedure descriptions and owed balances.
Cybercriminals also have repeatedly hit Henry Ford Health System in Detroit. It reported thefts of a laptop in November 2010 with 3,700 patient records and a desktop computer in October 2011 with 520 records; a lost flash drive in November 2012 contained 2,777 records.
But it was a Henry Ford employee at its hospital in West Bloomfield Township who caused the system’s most notorious breach, which also included patient information taken from Harper Hospital at the Detroit Medical Center.
In 2014, when law enforcement officers raided the Farmington Hills home of Henry Ford employee Markitta Washington, who had also worked at Harper, they found information from 1,400 patients. They also discovered copies of driver’s licenses, bank account and credit card details, patient records, and notebooks with handwritten entries including names, dates of birth, and Social Security numbers.
The federal government subsequently charged Washington and co-defendant Martez Lear with identity theft, using information from 305 patients to file false tax returns, and receiving government checks totaling almost half a million dollars. They’re both currently in prison.
Meredith Phillips, chief information privacy and security officer for Henry Ford, says of people like Washington, “We’ll never be able to eliminate bad actors.”
As a result of the breach, the organization now screens prospective employees’ backgrounds more closely, and asks managers to better supervise their staffs. The health system also provides encrypted flash drives to employees, requires staff identification badge-access to about 20 percent of its facilities, and asks home nurses to keep portable electronic devices with them at all times, Phillips says.
In addition, Henry Ford uses social engineering techniques to see who among its 27,000 employees will disclose their access credentials to a caller, respond to a phishing email, or let an unauthorized person into a restricted area.
And, Phillips says, she’s sending out a bid for behavioral analytics software, which she hopes to implement this year. The technology learns a computer user’s typical behavior, and issues an alert if his or her habits change. “It gives us the ability to identify a potential bad actor before they become a bad actor,” Phillips says.
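The behavioral analytics Phillips describes works by learning each user's normal activity and alerting when a day departs from it. The following is an added illustration, not Henry Ford's or any vendor's code: it builds a per-user baseline of daily record volume and working hours from constructed audit events (hypothetical users clerk_a and clerk_b) and flags the day on which one user suddenly prints hundreds of records late at night.

```python
"""Per-user behavioral baseline over record-access audit events.

Constructed sample data, not from any real system. Each event is
(day, hour, user, action, n_records).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit events: 20 ordinary days for two staff users, then a
# final day on which one user prints far more records than usual and
# does so outside her normal working hours.
BASELINE_DAYS = 20
EVENTS = []
for day in range(1, BASELINE_DAYS + 1):
    EVENTS.append((day, 9, "clerk_a", "VIEW", 30 + day % 3))
    EVENTS.append((day, 14, "clerk_a", "PRINT", 2))
    EVENTS.append((day, 10, "clerk_b", "VIEW", 45 + day % 5))
EVENTS.append((21, 9, "clerk_a", "VIEW", 31))
EVENTS.append((21, 22, "clerk_a", "PRINT", 400))   # the anomalous burst
EVENTS.append((21, 10, "clerk_b", "VIEW", 47))

def daily_totals(events):
    """Map (user, day) -> total records touched and the hours of activity."""
    totals = defaultdict(lambda: {"records": 0, "hours": set()})
    for day, hour, user, _action, n in events:
        totals[(user, day)]["records"] += n
        totals[(user, day)]["hours"].add(hour)
    return totals

def build_baselines(events, baseline_days):
    """Learn each user's normal daily volume (mean, spread) and working hours."""
    totals = daily_totals(e for e in events if e[0] <= baseline_days)
    per_user = defaultdict(lambda: {"volumes": [], "hours": set()})
    for (user, _day), t in totals.items():
        per_user[user]["volumes"].append(t["records"])
        per_user[user]["hours"] |= t["hours"]
    return {u: {"mean": mean(v["volumes"]), "std": pstdev(v["volumes"]),
                "hours": v["hours"]} for u, v in per_user.items()}

def score_day(events, baselines, day, z_limit=3.0):
    """Return (user, reasons) for users whose activity on `day` departs from baseline."""
    alerts = []
    for (user, d), t in daily_totals(events).items():
        if d != day or user not in baselines:
            continue
        b = baselines[user]
        # Floor the spread so a very steady user still needs a real jump to alert.
        spread = max(b["std"], 0.1 * b["mean"])
        z = (t["records"] - b["mean"]) / spread
        reasons = []
        if z > z_limit:
            reasons.append(f"volume {t['records']} vs mean {b['mean']:.0f} (z={z:.1f})")
        new_hours = t["hours"] - b["hours"]
        if new_hours:
            reasons.append(f"activity at unusual hours {sorted(new_hours)}")
        if reasons:
            alerts.append((user, reasons))
    return alerts

if __name__ == "__main__":
    base = build_baselines(EVENTS, BASELINE_DAYS)
    for user, reasons in score_day(EVENTS, base, 21):
        print(user, "->", "; ".join(reasons))
```

Only clerk_a is flagged on day 21, for both the volume jump and the 22:00 activity; the same code scores any earlier day as clean.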
Money and Common Sense
As health care organizations — as well as companies like banks and construction companies that handle employees’ health records through wellness programs or self insurance — become more connected and vulnerable, their mandate to keep data safe raises information technology, security, and compliance-related questions: Are they making the right choices? Are they spending their money wisely? Are they focusing on the right things?
In 2015, the Medical Identity Fraud Alliance in Washington, D.C., a nonprofit organization that includes such members as Aetna, AARP, the Blue Cross Blue Shield Association, the Henry Ford system, and others, surveyed its members and found that while 72 percent of respondents ranked personnel and human resources/talent highest in priority, the organizations generally spent more on IT systems.
Within the IT spending category, nearly half of the respondents said breach detection technology ate up 50 percent or more of their annual budget. Just 23 percent allocated half or more of their budget to breach prevention. The group drew a clear lesson from its study.
“It’s the deployment of technologies, along with the investments in expert personnel who are properly educated and trained to protect PHI from fraudulent use, that will help reduce the incidence of medical identity fraud,” the survey concludes. “The health care industry cannot have tunnel vision and invest in only one area.”
Spending within IT departments covers technology like firewalls, anti-virus and malware detectors, biometrics, data encryption software, and email filters.
But the best and lowest-cost defense is a habit experts have been preaching for many years. Back up your data, says Martin Nystrom, director of operations for Cisco Security Solutions at the Research Triangle Park in North Carolina. That practice not only defeats those hackers who are asking for ransom, but it also guards against hard drive failures. “That’s actually one of the most important things you can do,” Nystrom says.
Despite all of the high-tech precautions, fooling an employee into falling for a phishing attack — typically in an email that asks the recipient to click on a link or open an attachment — is the most common and effective way to get into a network, Nystrom says.
“That’s the softest spot in the network — the users who already have privileged access,” he says. “Awareness is one of the key things, so you’re not falling for these phishing attacks.”
Experts also advise using strong passwords, but some think even those aren’t enough, and favor two-factor authentication like that offered by Duo Security in Ann Arbor. One common use of double authentication is at ATMs, which require not only the user’s card but also a PIN. To access electronic health records protected by Duo’s technology, the user enters his or her password and then receives a second code to use with a cell phone.
“The way to think about it is there’s no method an attacker can’t get around,” says Umang Barman, Duo Security’s product marketing manager. “But they’re going after low-hanging fruit. When you add two-factor authentication, they move on.”
The U.S. Drug Enforcement Agency requires two-factor authentication for electronic prescribing of controlled substances, and the Social Security Administration began requiring it in August for beneficiaries who want to access their personal information online.
In terms of employee awareness and vigilance, Linda Bailey-Woods, a principal for Plante Moran’s IT consulting service in Southfield, says annual employee training isn’t enough to create a security culture. “It has to be constant,” she says. “You have to have indications that your company thinks this is a significant risk and you (the employee) have to pay attention.”
For example, Bailey-Woods says her company requires a minimum 16-character password as a way to thwart a computer breach.
To keep data security on the minds of its employees, Bailey-Woods advises using data kiosks for those who aren’t regularly on computers; having some version of a SharePoint, Microsoft’s collaboration and document management platform, to post information; and publishing articles in the company newsletter. “There should be an article on security every month because the data is getting so big and there are so many threats out there,” she says.
Even with expert advice, along with regular news reports of hacker breaches, health care groups still don’t do enough to protect themselves, according to the Ponemon report. The study found that many organizations lack the money and resources to manage data breaches caused by evolving cyber threats, preventable mistakes, and other dangers.
“With the growing number of fines and the exorbitant costs, they can’t not afford it,” says Bailey-Woods, “because the fines are so huge.”
She cited a $2.8 million fine on the University of Mississippi Medical Center in Jackson for multiple federal law violations, which was imposed in July. Shortly afterward, the federal government announced a record $5.5 million settlement with Advocate Health Care Network in Chicago for potential violations involving electronic patient records.
Closer to home, Blue Cross Blue Shield of Michigan fell victim to a cybercriminal last year.
At the time, then-employee Angela Patton printed screen shots from her work computer with the personal information of more than 5,500 clients. Patton and 10 co-conspirators used the personal information for identity and credit card fraud, according to the U.S. Attorney’s Office. The types of information disclosed included names, dates of birth, insurance plan identifiers, Social Security numbers, and more.
Since that time, Patton pled guilty to a conspiracy charge and was sentenced to 41 months in a federal prison.
Following the breach, the insurer improved safeguards by masking Social Security numbers, removing members’ dates of birth, limiting search results to 25 records, and installing new devices that require employees to scan their identification badges when printing.
Given the battle between everyday operations and hackers, is it time for a cyber security moon shot — an all-out campaign for a quantum leap in technological defenses? At least one expert thinks the best solution will be to anticipate what’s next.
“I just think that information and data governance is key to surviving in this whole cyber security threat world that we’re currently living in, because you can’t just be compliant,” says Plante Moran’s Bailey-Woods. “You have to be forward-looking.”
Internet of Medical Things
When former U.S. Vice President Dick Cheney had a pacemaker-defibrillator device implanted to help his ailing heart, his doctor had the manufacturer disable its Wi-Fi capability. The doctor feared a hacker might tap into the device in Cheney’s chest if it were connected to the internet, and give him a heart attack.
Cheney may not have intended to educate Americans about the risks posed by medical devices that are part of the internet of things, but that’s exactly what he did when he went public with his heart story.
In a hospital, medical devices that make up the internet of things include infusion pumps, remote patient monitoring systems, and intensive care unit machines. At home, baby monitors, weight scales, blood pressure cuffs, and glucometers may also provide an inroad to a hacker, especially with a weak Wi-Fi password.
While electronic devices are a boon to medical care, each one becomes an additional entry point for hackers. Even when turned off, if the device has a battery as a backup in case of an emergency, it can be turned on remotely and potentially used to infiltrate the connecting network, says Tatiana Melnik, principal of Melnik Legal, which specializes in data security.
“Medical providers need to be more cognizant and … ask questions about security (for the devices they buy),” says Melnik, who practices in Michigan and Florida. “Devices may have flaws in their firmware (embedded software) that allow an experienced hacker to get into the device. Most people don’t think, ‘Hey I need to update my firmware periodically.’”
Unfortunately, most device-makers don’t think about updates, either.
“A lot of the problem with the internet of things is that when these systems are built they’re not maintained,” says Craig Williams, senior technical leader and global outreach manager for Cisco Talos in Austin, Texas, which does threat intelligence for Cisco Systems, “so they’re slowly becoming more and more vulnerable to known issues. That’s why the internet of things is dangerous.”
Williams says vendors need to take responsibility for their devices by publishing security advisories and updates to firmware, much like companies do for computer software and applications. “Right now I would say internet of things vendors are operating in the security posture from the 1980s,” Williams says. “The upside here is it’s not a doomsday scenario.”
Williams cites Nest as a company that operates in a 21st-century security posture; for its home thermostat, updates are automatic when the device utilizes Wi-Fi.
Until medical devices become more like the Nest thermostat, Melnik advises using vigilance, educating staff and consumers about system vulnerabilities, implementing security controls, changing default passwords, and using encryption and two-factor authentication. “There’s a saying I like: I don’t have to be the fastest runner in the world,” she says, referring to keeping ahead of hackers, “I just have to run faster than you.”