Healthcare IT Security: Can We Turn the Corner?
IT security in healthcare is unique because healthcare organizations cannot improve security on their own
By Egor Kobelev
According to the Breach Level Index, the healthcare sector has experienced more data breaches than any other sector for the last five years. While the records breached in healthcare in 2017 constituted only one percent of the total number of records breached across all sectors, that figure still represents a 27.4% increase over 2016. The relatively low number of compromised records can be explained by high data fragmentation: the data accessed by attackers was not highly centralized, so only a relatively small number of records were exposed to each individual attack.
The causes of such an astonishing number of breaches, on the other hand, are less clear and far more intriguing. Perhaps discovering why healthcare is the number one target for cyberattacks will help us understand what is so unique about IT security in healthcare and how a security strategy in this sector might differ from those in other industries.
Let’s step back for a second and think about the attackers’ motivation. According to the 2018 Verizon Data Breach Investigations Report, hackers’ primary motives are financial gain, espionage, ideology, fun, and grudge. Financial gain leads by a huge margin, and although its share has declined slightly in recent years in favor of espionage, it is still fair to say that financial interests directly or indirectly drive most breaches.
Hackers’ three major revenue-generating channels are ransomware, cryptojacking, and identity theft. Ransomware and cryptojacking attacks are typically large-scale but not targeted. Cryptojacking steals the victim’s computational resources – CPU, GPU, and electricity – so the aim is to infect as many computers as possible, whether personal or business, at home or in the office. Ransomware also works best at scale. Even though it poses a substantial threat to companies and institutions, hitting them is usually a side effect of a broad campaign rather than its ultimate goal. Moreover, a victim is more likely to pay if a lifetime collection of family photos is at stake, whereas business documents are almost certainly backed up in the corporate network (provided, of course, that those backups are kept out of reach of the same malware and have actually been tested).
Identity theft is a very different story. While identity theft through phishing websites and emails is still somewhat effective, these attacks capture personal data in small increments. By contrast, breaching an organization that stores millions of personal records often gives attackers access to a vast dataset all at once. Since the value of stolen data diminishes rapidly, it is more financially advantageous to steal a large dataset, split it into batches, and sell it as quickly as possible while the data is still fresh. As time goes by, the likelihood increases that the incident will be reported, and that people will change their passwords and block their credit cards, driving down the black-market price of the data.
Hacking a large organization requires a lot of time, patience, and resources. Unsurprisingly, organizations with large, heterogeneous IT infrastructures are among the most tempting targets because they offer the greatest reward for the effort. Another key factor is whether an organization or industry considers technology an important part of its business operations. In general, companies running business models that existed long before recent technological advances tend to think of technology as merely a nice complementary tool, or as a necessity for compliance.
Now, who was the latest to the party? Travel, retail, entertainment, and financial services companies employed the widest range of technologies to compete and retain clients in a rapidly changing environment. Healthcare has been an outlier all along. What is the point of having an electronic health record (EHR) system when paper charts are so much easier? Why use medical billing software if you can call the insurance company and handle everything over the phone? This way of thinking led to a much slower adoption of technology in healthcare than in most other markets. Driven primarily by regulatory pressure, the introduction of technology in healthcare has not yet fundamentally changed healthcare executives’ mindsets. Technology is still an afterthought, and, unfortunately, so is IT security. This is certainly one reason healthcare organizations have been victimized more frequently. It is an issue of mindset.
Now let’s examine the IT infrastructure. Large healthcare organizations seldom rely on a unified technology stack. More commonly, they utilize an array of different hardware, operating systems, and off-the-shelf software solutions built on different platforms. A lot of data is stored, often redundantly, across multiple heterogeneous systems, while new vulnerabilities in operating systems, content management systems, and web servers continue to emerge. The extreme difficulty of managing security in such an environment (keeping an accurate inventory, patching every component, and monitoring every system) leaves healthcare organizations especially exposed to criminals. This is an IT issue.
It is not simply about changing executives’ mindsets and managing IT security better. Even technology giants like Facebook get hacked. Like healthcare organizations, financial services firms often run hundreds of (often outdated) software products and store millions of sensitive client records that hackers could potentially access at once. What makes healthcare special is the nature of the data. Tech companies store logins and passwords, perhaps a date of birth and gender, some photos, and a credit card number. Financial organizations store clients’ credentials, credit cards, and account numbers. Credit card information is perhaps the most sensitive of these. However, if you have ever lost a credit card, you know the drill, right? You call your bank and block the card. If it has been stolen, you get a new one. One number, one call, one minute, and your money is safe. In some instances, you can even get your money back if a criminal used your card before you realized it had been compromised. It is an unpleasant problem, of course, but an easily solved one.
Now, when was the last time you called your insurance company to ask them to block your current account and issue a new one? Have you ever called the government to get your passport number changed? Unfortunately, it doesn’t work that way. You cannot easily block or change your social security number or other national ID, your insurance account number, or the other personal information that healthcare organizations store. There is no phone number to call and no clear procedure to follow. Even worse, if a criminal has had enough time to impersonate you and commit fraud, proving it wasn’t you and rolling back whatever the criminal did is no easy task; it often takes months of your time and considerable legal costs. This is far more than a technology problem. There is simply no easy damage control once this kind of data is compromised. Evidently, this is not only the healthcare industry’s problem. It is a very complex issue that must be resolved through the collaborative efforts of government agencies, regulatory bodies, insurance companies, and healthcare associations and institutions.
There is no security strategy that healthcare organizations could employ on their own to reduce their attractiveness to criminals. The data that healthcare organizations store must become cheap on the black market and lose its value to hackers. Data security is the responsibility not just of the entity that stores the data but also of the entity that creates it. It is critically important that healthcare executives change their attitude toward IT security. It is also critical that healthcare organizations maintain a coherent IT environment and security strategy. But this is not what makes IT security in healthcare different from IT security in other industries. IT security in healthcare is unique because healthcare organizations cannot improve security on their own.
ABOUT THE AUTHOR
Egor Kobelev is Vice President of Healthcare and Life Sciences at DataArt. With over 15 years in the IT industry, 10 of them in the healthcare sector, Egor brings a wealth of industry expertise to the company, advising major U.S. clients on technology approaches in research, regulation, and security. Prior to DataArt, Egor worked as a software developer and software architect for a number of technology firms. He holds an MS in Statistical Radiophysics from Voronezh State University.