Hacker Attacks: Are You Prepared?Experts Say Healthcare Sector as Vulnerable as Other Industries
The recent hacking incidents affecting HealthCare.gov, Community Health Systems and other healthcare organizations illustrate the need to urgently ramp up defenses against emerging cyberthreats, two security experts say.
"When you look at the breaches we've had this year, we've seen twice as many breaches from hacks directed attacks at healthcare as we've ever seen," says Mac McMillan, CEO of security consulting firm CynergisTek, in an interview with Information Security Media Group at the recent Healthcare Information and Management Systems Society privacy and security forum in Boston.
"These are very sophisticated malware or phishing-induced attacks where a hacker has actually compromised the system, exploited their environment and [potentially] stolen data for one purpose or another, and that's not the environment healthcare was living in a few years ago," he says.
"Looking forward to next year, I think we're going to have to step up and become more sophisticated in how we approach protecting our data. It's not about compliance; it needs to be about security - securing the systems, securing the data and protecting the safety of the patient."
Heather Roszkowski, CISO of Fletcher Allen Health Care, who also participated in the interview with ISMG, says she's been frustrated that the risk of hacker attacks has been largely ignored in healthcare, until now.
"I've always known that outside threat existed," she says. "And it's been very difficult to get that across to a lot of folks in the healthcare industry because, up until now, we haven't seen a lot of actual hacks that we've been able to confirm. I'm trying to use some of these breaches to train my organization, and say, 'it can happen, we do need to protect against it.' Every bad incident, you want to try to get some positive out of it, and that's what I'm trying to leverage."
The U.S. Department of Health and Human Services recently revealed that malware was uploaded by hackers onto a test server of the Obamacare insurance marketplace website, HealthCare.gov.
In August, the Community Health Systems hospital chain revealed a hacking incident that compromised information on 4.5 million patients.
And in June, Montana Department of Public Health and Human Services reported that hackers gained access to a public health department server storing data on 1.3 million individuals, although there's no evidence that information on the server was used inappropriately, or was even viewed, state officials say.
All of these incidents are signs that the threat landscape is dramatically changing, McMillan says. Organizations must be vigilant in managing their environments, including keeping up with software patches and anti-malware updates, or risk falling victim to these external threats.
"The hackers only have to be right once," Roszkowski adds. "You could even be at the top of your game, and you still have risk and the opportunity someone will get in. You have to have a reaction plan so that if you get an alert, you can react to it quick enough so that you're not going to lose data."
In the interview, McMillan and Roszkowski also discuss:
McMillan is co-founder and CEO of CynergisTek Inc. an Austin, Texas-based firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of HIMSS' privacy and security task force.
Roszkowski is CISO of Burlington, Vt.-based Fletcher Allen Health Care, a 562-bed academic medical center affiliated with the University of Vermont. Previously, Roszkowski served for 11 years in the U.S. Army in communications and computer information security positions. That included serving as a communications platoon leader, a communications company commander, and as the First Division Information Security Officer for the 25th Infantry Division.