Despite the aggressive efforts of government regulators, the healthcare industry's reputation for security hasn't been stellar. Multiple breaches are reported on a weekly basis and with healthcare exchanges popping up under the federal Affordable Care Act, the situation could get worse before it gets better.
One way custodians of healthcare data might be able to better protect patient information is by integrating "big data" security solutions into their systems. That, however, can present healthcare organizations with even more security challenges.
"When you look at the known number of data breaches in healthcare, it's staggering," said Stu Sjouwerman, CEO of KnowBe4, a security awareness training company.
Healthcare organizations have increasingly been targeted by hackers as more and more of their data becomes electronic. Since 2009, hospitals and medical practices have been under the gun by regulators to ditch paper for electronic records by 2015. "There's been pushback that timeframe is too ambitious for providers to properly secure their data," said Joan Walker, a senior consultant with TayganPoint, a management consulting firm.
Not only is more medical information being placed online, but the pool of people who have access to that data is also expanding. Consumers can view their medical information online and medical professionals can use electronic information for sharing and collaboration with each other. "More online sensitive data and more access to that data means more opportunities for hackers," said John Pescatore, director of emerging trends for the SANS Institute.
"Healthcare has always been attractive to hackers, and it's even more attractive now," added Alan Brill, senior managing director for Kroll Advisory Solutions, a risk management firm.
Part of that attraction stems from a sort of "Perfect Storm" for data predators. "The transient nature of data and the porous nature of the network leads to hackers focusing on healthcare," said Ed Gaudet, general manager of Imprivata's Cortext products group, maker of authentication systems for medical personnel.
Adding to a healthcare organization's data security problems are medical devices -- such as MRI and CAT scan machines -- that connect to its networks. "They all connect to the network, all have Internet access and all have vulnerabilities that manufacturers have not been patching, which present a whole new set of security challenges to providers," Pescatore explained.
While healthcare organizations have always been concerned with preserving the confidentiality of patient records from unauthorized snoops, having that information targeted for financial gain by digital bandits is relatively new to them. "They're in the business to serve and treat patients," explained TayganPoint Senior Consultant Jay Stanell. "If they have a choice between spending their money on an imaging machine that saves lives and multiple tiers of security, that's not an easy decision for them."
Those decisions will have to be made, however, because their electronic information has the same appeal to hackers that all electronic information does. "Healthcare is being targeted by a lot of the same kinds of attacks from anyone who's going after financial information, something that can easily be converted into credit card payments or Social Security numbers for identity theft or tax fraud," said Suzanne Widup, a senior analyst with Verizon's RISK Team.
"With all these healthcare exchanges coming online, that's something that I'm sure is going to get a lot of scrutiny by the bad guys," she added.
Those exchanges will be soft targets for net bandits, maintains Larry Ponemon, founder and chairman of the Ponemon Institute. "These exchanges will contain lots of facts about individuals, and those facts will be very helpful in creating false credentials and false identities," he said.
"They were a rush job and security wasn't a strong feature," Ponemon noted. "As these exchanges develop their databases, there doesn't seem to be any extra special security effort being put into place."
Healthcare organizations are also being attacked from the inside. "We're seeing people being recruited from inside the organization because they have access to the data and they can feed it to bad actors on the outside," Widup said.
What's more, healthcare organizations of all sizes are being targeted by hackers. Dan Edwards, president of PactOne, which provides consulting services to dental and orthodontic offices with anywhere from five to 120 computers, said a common attack on those healthcare providers is ransomware.
In a typical ransomware attack, malware encrypts all the data on a computer. Then the computer operator is informed they must pay a ransom to receive the key to decrypt the data. "That's really not true because after you pay them, they keep the money and never give you access to your data again," Edwards said.
In those cases, an organization learns quickly the value of good storage hygiene. If an office has been diligently backing up its data, it can restore the data that's been targeted by the ransomware from those backups and continue operations with a minimum of disruption.
As cyber attacks on healthcare providers increase, they, as have other industries, will begin to turn to big data solutions to protect their large stores of information. "It's impossible for a human to intelligently, accurately and reliably see unusual activity regarding access to electronic health records," said Lee Kim, director of technology privacy and security solutions for the Healthcare Information and Management Systems Society, a global not-for-profit organization focused on promoting better health through information technology.
Kim explained that network traffic can be analyzed using big data tools to establish baselines for usage by individual users. "When there is an aberration in activity, a heuristic analysis can be done to identify where the aberration might be and flag it, in real time," she said.
"That way," she continued, "if there is potential criminal activity or an insider threat, a security team can head that off ASAP."
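The per-user baseline Kim describes can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the user names, the daily record counts and the three tuning constants are constructed assumptions.

```python
from statistics import median

# Constructed sample: each line is a user followed by the number of distinct
# patient records that user opened on each prior day (summarized from an
# EHR audit log), then the same summary for the day under review.
CONSTRUCTED_HISTORY = """\
nurse_a 20 22 19 21 23 20
clerk_b 5 6 4 5 5 6
"""
CONSTRUCTED_TODAY = """\
nurse_a 24
clerk_b 140
temp_c 30
"""

MIN_DAYS = 5      # assumed: history required before a baseline is trusted
THRESHOLD = 3.5   # assumed: modified z-score cutoff for an alert
MAD_FLOOR = 1.0   # assumed: stops very regular users alerting on +1 record

def parse(text):
    """Return {user: [daily counts]} from 'user n n n' lines."""
    out = {}
    for line in text.strip().splitlines():
        user, *counts = line.split()
        out[user] = [int(c) for c in counts]
    return out

def score(history, today_count):
    """Modified z-score of today's count against the user's own median/MAD."""
    med = median(history)
    mad = max(median(abs(c - med) for c in history), MAD_FLOOR)
    return 0.6745 * (today_count - med) / mad

def review(history, today):
    """Classify each user seen today as normal, flag or no_baseline."""
    verdicts = {}
    for user, counts in today.items():
        past = history.get(user, [])
        if len(past) < MIN_DAYS:
            verdicts[user] = "no_baseline"   # new account: route to manual review
        elif score(past, counts[0]) > THRESHOLD:
            verdicts[user] = "flag"          # far above this user's own norm
        else:
            verdicts[user] = "normal"
    return verdicts

if __name__ == "__main__":
    print(review(parse(CONSTRUCTED_HISTORY), parse(CONSTRUCTED_TODAY)))
```

Median and MAD are used instead of mean and standard deviation so that one earlier spike in a user's history does not widen the baseline and mask the next one.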
A challenge to any big data security set-up is making sure that all relevant data is being scrutinized. That's becoming increasingly problematic as more and more devices are allowed to access a healthcare organization's networks. "They really need to know where their data is, because if they don't, then it's going to be hard to make sure it's secure," Verizon's Widup said.
Moreover, data that's attractive to hackers can be found in more places than just patient records and medical devices connected to networks. Any point in the payment chain that contains data can be a target. For example, some cafeteria point of sale and co-pay collection systems implemented by third parties have Internet connections that can be attacked by bad actors. "We've seen breaches there," Widup said.
When deploying a big data security solution, care must be taken not to add to an organization's vulnerabilities. "Most hospitals practice security by silo," said Phil Simon, author of Too Big to Ignore: The Business Case for Big Data.
"They have their data segmented," he continued, "and as that data is brought together to build bridges between data sources, then the bridges have to be properly tested."
"We live in a world in which there are data sources all over the place," Simon said. "There's a tremendous opportunity for organizations that take advantage of that, but if they don't watch what they're doing, there can be security issues and HIPAA violations and bad PR. That's one of the reasons that many healthcare organizations have been reluctant to do a lot with big data."
Since many healthcare organizations don't have the chops to deploy a big data solution, they often must rely on third-party contractors to do so. That can lead to problems if a contractor isn't familiar with the healthcare regulatory landscape. "Third-party organizations that specialize in big data are very familiar with dealing with that data, and I have no doubt that the majority of them really do understand how to secure that data appropriately, but they've probably never had to do a HIPAA HITECH compliance review," Kroll's Brill explained.
"This mechanism that's been developed, which is a combination of HIPAA and HITECH with an overlay of all the state privacy laws, becomes incumbent upon you to follow even though you are not a healthcare organization and don't ever see a patient," Brill added.
As with many new technologies, big data's current abilities to protect a healthcare organization's information from digital desperadoes can be exaggerated. "Big data solving security problems is a very much over-hyped term," Pescatore of SANS said. "Big data tools are useful for finding out where you went wrong, finding the paths of an attack that succeeded, but we're not seeing big data tools prevent attacks."
Nevertheless, those tools can speed up an organization's reaction when it is attacked. "Security analytic tools can be used to more quickly notice the signs of a potential compromise and limit the damage from an attack," Pescatore added. "Rather than find out from a customer that your system has been compromised for six months, you can see a warning that an MRI machine is talking to the Internet and it never did that before."
This story, "Big Data Offers Means to Combat Healthcare Hacker Attacks," was originally published by CSO.