Ransom, implant attack highlight need for healthcare security

All healthcare data breaches are not equal.

They’re all bad, and reaching epidemic levels. The security testing company Redspin, for one, found that Protected Health Information (PHI) breaches nearly doubled from 2010 to 2011. The Department of Health and Human Services has reported 525 breaches of 500 or more records, involving 21.4 million individuals over the past three years, said Redspin president and CEO Daniel Berger.

But the raw numbers are only a piece of the story. Gienna Shaw, editor of FierceHealthIT, wrote in a post this week: “It’s not the numbers that interest me most. It’s the stories behind them,” she wrote. “And there are so many stories …”

One involved the Surgeons of Lake County, a small medical practice in Libertyville, Ill. Hackers broke into the system last summer, gained access to the names, addresses, Social Security numbers, credit card numbers and some medical information on more than 7,000 patients, then encrypted all the information and demanded a ransom.

Another involved medical students creating fake identities so they could post patient information on Facebook and other social media sites. A third involved malware infecting hospital equipment.

Shaw said the Veterans Administration reported “173 incidents of security breaches of medical devices from 2009-11 that disrupted glucose monitors, canceled patient appointments and shut down sleep labs.”

She also cited a 2012 report from the Government Accounting Office that said wireless implanted medical devices such as defibrillators and insulin pumps for people with diabetes were vulnerable to hacking.

No hacker with a laptop so far has delivered a fatal shock to a pacemaker patient. But just the possibility is “some serious freak-out level information,” Shaw wrote.

Why, when other industries — particularly the financial sector — have been able to curb the frequency of damage from data breaches, have things in the healthcare industry gotten worse? Bill Ho, president of Biscom, called it partly a Willie Sutton syndrome, named for the bank robber who said he chose that profession because, “that’s where the money is.”

“There is a lot of good information you can use [in health data],” Ho said. “[And] not just for money but for things like social engineering.”

Redspin’s Berger said records often include more than Social Security and credit card numbers. They also include, “personally sensitive information such as diagnoses, treatment plans, prescription information and complete medical histories,” he said.

The advantage of electronic health records is clear, but carried risk. Adam Levin, founder of Credit.com and former director of the New Jersey Division of Consumer Affairs, wrote in a Huffington Post blog post: “To have current, accurate, and reliable data about a patient’s medical history just a click away — whether the issue is urgent or routine — will save money, time, and, of greatest import, lives.” But attacks to steal and sell personal health data or hold it for ransom are also “ultimately made possible by the digitization of medical records and the placement of those records on networks — often unprotected ones,” Levin wrote.

To make that less likely, one obvious step would be to protect the network, according to experts including Robert Hudock, a lawyer and certified “ethical hacker,” who was profiled last year in FierceEMR.

Hudock’s first recommendation is to keep electronic health records (EHR) on a segregated network, if at all possible. Among others are to run risk assessments; conduct audits; run a data loss prevention software program on the perimeter server; apply all security patches to internet applications that are connected to the HER system; make sure firewalls are installed properly, and antivirus programs are operational; clearly delineate with any IT vendors who will be responsible for security patches and; make sure any medical software runs without super-user rights.

But that does not eliminate the human element. Danny Lieberman, CTO of Software Associates, said Hudock’s recommendations are common best practices, but noted that “the main source by far of PHI breaches is trusted insiders in hospitals, not malware.”

“Most hospital EHR systems use a flat permissions scheme, which means anyone can view a patient record. Putting an EHR on a separate network segment won’t mitigate trusted insider breaches with hospitals that don’t implement SOD (separation of duties), strong passwords and hierarchical access control,” he said.

And even best technology practices are not an automatic fix, he said. “The sheer number and diversity of information systems and medical devices that attach to a modern hospital network create a huge threat surface and gigantic maintenance challenge for the IT security and IT operations staff,” he said.

Lieberman said he believes the best protection for patients’ confidential information is “a serious software security assessment of medical device products and EHR systems before they get installed.”

He added that he would not be worried about hackers attacking the average patient with an implanted device. But he said it could be used as a deadly political tool.

“I would be worried about nation-states attacking heads of state who had an implanted cardiac defibrillator,” he said.