Why Hackers Are Targeting Health Data
CIO: 'Today It's a Totally Different Kind of Attack'
Last month, the Montana health department confirmed a server breach impacting up to 1.3 million individuals.
And now the State of Vermont confirms that a development server of the Vermont Health Connect, the state's health insurance exchange under the Affordable Care Act, experienced a cyberattack last December, in which hackers allegedly accessed data 15 times. The attack, which was tracked to a Romanian IP address, went undetected for about a month.
In this latest case, because the server was only a development system that did not contain any production data, there was no breach, Lawrence Miller, Vermont's chief of healthcare reform, tells Information Security Media Group.
Still, the incident was a wake-up call to Vermont and to technology services firm CGI Group, which developed the state's exchange and hosts it. "We're constantly evaluating and improving security," Miller says. "I can't speak for the hackers' motives, but anytime hackers attack it's usually because they're looking for something of value, or are doing it for the sport of seeing what they can do."
Combined, these incidents represent a trend that has caught the attention of healthcare security leaders nationwide. External attacks are on the rise, and healthcare organizations need to be prepared to defend against more than the common threats they already see, namely lost laptops and unauthorized access to records. They need to defend against sophisticated cybercriminals who seek critical medical data to commit fraud or turn a profit.
In the past, "hackers were MIT freshmen who attacked the Harvard network for fun," says John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston. "Today it's a totally different kind of attack - highly sophisticated, organized criminals attempting to get medical identities."
While a stolen Social Security number might sell for 25 cents in the underground market, and a credit card number might fetch $1, "A comprehensive medical record for me to get free surgery might be $1,000," Halamka says. "It is a commodity that is hot on the black Internet [market]."
Tracking the Hacks
The healthcare sector and government-sector systems that handle health-related data are increasingly targets of cybercriminals because of the information those systems contain, which ranges from Social Security numbers to health insurance identification numbers.
The FBI estimates that $80 billion of the $2.2 trillion a year spent on healthcare in the United States is associated with fraud, with half of that fraud tied to medical ID theft, says Bill Barr, a development director at the Medical ID Fraud Alliance.
The number of known medical and healthcare-related breaches is steadily increasing year over year, according to research by the Identity Theft Resource Center, which monitors breaches reported by state attorneys general and other credible sources.
Healthcare-related hacking incidents in 2013 grew to 28 incidents affecting nearly 1.1 million records, up from 23 incidents affecting 879,179 records in 2012, ITRC found. Those numbers are also up from 2011, when ITRC identified only eight healthcare hacking breaches affecting about 400,000 records.
According to the 2014 Healthcare Information Security Today survey of about 200 respondents from healthcare organizations, 11 percent reported having a hacker-related breach in 2013.
"The facts are that Web attacks against information systems in the healthcare sector are increasing at an alarming rate," says David Holtzman, vice president of compliance at security consulting firm CynergisTek.
Equally alarming, Holtzman says, is that healthcare organizations have not ramped up security to respond to these increased threats.
"The reality is that the healthcare sector as a whole has devoted inadequate resources to safeguarding information systems," he says. "More than half of all healthcare organizations spend less than 3 percent of their IT budget to protect data, and almost half do not have a full-time CISO or information security manager."
The appeal of health data to cybercriminals also presents increasing risk to segments of the government sector - like public health department systems that contain health-related data.
"Government computers are a particularly interesting target for two main reasons," says Rob Barnes, director of public sector at security consulting firm Coalfire. "First, they are generally more vulnerable, as they are older systems running older, less secure software. Second, they are rich in data like Social Security numbers, personally identifiable information, healthcare, financial information and data that can be used for identity theft."
Steps to Take
How do healthcare organizations prepare to defend against this new and growing threat? Experts and practitioners recommend critical steps to improve defense and detection of external attacks.
"Deterrence, prevention, detection and response all have their place," says security expert Brian Evans, senior managing consultant with IBM Security Services.
Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything, Evans says. "Alarms, audit and investigation all require underlying information to detect bad actors and to determine the effectiveness of controls," he says.
Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly-detection methods are particularly good for these purposes, as are rule-based detection mechanisms, Evans says.
But alerts must be set only for "actionable items" that IT or security teams can follow up on. Too many alerts can be counterproductive for detecting breaches and intrusions. For instance, if the "noise level" is too high, alerts indicating possible breaches can be overlooked among alerts for non-actionable events.
Security information and event management or log management tools can augment data collection efforts. "In order to be effective, audit logs should be at an appropriate level of detail to the loss thresholds being detected," Evans says.
In addition to deploying technology tools to help defend against and detect intrusions, Evans says it's important to formally define roles and responsibilities for incident response. "I still come across informal and untrained teams," he says. Organizations need to document procedures that specify what the response team should do if there's an incident and test those procedures periodically, he notes.
From the practitioner's perspective, Halamka of Beth Israel Deaconess recommends responding to healthcare breaches as one would to financial fraud attacks: with a multilayered approach to defense.
"It's not just one technology, it's multiple technologies in order to repel these highly sophisticated and organized attacks." That includes deploying SIEM, as well as multifactor authentication to enter critical systems.
"The Internet is increasingly a swamp," Halamka says. "It's no longer sufficient to just look at standard security logs. You need integrated security information event management that brings together network logs, users logs, application logs and server logs, and looks for non-obvious associations."