Incidents of hacking and cyber-breaches are on the rise and several confluent factors spell trouble for the Healthcare Industry. Grid32, a cyber-security provider, has seen this issue first-hand. We have been performing security assessments and penetration tests for certain forward-thinking hospitals and healthcare providers over the last several years. This case study seeks to outline the issues we have found and bring further attention to both the gravity of this situation and the need for action by those organizations who are not fully cognizant of this risk or who falsely assume they are safe.
In performing our security assessments and tests, Grid32 has found that, almost uniformly, our clients in the Healthcare Industry have had vulnerabilities in their systems that would allow malicious attackers to gain access to a dangerous set of data and capabilities, including:
- Access to medical records, including patient data, social security numbers, names, addresses, etc.
- Ability to prescribe medications and alter existing prescriptions via e-Prescriptions.
- Ability to change patients’ diagnoses, such as ‘Non-HIV Positive’ to ‘HIV-Positive’, or ‘Allergic to Penicillin’ to ‘Not Allergic to Penicillin’, or ‘Amputate Right Arm’ to ‘Amputate Left Arm.’
- Access to doctors’ records, including DEA licenses, badge photos, and personal identifiable information (PII) allowing malicious entities to steal their identities and impersonate them.
- Access to all hospital records, including financials, payroll records, and employees’ social security numbers and confidential information.
- Ability to access banking and financial accounts, transfer money out, and re-route inbound funds.
- Access to IT administrator accounts, allowing full control of networks and all resources.
- Access to all user accounts, including emails, network access, and all assigned capabilities.
- Full control over networks, devices, phone systems, and security systems
Having access to all of these items at once is obviously troubling and it could be severely damaging in the wrong hands. Damages could include financial losses, government-imposed HIPAA fines, embarrassment, and job loss. It could even cause death due to the ability to alter diagnoses, medications, and surgical procedures. All of this access and information was gained remotely, without our attack team ever setting foot in the facilities. Thankfully, we are trusted professionals and we were able to provide remediation steps to our clients to close the security gaps and limit the likelihood that these attacks would occur in the real world. Unfortunately, we are concerned that far too many organizations are not taking the proper steps to prevent similar attacks. In 2014 alone, over 30 million patient records were breached in the U.S. as incidents splashed through the headlines. These incidents led to massive fines for the providers who were breached and unquantifiable damages to affected individuals. The issue looks to only be getting worse as attackers recognize the pervasiveness of vulnerabilities and caches of valuable data in this industry.
The Source of the Problem
The perfect storm that has led to such an ominous situation is caused of several factors. Firstly, Healthcare Organizations have recently been pushed into mandatory use of electronic medical records, requiring extensive expenditures and speedy adoption of technology platforms to house these sensitive records. Deadlines and pressure are sure-fire ingredients for creating lapses in security. At the same time, hacking and data breaches have been occurring in record numbers as criminals take advantage of the anonymity of the internet and the prevalence of easy targets. On top of these two factors, the target of choice for digital thieves is no longer credit cards, but rather medical records, which now fetch up to ten times what a credit card account does on the black markets of the dark web. All combined, these factors add up to a dangerous situation for the Healthcare Industry, who now faces increasing attacks on weakened systems, all while the government is strengthening already strict accountability laws in the face of consumer outrage from repeated data breaches. It is not a nice picture, and it is one that demands our attention.
What can be done?
There are a few basic steps that Healthcare Organizations should be taking to help mitigate this risk:
- Have an Information Security Committee that meets regularly and includes key personnel and staff from relevant departments.
- Have a written Information Security Program, with documented policies and procedures, as well as risk analyses and contingency plans.
- Have a Penetration Test performed annually by an independent security firm and ensure the remediation steps that come from the test are actuated.
- Train staff on Cyber-Security Awareness.
- Use strong and unique passwords and enable two-factor authentication whenever possible.
- Encrypt data when transmitted and when stored, especially data that resides on mobile devices such as laptops.
- Allocate the proper funds for cyber-security.
What is a Penetration Test?
A Penetration Test is a security exercise where a team of highly-trained security experts attempt to hack into the client’s network in order to find security weaknesses. The intent is to discover ways that a real-world attacker might be able to compromise the system. The highly-trained security team is careful not to cause any actual harm and a report is provided detailing all of the vulnerabilities and weaknesses found and recommending what needs to be done to fix them.
In-house I.T. staff are usually pressured to make things functional and easy-to-use, which diametrically oppose security. Also, it is difficult for an organization’s own IT staff to objectively look at their own systems from an outsider’s perspective. Just like a CFO needs a CPA firm to review their financials, senior IT leadership benefits from having a team of certified security experts independently test their system to give them valuable insight.
HIPAA, HITECH and Future Legislation
The Healthcare Industry has several laws and regulations regarding the privacy and security of the data they hold, as well as mandates on when and how they are allowed to share it and what must be done in cases where these policies are violated. These laws are only getting stronger as the government looks to clamp down on the ballooning problem of medical record data breaches. The most notable of these laws is the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA. HIPAA is a far reaching bill that covers many topics, but it includes regulations regarding the privacy and security of medical records. It has numerous administrative safeguards, such as requiring that covered entities protect technical systems from intrusion and have documented risk analyses conducted for their systems. HIPAA fines are steep, often soaring into the millions. To further strengthen HIPAA, the HITECH Act was subsequently enacted. It mandates breach notifications and extends the privacy and security provisions of HIPAA to business associates of covered entities who also come into contact with their medical records. With more breaches occurring constantly, there is continued talk in Washington to further strengthen cyber-security legislation. Also, in addition to expanding Federal Laws, many states are passing their own laws to create even further requirements. For example, New Jersey recently signed into law a bill that will go into effect in the second half of 2015 requiring health insurance and care providers to encrypt patient information and healthcare data.
Why are medical records worth so much on the dark web?
As stated, stolen medical records are currently being sold for ten times the amount that stolen credit cards are sold for on the black market. The reason for this is simple. Credit card companies have invested heavily to protect themselves, and a stolen credit card number very quickly becomes useless when fraud is detected and they close the account. Medical records cannot be “closed” and shut off. Once in possession of these records, which contain all of a person’s important details, a malicious entity can perpetrate a large number of identity theft attacks, such as opening a new credit card, filing for tax returns, or applying for loans. This new demand places the healthcare industry directly in the crosshairs of malicious hackers and criminal organizations.