Guest Column | November 9, 2016

Patient Data Breaches And Healthcare Cyber Risks

Ellen Fischl-Bodner

By Ellen Fischl-Bodner, Healthcare IT security subject matter expert, Tufin

Healthcare organizations hold a treasure trove of personally identifiable information (PII), making them lucrative targets for cybercriminals. Databases of stolen medical records have been sold on the black market for as much as $200,000. As data breaches become a regular occurrence throughout the industry, it’s important for IT teams to understand the methods cyber attackers use to infiltrate healthcare networks, and how best to protect against them. Two of the more common approaches involve third-party breaches and ransomware.

Two recently disclosed patient data breaches have been traced back to the same vendor, highlighting the risk of allowing a third party to handle sensitive patient data. The data breaches occurred at Bon Secours, a not-for-profit Catholic healthcare system based in South Carolina, and at Washington-based CHI Franciscan Health Highline Medical Center (Highline).

Healthcare has made great strides to reinforce best cybersecurity practices and encourage stronger network protection. However, that protection doesn’t always extend to third-party vendors that have access to the same information. As healthcare organizations get serious about securing their networks, cybercriminals will seek out other ways to gain access, creating potentially unforeseen threats to their data.

This problem of third-party vendors mishandling patient data is not unique to these recent breaches. Research from the Ponemon Institute and security firm ID Experts revealed third-party vendors pose an increasing risk to healthcare organizations, with 41 percent of healthcare organizations blaming third parties, such as business associates, for causing their data breaches. These data breaches have gained more than just media headlines: federal regulators have taken notice of the increase in patient data breaches as well, and they are levying fines against healthcare organizations and business associates for poor IT security.

Significant Fines Levied
In August, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) levied its largest fine ever against a single healthcare entity — $5.55 million against Advocate Health Care Network for three patient data breaches that affected around four million individuals. It has also levied substantial fines against business associates, including a $650,000 fine against data management and IT services provider Catholic Health Care Services.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires healthcare providers to negotiate business associate agreements for their vendors. According to the rule, healthcare providers must “obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties” under HIPAA.

But even with business associate agreements in place, patient data can be exposed by these third parties, whether intentionally or, more often, inadvertently. When evaluating third-party vendors, the strength of their security posture should be a top concern for every member of the executive team, not only the CISO. Cybersecurity is a joint effort; it’s imperative that third-party vendors are as committed to network security as the healthcare organization itself. For guidance, the U.S. Department of Health & Human Services recently published updated guidance on HIPAA and cloud computing.

Ransomware: To Pay Or Not To Pay
Ransomware has also become an increasingly popular tactic for cybercriminals looking to make a quick buck, and no industry has been more deeply impacted than healthcare. Back in February, Hollywood Presbyterian Medical Center paid a $17,000 ransom to hackers to regain access to its own data. A couple of months later, a similar attack hit MedStar Health, where hackers demanded payment in Bitcoin. MedStar didn’t pay the ransom and eventually regained access to its data; however, it’s clear that these types of attacks will continue.

For a healthcare organization, network downtime is unacceptable given that lives are potentially at risk. That means it’s far more likely a healthcare organization will pay the ransom. But this is a highly risky strategy, since there’s no guarantee paying the ransom will restore access.

To reduce the risk of ransomware, healthcare networks should be segmented and then layered with security policy and threat detection. Segmentation keeps an infection on one workstation from spreading laterally to the systems clinicians depend on. Should a machine be compromised, whether by ransomware or some other failure, the IT team can remove it from the network and replace it in minutes, rebuilding it from a known-good image and restoring its data from backups the compromised host could not reach. Service restoration is the primary goal; network triage can be done later.

Three-step Process To Security
Healthy IT security is a three-step process entailing proper network segmentation, security policy compliance, and proactive risk assessment. Although there is no magic prescription to fully prevent breaches, security policy orchestration and automation can eliminate some of the more manual aspects and proactively assess potential risks, such as network misconfigurations that could expose sensitive data or increase the attack surface.

Understanding the nature and severity of threats is a start, but being able to proactively identify the outcomes of making a change to the network is a necessity to prevent breaches.
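One way to make the segmentation and change-assessment points above concrete, as an added example written for this column rather than code from Tufin or its products: a small Python model of a default-deny firewall (a list of allow rules), a segmentation policy for hypothetical hospital zones, and a check that reports the policy violations a proposed rule change would introduce before it is pushed to the device. Zone names, address ranges, ports, the current rule base and the two change requests are all constructed for illustration.

```python
"""Pre-change segmentation check for a hospital network.

Added example (not code from the column or from Tufin): a default-deny
firewall is modelled as a list of allow rules; a segmentation policy states
which zone-to-zone flows may exist; a proposed rule is assessed for the
violations it would introduce before it reaches the device.
All zones, addresses, ports and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from ipaddress import ip_network
from typing import Optional

# Hypothetical zones and addressing.
ZONES = {
    "guest_wifi": ip_network("10.10.0.0/16"),
    "clinical_workstations": ip_network("10.20.0.0/16"),
    "medical_devices": ip_network("10.30.0.0/16"),
    "ehr_servers": ip_network("10.40.0.0/24"),
    "vendor_vpn": ip_network("172.16.50.0/24"),
}

# Segmentation policy: permitted (src_zone, dst_zone) -> allowed destination ports.
# Any inter-zone flow not listed is forbidden; intra-zone traffic is not policed here.
POLICY = {
    ("clinical_workstations", "ehr_servers"): {443},
    ("medical_devices", "ehr_servers"): {2575},   # HL7 over MLLP
    ("vendor_vpn", "ehr_servers"): {22},           # vendor support, SSH only
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # CIDR
    dst: str                # CIDR
    port: Optional[int]     # None = any destination port


def zones_for(cidr):
    """Every zone a CIDR touches; a broad 'any internal' range hits several."""
    net = ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    return hit or {"unknown"}


def violations(rule):
    """(rule name, src zone, dst zone, reason) for each flow the rule opens outside policy."""
    found = []
    for sz, dz in product(sorted(zones_for(rule.src)), sorted(zones_for(rule.dst))):
        if sz == dz:
            continue
        allowed = POLICY.get((sz, dz))
        if allowed is None:
            found.append((rule.name, sz, dz, "flow not permitted by segmentation policy"))
        elif rule.port is None:
            found.append((rule.name, sz, dz, f"any-port rule; policy allows only {sorted(allowed)}"))
        elif rule.port not in allowed:
            found.append((rule.name, sz, dz, f"port {rule.port} not in {sorted(allowed)}"))
    return found


def assess(rules):
    """All violations in a rule base (compliance check)."""
    return [v for r in rules for v in violations(r)]


def assess_change(current, proposed):
    """Violations the proposed rule would add beyond those already present (risk assessment)."""
    before = set(assess(current))
    return [v for v in assess(current + [proposed]) if v not in before]


# Constructed current rule base: compliant with POLICY.
CURRENT_RULES = [
    Rule("ws-to-ehr-https", "10.20.0.0/16", "10.40.0.0/24", 443),
    Rule("devices-to-ehr-hl7", "10.30.0.0/16", "10.40.0.0/24", 2575),
    Rule("vendor-to-ehr-ssh", "172.16.50.0/24", "10.40.0.0/24", 22),
]

# Two constructed change requests of the kind that widen the attack surface.
VENDOR_ANY_PORT = Rule("vendor-temp-any", "172.16.50.0/24", "10.40.0.0/24", None)
INTERNAL_SMB = Rule("internal-smb", "10.0.0.0/8", "10.40.0.0/24", 445)

if __name__ == "__main__":
    assert assess(CURRENT_RULES) == []
    for change in (VENDOR_ANY_PORT, INTERNAL_SMB):
        for v in assess_change(CURRENT_RULES, change):
            print("BLOCK %s: %s -> %s: %s" % v)
```

Run as a script, it lists the flows each change request would open outside policy: the vendor's "temporary" any-port request over-broadens a flow the policy allows only on SSH, and an "any internal" SMB rule would give the guest Wi-Fi and medical-device segments a path to the EHR servers on a port commonly used for lateral movement. Real devices have ordered rules, deny entries and NAT, so a production check walks the actual rule base, but the decision logic is the same: evaluate the change against the segmentation policy, not just against the syntax of the rule.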

About The Author
Ellen Fischl-Bodner focuses on cybersecurity at Tufin, where she is the healthcare IT subject matter expert on network security policy orchestration, compliance, and solutions for industries such as healthcare and energy. She also blogs and presents webinars on hot topics in cybersecurity. Ellen is enthusiastic about innovation and has enjoyed key roles and publications that brought medical breakthroughs to mainstream adoption. Feel free to connect with Ellen on LinkedIn.