Hospitals and medical centers face a panoply of threats and challenges around data security, yet the healthcare field has been slower to respond than other sectors, according to chief information security officers (CISOs) and others close to such institutions.
“On the black market, if you will, healthcare information is worth multiples of financial information because in order to do healthcare, I need to know a lot more than just your financial situation and data,” says George McCulloch, executive vice president of professional development and membership for the College of Healthcare Information Management Executives (CHIME), which has created an offshoot called the Association of Executives in Healthcare Information Security to focus on such issues. “There’s a lot more opportunity for fraud. The clinical information gives me background on you. I know billing, I know clinical data. It’s a target-rich environment.”
And broadly speaking, the healthcare field has not invested the resources it should have until this point, although it’s catching up to where it needs to be, McCulloch says. “It’s a cultural challenge due to the collaborative clinical environment,” he says. “That’s a challenge we don’t see in other industries.”
Leading-edge hospitals began playing catch-up earlier in the decade and started investing, but it’s still a challenge for institutions that in some cases have been around for a century or a century and a half, says James Carder, CISO and vice president at cybersecurity company LogRhythm.
“A lot of organizations are just getting the basics built in response to threats,” says Carder, former director of security informatics at the Mayo Clinic. “To understand what data you have, where it is, how it’s accessed and how it moves in your environment, it’s tough. Nurses and physicians have certain processes leveraging IT … and you have to take data, mark it as sensitive and say, ‘We’re going to protect it this way,’ all without disrupting the business of healthcare.”
Data from healthcare institutions is “more valuable in certain circles” than credit card numbers and can include information about employees, patients, healthcare processes and research innovations, says Keith Jennings, chief information officer at Massachusetts General Hospital. “In addition to being a world-renowned medical facility, we are a world-renowned research facility,” he says. “People invent stuff here all the time. People do try and poke in and see if they can steal what Mass General is cooking.”
Patient information can be used to commit identity theft, says John Houston, chief privacy officer at the University of Pittsburgh Medical Center (UPMC). “Somebody in front of a computer in a very short period of time could have stolen thousands of identities,” he says. “I have to worry about the fact that any member of my workforce who has access to the clinical system, if the wrong person gets access to those credentials, they could get into an enormous amount of data.”
Darren Lacey, CISO at Johns Hopkins Medicine, does not believe bad actors start out targeting healthcare institutions per se, and he believes medicine faces many of the same vulnerabilities as defense, intelligence, banking and other sectors. “My take on it, having seen a bunch of attacks, is that these are targets of opportunity,” he says. “We do have a few things that are different – we have a lot more data, more private data – than a lot of organizations.”
But healthcare institutions are probably a decade behind banking when it comes to cybersecurity, says Michael Meline, president and founder of the cross-sector Community Security Coalition in Spokane, Wash., and director of data security at a major medical center that he preferred not to identify.
“Most hospitals do not have a cybersecurity expert in their employ,” he says. “One of the biggest things hospitals need to be doing is to have somebody in a strategic position with the knowledge of how to build cybersecurity programs. … Hospitals need to develop better risk management programs and understand the threats coming at them.”
Medical centers must protect a wide array of computers and other devices, including Internet-enabled medical monitors, McCulloch says. “I’m only as secure as my weakest link,” he says. “If someone is sending glucose counts to me, what happens there? They’re under threat every day. The bad guys are faster and smarter, in some cases, than they are, and they’re just fighting an everyday battle to keep up and make it as level a playing field as they can.”
Potential bad actors include everyone from financial crime groups who want credit card or banking data from either patients or donors, to those looking to use medical records for identity theft, to those interested in pilfering research data, Carder says.
“Then you also have nation-state threat actors as well,” he says. “You get all the threat actors including terrorists and groups of that nature. I don’t think one outranks the other.”
Money and People
To combat these threats, broadly speaking, medical centers need adequate budget and personnel, which can be challenging in the midst of myriad competing priorities on both fronts.
Most IT security departments at healthcare institutions and in other sectors do not understand security well, and some organizations do not have sufficient executive-level support, Meline says. “If I can educate [executives] on security policies and procedures, I have a much better chance of success,” he says. “And we have to realistically show executive management what the risks are, so they understand. … If you can’t get executive management involved, you don’t have a risk management or cybersecurity program.”
CISOs need a combination of technical, communication and leadership skills, McCulloch says. “Recruiting is tough,” he says. “We’re finding a lot of folks going back to banking, or the military, who have been down the road longer than healthcare. And there’s not only finding the people but affording to pay for the skill sets – relying in some cases on consultants, outsourcing some of those functions, particularly when we get to smaller organizations.”
And people are not the only line item for which medical centers need to budget, McCulloch adds. “From an operational standpoint, CISOs are worried about, ‘Where is the business going to find the money to ramp up and build an effective program? How do I assess my risks? How do I get the tools and, more importantly, the people?’ ”
The board and leadership at Mass General recognize the importance of data security and have been making the necessary investments – while “holding our feet to the fire,” Jennings says. “One, it’s the right thing to do. Two, it’s the law, with HIPAA and other regulations. … We have to be the right place to come for all the reasons – we provide safe healthcare, and we protect your information.
“Most of these things take time and money. And while they’re important, they tend not to improve your healthcare,” he adds. “We are under cost pressure and layering on security components is expensive.” With 70,000 employees and thousands of offices, “putting in the network to do that, that’s not an afterthought. That’s a $20 million project. That starts to compete with, ‘Should I buy a new MRI machine?’ ”
Related to that, Jennings says that healthcare organizations need to realize that security is not a one-and-done proposition – it will still be competing with other budgetary priorities next year, too. “Anything you build, it’s more like a virus, they [bad actors] will adapt. And all the residents you brought in this year brought a new version of the Android phone – that’s another new vector you have to look at. It’s becoming a chronic condition, and an expensive chronic condition. You can never stop paying attention to it. It takes a lot of time and resources. And the other side is very crafty.”
The budgetary challenges are especially acute at smaller hospitals, many of which are struggling to stay open in the first place, Houston says. “If you need a new MRI, or a roof on your building, that’s going to compete with the dollars needed for security,” he says. “They don’t have the wherewithal to secure their environment the way they need to. A lot of them are more prone to being hacked – and hackers are opportunistic.”
Vendor tools to combat hackers continue to improve, McCulloch says. “The vendors are doing their best to keep up with the threats,” he says. “The federal government is trying to figure out its role, what it knows and what it can share. … It’s about working through the coordination of all those resources, trying to figure out which ones to watch, and who can help me.”
Mass General is investigating a unified access management suite to tie together its 11 hospitals and 70,000 employees “with a bazillion job codes,” Jennings says. “We should know what a cardiac nurse should have access to, we should know that upfront. It’s the same thing with a primary care physician. When we assign job codes, that should start feeding their access systems. Should someone leave, or change job codes, that should start waterfalling through the system. We shouldn’t have to rely on humans to [manually] do that.”
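The job-code-driven provisioning Jennings describes (hire, transfer and departure each recomputing access rather than a human remembering to change it) can be sketched as a small reconciliation engine. This is an added example, not Mass General's system; the role catalogue, system names, permissions and user IDs are hypothetical.

```python
"""Job-code-driven access provisioning (joiner / mover / leaver).

Added example, not Mass General's access-management suite. The role
catalogue below is hypothetical: each job code maps to the entitlements
(system, permission) that a holder of that code is allowed to have.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Entitlement = Tuple[str, str]  # (system, permission)

# Hypothetical role catalogue: job code -> entitlements it entails.
ROLE_CATALOG: Dict[str, FrozenSet[Entitlement]] = {
    "RN-CARDIAC": frozenset({
        ("ehr", "read_assigned_patients"),
        ("ehr", "write_nursing_notes"),
        ("telemetry", "view_unit_monitors"),
    }),
    "MD-PRIMARY-CARE": frozenset({
        ("ehr", "read_assigned_patients"),
        ("ehr", "write_progress_notes"),
        ("ehr", "order_entry"),
    }),
    "RESEARCH-ANALYST": frozenset({
        ("research_warehouse", "query_deidentified"),
    }),
}


@dataclass
class Worker:
    user_id: str
    job_codes: Set[str] = field(default_factory=set)
    entitlements: Set[Entitlement] = field(default_factory=set)  # currently held


def entitlements_for(job_codes: Iterable[str]) -> Set[Entitlement]:
    """Union of everything the given job codes entail; unknown codes are an error
    rather than silently granting nothing (an unmapped code is a data problem)."""
    codes = set(job_codes)
    unknown = codes - ROLE_CATALOG.keys()
    if unknown:
        raise ValueError(f"job codes with no role mapping: {sorted(unknown)}")
    target: Set[Entitlement] = set()
    for code in codes:
        target |= ROLE_CATALOG[code]
    return target


def plan_change(worker: Worker, new_job_codes: Iterable[str]) -> Tuple[Set[Entitlement], Set[Entitlement]]:
    """Compute (grant, revoke) so the worker ends up with exactly what the new
    job codes entail. Revocation is the set difference, so a transfer drops
    what the old role carried instead of accumulating access over a career."""
    target = entitlements_for(new_job_codes)
    return target - worker.entitlements, worker.entitlements - target


def apply_change(worker: Worker, new_job_codes: Iterable[str]) -> Tuple[Set[Entitlement], Set[Entitlement]]:
    """Apply a hire or transfer event and return what was granted and revoked."""
    grant, revoke = plan_change(worker, new_job_codes)
    worker.entitlements |= grant
    worker.entitlements -= revoke
    worker.job_codes = set(new_job_codes)
    return grant, revoke


def terminate(worker: Worker) -> Tuple[Set[Entitlement], Set[Entitlement]]:
    """A leaver has no job codes, so reconciliation revokes everything."""
    return apply_change(worker, set())


def audit_drift(workers: Iterable[Worker]) -> Dict[str, Set[Entitlement]]:
    """Entitlements a worker holds that no current job code explains: manual
    grants or revocations that never waterfalled through."""
    drift: Dict[str, Set[Entitlement]] = {}
    for w in workers:
        extra = w.entitlements - entitlements_for(w.job_codes)
        if extra:
            drift[w.user_id] = extra
    return drift


if __name__ == "__main__":
    nurse = Worker("u1")
    print("hire:", apply_change(nurse, {"RN-CARDIAC"}))
    print("transfer:", apply_change(nurse, {"MD-PRIMARY-CARE"}))
    nurse.entitlements.add(("research_warehouse", "query_deidentified"))  # manual grant
    print("drift:", audit_drift([nurse]))
    print("leaver:", terminate(nurse))
```

The point of computing both sets from a single target is that "mover" events get the same treatment as "leaver" events: access that the new role does not justify is removed, which is where manual processes most often fail. The `audit_drift` pass is the periodic check that catches anything granted outside the pipeline.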
Houston figures that UPMC’s technology stack is typical of a $12 billion company in any industry. “We do all the same things that our peers do,” he says. “We certainly spend a lot of time and add a lot of focus on security. We’re constantly looking at tools and technologies to secure our environment.”
Medical centers need a solid risk management tool that can lay out for the executive team and line employees what are the organization’s major concerns, what it needs to concentrate on and where it needs to spend money, Meline says. “Organizations sometimes buy things that everybody is buying, but they don’t need,” he says. “They should have diverted money over here; they could have reduced their risks by 70 percent.”
Hospital CISOs and their staff need leading-edge tools to monitor their data and be able to detect and remediate intrusions.
Mass General has built out its network operations and security operations center to address these concerns, Jennings says. “Is there funny traffic that comes out of a segment that’s usually sleepy?” he says. “Has a bad actor grabbed a computer somewhere? … Does a user start grabbing more patients than usual? Has an employee turned [rogue], or is someone impersonating them?”
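The "more patients than usual" question Jennings raises is a volume-anomaly check over the EHR access log. The following is an added example, not Mass General's SOC tooling: the log format, user names and thresholds are assumptions, and the sample lines are constructed.

```python
"""Per-user EHR access-volume anomaly detection.

Added example, not Mass General's SOC tooling. The audit-log format below
(timestamp, user, action, patient) and all users and thresholds are
hypothetical; the sample log is constructed inline.
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Hypothetical audit-log line: ISO timestamp, user, action, patient identifier.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}\s+user=(?P<user>\S+)"
    r"\s+action=(?P<action>\S+)\s+patient=(?P<patient>\S+)$"
)


def build_sample_log() -> List[str]:
    """Constructed data: a nurse with a steady workload who suddenly pulls 60
    charts on day six, and a physician whose daily volume never changes."""
    lines = ["# malformed line that the parser must skip"]
    nurse_volume = [9, 11, 8, 10, 12, 60]
    for day, n in enumerate(nurse_volume, start=1):
        for i in range(n):
            lines.append(f"2016-03-{day:02d}T{8 + i % 10:02d}:15:00 user=rn_amy "
                         f"action=view_chart patient=P{day:02d}{i:03d}")
        for i in range(20):
            lines.append(f"2016-03-{day:02d}T{8 + i % 10:02d}:40:00 user=dr_lee "
                         f"action=view_chart patient=Q{day:02d}{i:03d}")
    return lines


def parse(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Parse log lines into (day, user, action, patient); malformed lines are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["day"], m["user"], m["action"], m["patient"]))
    return events


def daily_distinct_patients(events: Iterable[Tuple[str, str, str, str]]) -> Dict[str, Dict[str, int]]:
    """user -> day -> number of distinct patients touched. Distinct patients,
    not raw events, so one busy chart does not look like a sweep."""
    seen: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for day, user, _action, patient in events:
        seen[user][day].add(patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_volume_anomalies(counts: Dict[str, Dict[str, int]], min_baseline_days: int = 3,
                          ratio: float = 3.0, min_excess: int = 10) -> List[dict]:
    """Compare each day against the user's own earlier days. The baseline uses
    median and MAD so one unusual day in the history does not hide the next
    spike; the ratio and absolute floor stop low-volume users (2 vs 1
    patients) from generating noise."""
    alerts = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        for i in range(min_baseline_days, len(days)):
            baseline = [per_day[d] for d in days[:i]]
            med = statistics.median(baseline)
            mad = statistics.median([abs(x - med) for x in baseline])
            threshold = max(med + 3 * max(mad, 1.0), ratio * med, med + min_excess)
            if per_day[days[i]] > threshold:
                alerts.append({"user": user, "day": days[i],
                               "patients": per_day[days[i]],
                               "baseline_median": med, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for alert in flag_volume_anomalies(daily_distinct_patients(parse(build_sample_log()))):
        print(alert)
```

On the constructed log the only alert is `rn_amy` on day six (60 patients against a median of 10 and a threshold of 30); `dr_lee`'s flat 20 per day never trips. A real deployment would add a peer comparison (same role, same unit) and a check for access from unexpected workstations or hours, which is how the "is someone impersonating them?" question in the quote gets answered.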
Mass General works to monitor not only where data is stored but where and how it’s used, Jennings says, noting that taking data out of a secure server and putting into an Excel spreadsheet, for example, is not that different from taking valuables out of a bank vault and putting them onto a table.
Another front that medical centers need to monitor is the proliferation of mobile devices and their user-friendly – but not necessarily secure – apps, Jennings says. “Depending on how they’re architected, you have to look at phones as if they’re mobile servers now,” he says.
Hospitals moving data and other information into the online “cloud” have multiple new fronts to monitor, Houston says, especially given that they don’t necessarily use the same vendor for each type of information they store in cyberspace.
“It’s not, ‘I’m going to go to Google and make sure they’re secure, and that’s going to be my only cloud.’ You need to worry about each vendor’s infrastructure,” he says. “It’s a challenge because of the number of vendors, and the fact that some are more savvy and more prepared to have a secure environment than others. They aren’t all the same. There are huge disparities between the really good ones and really bad ones.”
Whenever medical centers are dealing with vendors, they need to write into their contracts guarantees on what security they can expect, Carder says. “Healthcare organizations won’t buy from certain providers, or will force them to comply with certain security requirements before they write the check and make the sale,” he says. “Nothing will jump-start security getting put into a medical device like a multimillion dollar contract on the table, and the [healthcare] company insists.”
Culture of Caution
One necessary element of data security that’s not necessarily that expensive to build is a culture of caution in which employees know to be watchful for “phishing” scams that can compromise one’s financial data, medical records and more. Some CISOs test their employees to see how well they do with internal phishing, McCulloch says.
“Some organizations have gone so far as to tell managers how employees are doing,” he says. “The employee part is a critical piece. So there’s some internal communication needed. A lot of them are working inside their organizations on this.”
Jennings says Mass General is very mindful of such potential vulnerabilities. “You always have to remember that as good as your technology is, a key component is your people,” he says. “Social engineering is as much of a threat as your technical safeguards. You have to work on both of those components. You have to make sure the door is locked, but if somebody walks up and knocks and your folks let them in, all your work is for naught.”
When Jennings and his staff send out their own phishing e-mails, if employees click, a page pops up that says, “You should have noticed that there was a misspelling,” or, “We as IS staff would never ask for your username and password.” Sometimes staff ask them, “Why are you harassing me?” Jennings’ answer? “Because every now and then, you click on it.”
Houston figures that 85 percent of security breaches result from stolen credentials. Given that every nurse and doctor can look at any patient record, healthcare institutions have a lot of human territory to cover in ensuring that everyone is with the program. “I can have great technical security and great tools in place, but if I give a hacker a key to the front door, all my technical security tools are for naught,” he says. “I need to do a better job with my workforce to make sure they’re not giving up the keys to the kingdom.”
Researchers who handle data at Johns Hopkins are trained on what to do and what not to do, and the organization tries to ensure that doing the right thing to keep data safe is easier than doing the wrong thing, Lacey says. “I put a lot of my trust in educating people and giving them leeway in the security strategies they use,” he says. “Analysts do blue activities, which is protection, and red activities, where they test and poke around.”
In prior roles in security consulting, Meline says he was hired to phish people – sometimes simply by calling and posing as an IT staffer who needed their password – and he was successful probably 80 percent of the time. He also figures that about 80 percent of the e-mail coming into his hospital is filtered out as spam.
“Last month, our e-mail proxy filtered out over 9,000 viruses targeted at us,” he says. “End users are going to get tons of e-mails and other solicitations. I’ve contacted people [as a consultant] and had them say, are you that guy who’s supposed to give my password out? I convince them I’m not, and they give me four or five passwords.”
A frequent goal of phishing scams is to install “ransomware,” in which an organization’s data is effectively locked up until they pay up. While all types of organizations can be vulnerable to this, “There’s a concern from the healthcare standpoint that’s a little different,” McCulloch says. “When I talk to CIOs from other industries about the damage that could be done from scrambled data, the risks are a little higher for us as a consequence of the services we provide.”
UPMC has information security staff continuously searching for ransomware, which, apart from its end purpose, is no different from any other malware, Houston says. “The idea that a hospital can be taken down by a ransomware attack is shocking,” he says. “We see ransomware all the time, but we catch it before it becomes an issue. … When I hear about a hospital taken down by a ransomware attack, I worry because that tells me they don’t have basic controls in place.”