Will forensics thwart data thieves lurking in hospital EHR corridors?

As Halloween approaches, the usual spate of horror movies will intrigue audiences across the country, replete with slashers named Jason or Freddie running amok in the corridors of all-too-easily accessible hospitals. Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities.

Permission granter by Cognetyx.

In 2015, healthcare was one of the top three industries hit hardest by data vandals. Patients’ records, packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history records fetch a high price on the black market.

Who are the hackers?

Approximately 45% of the attacks are from outside intruders looking to steal valuable patient data. However, “phantom” hackers are also often your colleagues, employees and business associates, careless in the use of passwords or duped by phishing schemes that trick them into opening the door for data thieves.

The problem is not only high-tech, but also low-tech, requiring providers across the continuum to simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.

Growing nightmare

Medical data theft is a growing national nightmare. IDC’s Health Insights group predicts that 1 in 3 healthcare recipients will be the victim of a medical data breach in 2016. Other research yields similar findings. For example, the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data found that in the last two years, 89% of healthcare organizations reported at least one data breach, with 79% reporting two or more breaches. The Ponemon survey also found the number of healthcare attacks over the past five years has increased 125% and the average cost of a healthcare data breach is about $2.2 million.

At health insurer Anthem Inc., hackers stole up to 80 million records using social engineering to dig into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when an Anthem computer system administrator discovered outsiders were using his own security credentials to log in to the company’s systems and to hack databases.

Healthcare hacks spread hospital mayhem in diabolical ways

Banner Health, operating 29 hospitals in Arizona, had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food-and-beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.

What makes this breach more concerning is the question of how did the hackers access healthcare systems after breaching payment systems at food-and-beverage facilities when these networks should be completely separate from one another? Healthcare system networks are very complex and become more complicated as other business functions are added to the infrastructure — even those that don’t necessarily have anything to do with systems handling and protected health information.

You’ve no doubt heard of ransomeware. The first reported attack was on Hollywood Presbyterian Medical Center, which had its EHR and clinical information systems shut down for more than week. The systems were restored after the hospital paid $17,000 in Bitcoins.

Taking healthcare security seriously

Healthcare is an easy target. Its security systems tend to be less mature than those of other industries, such as finance and tech. Where a financial services firm might spend a third of its budget on information technology, hospitals spend only about 2% to 3%.

Meanwhile, as the Ponemon Institute research shows, the number of healthcare attacks over the past five years has increased 125%. Personal health information is 50 times more valuable on the black market than financial information. Stolen patient health records can sell for as much as $363 a piece. 

Many healthcare executives believe that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, many organizations have either decreased their cybersecurity budgets or kept them the same. The healthcare industry has traditionally spent a small fraction of its budget on cyber defenses, and it has not shored up its technical systems against hackers.

Disrupting the healthcare security industry with behavior analysis

Common defenses in trying to keep patient data safe have included firewalls and keeping the organization’s operating systems, software and anti-virus packages up to date. This task of constantly updating and patching security gaps or holes is ongoing. However, with only about 10% of healthcare organizations not having experienced a data breach, sophisticated hackers are clearly penetrating through these perimeter defenses and winning the healthcare data security war. It’s time for a healthcare data security disruption.

Many organizations employ network surveillance tactics to prevent the misuse of log-in credentials. These involve the use of behavior analysis, a technique that the financial industry uses to detect credit card fraud. This technology relies on cloud technology to combine artificial intelligence (A.I.) with machine learning algorithms to create and deploy “digital fingerprints” using ambient network surveillance to cast a net over EHRs and other hospital data sanctuaries. It exposes user behavior deviations that humans would miss and not only stops outside hackers and malicious insiders, but also flags problem employees who continually violate cybersecurity policies.

The concept is simple. A pattern of user behavior is established, and any actions that deviate from that behavior, such as logging in from a new location or accessing a part of the system the user normally doesn’t access, are flagged. Depending on the deviation, the user may be required to provide further authentication to continue or may be forbidden from proceeding until a system administrator can investigate.

Some of those leading this effort include Cognetyx, which delivers ambient cognitive cyber surveillance technology to protect healthcare information assets against cyberthreats, data breaches and privacy violations. It uses a virtual intelligent eye that generates a digital “fingerprint” based on behavior for every log-in by any user in all applications, recording how data is being accessed within an organization. Once a baseline for behavior is established, the system can easily identify anomalies in user activity and send out the appropriate alerts immediately when there are deviations from normal behavior.

Hindsait is another healthcare organization, but not a security company, that uses artificial intelligence and predictive analytics in a software-as-a-service platform, enabling payers and accountable care organizations to identify potentially unnecessary services during the review process and improve quality of care.

The healthcare data security war can be won. The industry would do well to implement network surveillance that includes behavior analysis. It is the single best technological defense against the misuse of medical facility systems and the most powerful weapon the healthcare industry has in its war against cybercriminals.