By Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS
The past 12 years I’ve spent working in healthcare cybersecurity (health IT and medical devices) have been equally rewarding, exciting, and frustrating. Although we, as an industry, have made progress in many areas, so have our adversaries. For the most part, it feels like we are running after a train that is leaving the station—we are certainly making the effort, yet we are not gaining as the train pulls away from us.
Over the past decade, we have seen significant changes in how the industry views cybersecurity. Prior to the introduction of the HIPAA Security Rule (2005), healthcare had little guidance on security and there was little incentive to prioritize security in budgets. After the Security Rule was instilled, the industry became more compliance-driven, yet most efforts remained superficial due to lack of enforcement.
This started changing in 2009 when the HITECH Act introduced a step up in HIPAA audits, steeper penalties, as well as the breach notification law, requiring notification to HHS of any breach affecting more than 500 patient records. In 2013, these changes were collectively rolled up into the HIPAA Omnibus Rule. Further regulatory and legal pressure was added through an increasing number of U.S. states introducing privacy laws (most famously the California Consumer Privacy Act, or CCPA) as well as, to an extent, international regulations like the General Data Privacy Regulation (GDPR) in Europe.
Early HIPAA audits conducted by the Office for Civil Rights (OCR) starting in 2012 generally gave the industry a poor report card and did not instill confidence in healthcare’s security capabilities. Nor did, unfortunately, the published breach statistics on the HHS “Wall of Shame” that showed an average increase of reported breaches by 7% year-over-year between 2010 and 2018 (excluding 2009 since it was only a partial reporting year); 2015 was the only year with fewer breaches than the previous one, but it had the highest number of breached patient records with 113 million (78 million in a single malicious attack), and it still holds this record.
Another change in awareness began in 2016 when healthcare providers started getting exposed to an increasing number of ransomware attacks. In fact, it appeared that some attack groups had started to focus on the healthcare industry, capitalizing on a weak security posture and high pressure to restore operations. In 2017, we experienced two security events that severely impacted the healthcare industry: WannaCry, which shut down 81 of 256 NHS hospitals in the United Kingdom, and NotPetya, which affected dictation services and caused shortages in drugs and vaccines.
Collectively, these trends have led to change in the healthcare industry and an improved approach to security, which includes:
- Moving from a compliance-driven to a security-driven culture
- Changing the focus from confidentiality (as emphasized through the HIPAA breach notification law) to understanding the impact of system and device availability as well as its impact potential on care delivery
- Beginning to understand the risks associated with data integrity risks in the care delivery environment
- Understanding the risk exposure due to an advanced malicious attacker as compared to a compliance auditor
Security efforts have certainly improved over the years. But, as kids embarking on lengthy road trips always ask, “Are we there yet?” Unfortunately, the answer is, “Not for a while.” And, in fact, the destination is still moving away from us.
You may be left wondering how I reached this conclusion. I recently downloaded the data reported to the HHS “Wall of Shame” through the end of 2019. As shown in the figure below, we can see the sharp (36%) increase in the number of reported breaches, of which the majority (78%) are now healthcare providers, with a 42%, year-over-year, increase.
In addition, 2019 had the second-highest number of breached records (41 million, second only to 2015), as well as the second highest number of breaches over one million records (five, again, second only to 2015).
There are also changes in the types of breaches reported. We can see that 59% are now classified as “Hacking/IT”, up from 4% in 2010, and 29% are “Unauthorized Access/Disclosure,” up from 5%; whereas “Theft” (typically theft of computers, laptops, storage devices, and documents) is now only 8%, down from 66% in 2010. This clearly shows a trend from petty and opportunistic theft, that was most likely focused on the device rather than the data on it, towards deliberate and targeted attacks on health data.
Another indicator for the challenges in healthcare was recently provided by German security researchers that scanned the internet for unprotected medical image (PACS) servers. Although they found that some archives had been taken offline since their first scan two months prior, they uncovered additional servers. During their latest data collection in November 2019, there were over 1.2 billion medical images exposed globally.
In the U.S., they found 22 million exposed studies, representing about 6 million citizens and 800 institutions. Of the total of 786 million images, 115 million were directly accessible, including patient demographic information. The state of cybersecurity in healthcare is, unfortunately, not strong. So what can the healthcare industry do better?
Without getting into too much detail, here a few useful suggestions:
- Healthcare leadership needs to recognize that their security risk is a patient safety as well as a business risk. Cybersecurity needs to become part of an organization’s strategic priority.
- Develop a security-conscious culture that includes all stakeholders, whether their role is administrative, clinical, or technical.
- Develop and enable security leadership across critical organizational groups, including, for example, a chief medical security officer.
- As an organization makes new technology decisions, be it a new EHR, develop a telehealth program, adopt cloud storage, or even venture into artificial intelligence (AI) for clinical applications, none of these decisions should be made without understanding and addressing aspects of security.
- Develop security partnerships and make security part of your vendor relationship. Your suppliers and partners need to take on their part of the responsibility, design proactive security into their products, and be by your side in case of an incident.
- Make meaningful investments into holistic security technology and take a “defense in depth” approach. Security talent is sparse; focus your technology priorities so to free up valuable talent.
- Keep an eye on, and invest when appropriate in, next generation security tools that can automate security tasks via AI and machine learning—event log review, incident detection and response, anomaly detection and behavior analytics. But, be conscious of the “next shiny object” phenomenon that, unfortunately, is prevalent in the security industry.
In conclusion, key statistics and recent discoveries by security researchers show that the industry is not getting ahead of cyber threats. Fortunately, by implementing some basic changes, organizations can take steps to improve their security culture and posture.
Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, is currently chief security strategist for MedCrypt. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at firstname.lastname@example.org.