Data stolen from a bank quickly becomes useless once the breach is discovered and passcodes are changed. But data from the healthcare industry, which includes both personal identity and medical histories, can live a lifetime.
Cyberattacks will cost hospitals more than $305 billion over the next five years and one in 13 patients will have their data compromised by a hack, according to industry consultancy Accenture.
And a study by the Brookings Institute predicts that one in four data breaches this year will hit healthcare.
The recent study by Brookings showed that since late 2009, the medical information of more than 155 million American's has been exposed without their permission through about 1,500 breaches.
Brookings' research demonstrates that the healthcare sector is uniquely vulnerable to privacy breaches. For one, government regulations forced healthcare operations to adopt electronic health records (EHRs), and other advances under the Patient Protection and Affordable Care Act (Obamacare) without being ready to adequately invest in security.
Healthcare data also contains the most valuable information available, including Social Security numbers, home addresses and patient health histories -- making them more valuable to hackers than other types of data, according to the study by Brookings' Center for Technology Innovation. Since cyber criminals can sell data for a premium on the black market, hackers have a big incentive to focus their attacks on the healthcare industry.
With the push toward more integrated care, "medical data are now being shared with many different types of entities in which many employees have access to patient records," the study said. "Extended access to medical records increases the potential for privacy breaches."
To comply with legal requirements, healthcare organizations often store detailed medical information for many years. The probability and consequences of a breach increase according to storage volume and duration.
A focus on regulatory compliance, not security
With the industry so focused on regulatory compliance as it moves to digital record-keeping, cyber security has largely been a secondary thought, according to Lisa Gallagher, vice president of technical solutions at the Healthcare Information and Management Systems Society (HIMSS) in Chicago.
"Enterprises with legacy systems are trying to connect to and integrate EHRs. Security is not always considered as a part of that, and patching systems is always fraught with peril. You're always a little behind with that," Gallagher said. "It's a formula for being behind."
Gallagher sees a healthcare industry facing ever more sophisticated and persistent threats from one-off hackers and nation-state attackers who stow patient data for future use.
"I don't think we were prepared," said Gallagher, who was formerly senior director of cyber security at HIMSS.
One of the more common attacks against healthcare providers involves ransomware, where patient records or hospital networks are hacked and subsequently locked down until a ransom is paid, typically in untraceable electronic currency, such as Bitcoin.
This week, for example, a hacker claimed to have stolen databases from three U.S. healthcare organizations and one insurer and is holding 10 million patient records for ransom by demanding as much as $500,000 in Bitcoin.
In February, an L.A. hospital paid nearly $17,000 in Bitcoin to hackers who disabled its computer networks.
Hackers don't focus solely on hospitals and insurers; they also go after affiliated vendors who service the industry.
Today, for example, Massachusetts General Hospital (MGH) announced almost 4,300 patients had their healthcare records exposed when "a trusted third-party vendor" that provides software to manage dental practice information for providers had its databases hacked.
CenturyLink, a worldwide communications company headquartered in Monroe, La., is currently tracking 150 variants of ransomware, the most common being large-scale email campaigns. Some reports indicate that they are more than 300 million malware strains.
"I really think in terms of ransomware, the stories of about hospitals paying the ransom are spreading among attackers, letting them know that they're a successful place to attack," said Cory Kennedy, lead information security engineer at CenturyLink.
Defending against ransomware can be relatively simple: healthcare providers, insurers or affiliated vendors need only keep current backups off line, Kennedy said. When an attack does occur, the backups can be used to restore the data.
Healthcare organizations have also been slow to educate employees about the dangers of cyberattacks or manage who in an organization has access to critical systems that store sensitive data.
However, while healthcare entities can become more proactive, cyberattacks will only grow more sophisticated. For example, hackers recently deployed a phishing attack against Amazon Prime users that was disguised as shipping confirmation emails.
Another new development came when hackers were able to disguise ransomware links so that when a victim hovered a mouse pointer over the link, it looked legitimate, Kennedy said.
"I think attackers will continue to do what they do, looking for holes," Kennedy said.
Not a matter of if, but when
The Institute for Critical Infrastructure Technology has determined that ransomware will wreak havoc this year. Cybersecurity experts agree that it's not a matter of if or when your data will be hacked, but whether you'll know your data was hacked.
Instead of focusing only on hardening parameter defenses such as firewalls and using rules to block outside PDFs or other documents, Kennedy and other experts believe detection and data encryption are the best cyber security techniques.
"Assume data will be taken, but make it useless," said Kevah Safavi, senior managing director for Accenture's global healthcare business.
The greatest threat to the healthcare industry today, Safavi said, is not from one-off hackers seeking a quick payday, but from foreign governments who can store intimate personal health data for future use against individuals.
For example, hackers last year stole the records of about 80 million customers of Anthem Inc., the second largest U.S. health insurer.
"The presumption was that they were state actors," Safavi said. "The purpose of the state actor was to harvest the database in order to create a dossier of individuals that they could use for social engineering for future attacks."
Foreign governments could use healthcare information to target government employees with emails containing notices related to a medical condition they may have. When the email is opened, malware infects that employee's desktop computer.
"There's nothing in a bank's data that will give [hackers] the answer to that question, but it is in your health records and [insurance] claims data," Safavi said. "They're trying to build a big database of Americans for some future purpose."
Is the cloud safer?
Healthcare organizations, Safavi said, can better protect data by first recognizing that they're not in the cybersecurity business. For example, a cloud storage provider is better qualified to do that, he said.
"There's a discussion going on right now about whether or not the public cloud is more or less secure than private. The traditional thinking was...'If I have control over data in my own private data center that'd be more secure.' The thinking is beginning to pivot," Safavi said.
"The argument is no individual company will ever have the level of security and keep up with the arms race the way Amazon or Microsoft can, for example," he added.
Never was that shift in thinking more evident than when two years ago, the Central Intelligence Agency signed a $600 million contract for Amazon Web Services to develop cloud service for the 17 agencies that make up the intelligence community.
"There's an evolving thinking among CIOs that one of the benefits of going to a public cloud is you avail yourself to state-of-the-art security that you could probably never replicate with your own IT organization," Safavi said.
Safavi said the healthcare industry is also looking at fighting fire with fire, so to speak, and using Blockchain technology -- just as Bitcoin does -- as a distributed, peer-to-peer database in which to store sensitive information.
"The nature of Blockchain...requires both a public and private encryption key that's virtually impossible for someone to get a nugget of data," Safavi said. "That's the reason why it's used for cryptocurrency."
With more than 175.5 million records lost in healthcare breaches and new threats emerging every day, the industry should act quickly to safeguard data that cannot be re-secured once it's stolen, Gallagher said.
Sharing is caring
One problem is that organizations may have no idea that data has even been compromised. That points to the need for intrusion detection systems (IDS) and security information and event management (SIEM) software, which can monitor networks for malicious activities and provide administrators with alerts.
Additionally, the healthcare industry needs access to better resources on threat data from local and federal law enforcement, Gallagher said.
"If I was asked by a healthcare CIO where to go for cyber threat data, I've got to give them a list of at least five or six sources, maybe more -- whether it's the FBI or homeland security...or some private companies; there are lots of different sources for the data," Gallagher said. "And sometimes it's in different formats."
There have been several efforts by Congress to push through a cyber information sharing act. The latest was the Cybersecurity Information Sharing Act (CISA), which was finally incorporated into an Omnibus spending bill and signed into law last December. CISA paves the way for sharing data on cyber threats among seven government entities and local police.
Rod Piechowski, senior director of Health Information Systems at HIMSS, said the problem of data security, however, goes beyond what the government or sophisticated software can do and said healthcare organizations must focus on educating medical and administrative staff.
All it takes is one person opening up an email attachment for hackers to gain access to hospital systems. Educating employees on how to detect and report suspicious emails is crucial, according to Piechowski.
"I would reiterate that security is everybody's business. It's not just up to the IT department,"Piechowski said. "If you work with electronic devices it's your responsibility too."