It’s worth remembering that 2016 was dubbed the “year of data security” after 90 percent of healthcare providers suffered data breaches in the previous two years. In particular, the Anthem breach of late 2014/early 2015 got everyone’s attention for the sheer magnitude (around 80 million records) of the hack.
Looking back, we can say 2016 lived up to its name as the number of records accessed was significantly lower than the year prior. But IT security is a game of whack-a-mole, so if fewer patient records were lost, malevolent forces simply found other ways to make the lives of healthcare CIOs very difficult.
Ransomware, for example, became the dominant security issue of 2016 and made everyone aware that hackers can always just hold your files hostage if they can’t steal them.
So, does 2017 look like more of the same or will hackers conjure up something new? Sitting here in January, the expectation is that the same security issues will endure, but they will also be accompanied by more challenging and complex concerns.
The Internet of Things (IoT): The difficulty of IoT security is represented by the numbers: There are tens of thousands, if not hundreds of thousands, of IoT devices connected to healthcare networks and the security on all of them is not iron clad.
“Internet-of-Things devices lack some of the most basic cybersecurity protocols,” writes Jessica Davis in Healthcare IT News. “As a result, these devices can be weaponized en masse – and in as little as three minutes.”
The hacking potential of IoT devices was made clear last October when domain name services provider DYN was breached via webcams and digital recorders, knocking Twitter, PayPal, Spotify and other internet behemoths offline for hours.
In a recent survey of healthcare executives conducted by Healthcare IT News, 52 percent said security was the highest IT priority for this year, with 58 percent elevating IoT devices to the top of the list of security concerns.
Ransomware: Hackers require access, and unsecured IoT devices give them that access. Once inside, they can continue the breakout year that ransomware had in 2016. In 2017, however, there may simply be more players in the game because the internet is an ever-evolving amusement park of wonders and horrors.
“There is already a ransomware as a service [RaaS] model, which provides automatically generated ransomware executables for anyone who wants to get rich by infecting potential victims,” Ondrj Vlcek, CTO for security firm Avast, explained to ComputerWeekly.com. “The bottom line is that creating or buying your own ransomware has never been easier.”
A panel of security experts speaking with Health Data Management said they expect extortion attacks to increase and become more sophisticated. The solution? According to David Finn, health information technology officer for Symantec, hospitals and health systems must have robust backup systems so they don’t have to pay for extorted patient data.
Data-integrity Attacks: You may have heard of the Stuxnet worm the U.S. government used in 2010 to infiltrate and sabotage Iran’s nuclear program by engineering minor changes in targeted devices. That’s an example of a data-integrity attack. The not-so-good-news is that the technology has filtered down to black-hat hackers who can access hospital and health system networks through … wait for it … IoT devices.
"IoT is a massive attack surface that allows people to touch systems that for previous decades haven't been available to be interacted with," Daniel Miessler, director of client advisory services for security firm IOActive, told CNBC. "This is increasing exponentially.”
Instead of taking data or holding data hostage, hackers can manipulate data in subtle and often unnoticed ways so, for instance, payments don’t go where they’re supposed to. That’s one example of the potential data-integrity attacks offer to hackers.
Cloud Infrastructure: There is no shortage of articles touting the benefits of moving to the cloud, even if insufficient attention is paid to the attendant security risks.
As CynergisTek CEO Mac McMillan told Health Data Management, the cloud is “the proverbial double-edged sword. It’s an absolute necessity for advancement, but security continues to lag further behind, which ultimately risks the advancement.”
Extensive due diligence on your cloud services provider is essential, as is a contract that establishes responsibility, reaction and culpability in the event of a breach.
Artificial Intelligence: It would be difficult to imagine that most hospitals and health systems will have the resources to maximize the value of artificial intelligence and machine learning. Unfortunately, that won’t keep hackers from using AI and machine learning as a tool on their side of the security battle.
“From a hacker’s point of view, AI will power malware, and use data from the target to send phishing emails that replicate human mannerisms and content,” said Capgemini UK cyber security chief Andy Powell. “… these AI-powered attacks will resonate with the target better than ever before, meaning they’ll be more likely to fall victim.”
People: As always, there is no more enduring risk to your facility and organizational security than the people who work there. Thorough preparation of your staff is the best defense against the most common forms of hacking and data theft.
But, as Kasey Panetta of Gartner describes in a recent paper on 2017 security trends, it is only one component in an “adaptive security architecture.”
“The evolution of the intelligent digital mesh and digital technology platforms and application architectures means that security has to become fluid and adaptive. Security in the IoT environment is particularly challenging. Security teams need to work with application, solution and enterprise architects to consider security early in the design of applications or IoT solutions. Multilayered security and use of user and entity behavior analytics will become a requirement for virtually every enterprise.”
Does this sound like more technical sophistication and cost than your small or medium size healthcare organization can handle? That’s bound to be a common complaint. While all hospitals could potentially fall victim to the security breaches described here, not all hospitals can properly defend against them.
This common vulnerability calls for extensive sharing of knowledge and affordable strategies that guard against loss or manipulation of data. An ongoing Health and Human Services initiative and grant program endeavors to gather and disseminate the most current information on cyber threats, but it may take a few years for that effort to yield actionable information.
It may also call for smaller facilities partnering with those that are larger and more resource rich. We’re seeing relationships between large and small organizations develop in other areas of healthcare IT such as EHR implementation. Getting to the point where healthcare is not such an attractive hacker target may require the same with regard to security.
D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation.