Healthcare Breaches from Cybercrime

In my last couple of blogs, Healthcare Breaches from Loss or Theft of Mobile Devices or Media and Healthcare Breaches from Insider Risks: Accidents or Workarounds, I looked at breaches resulting from loss or theft of mobile devices containing sensitive patient data, and breaches resulting from healthcare worker accidents or use of workarounds respectively. In this blog I build on these with another common type of breach that results from cybercrime hacks of healthcare organizations.

In the Ponemon 2015 Cost of Data Breach Study, 47 percent of breaches resulted from malicious or criminal attacks. In these kinds of breaches the attacker is a remote hacker that is often part of organized cybercrime, or even a nation state. The target is the healthcare organization's backend database containing all patient records. Since the cost of a breach depends on the number of patient records compromised, and the backend master database contains all patient records, this type of breach is usually much more impactful than one resulting from loss or theft of a mobile device, which often contains just a small subset of the overall number of patient records. According to this research study, the total average cost of a single data breach event is $6.53 million, or $398 per patient record (the highest across all industries). This is inclusive of all types of breaches. Cybercrime breaches tend to be even more impactful and costly since they often involve all the patient records, and can run into the tens of millions of dollars and even north of $100 million per breach event.

An example of this type of breach is shown in the infographic below, and involves a series of failures, starting with ineffective security awareness training for healthcare workers. The next failure involves a spear phishing email being sent to a healthcare worker and the healthcare worker clicking on a malicious link in the email, resulting in a drive-by download of malware. The malware, now installed behind the firewall of the healthcare organization, proliferates and keylogs, all the while looking for privileged credentials to use to access all patient records in the master database. Once DB administrator credentials are captured, the malware then begins to exfiltrate patient records “low and slow” covertly to avoid detection, resulting in a breach. Many organizations lack the ability to detect such intrusions. As a result, this type of breach can often go undetected for months or years before a watchful administrator happens to notice suspicious activity on the database. The huge delay between intrusion and detection with these types of breaches often results in much greater breach impact to the healthcare organization, since the longer the breach goes on the more patient records are compromised.

[Infographic: cyber attack breach sequence and breach security maturity model]

Security is complex, and there are many safeguards required to effectively mitigate this type of breach. Maturity models have achieved wide adoption and success in healthcare, for example the HIMSS EMRAM (EMR Adoption Model) has been used by 5300+ provider organizations worldwide. Maturity models are a great way to simplify complexity and enable rapid assessment of where you are and what you need to do to improve.

In the infographic above, beneath the sequence of events leading to this type of breach, is a breach-focused maturity model that can be used to rapidly assess your security posture and determine next steps to further reduce residual risk. There are three levels in this maturity model: Baseline includes the orange capabilities, Enhanced adds the yellow capabilities, and Advanced adds the green capabilities. Only safeguards relevant to mitigating this type of breach are colored in this maturity model. Other grayed-out blocks, while important in mitigating risk of other types of breaches, do not play a significant role in mitigating risk of breaches from cybercrime hacks. There are many risks in healthcare privacy and security. This model is focused on breaches. A holistic approach is required for effective security, including administrative, physical and technical safeguards. This maturity model is focused mostly on technical safeguards. Risk assessments are required by regulations such as HIPAA, and standards such as ISO 27001. The ability to rapidly assess breach security posture using a breach security maturity model is complementary to, and not a replacement for, risk assessments. Below I briefly review each of the safeguards relevant to cybercrime breaches.

A baseline level of technical safeguards for basic mitigation of this type of healthcare breach requires:

  • User Awareness Training: educates healthcare workers on how to be privacy and security savvy in delivering healthcare, and avoid clicking on spear phishing emails
  • Anti-Malware: detects and remediates malware infections of healthcare worker devices, including malware employees may accidentally encounter through drive-by downloads
  • Vulnerability Management and Patching: involves proactively identifying vulnerabilities and patching them to close security holes before they can lead to a breach. This is particularly important with healthcare worker devices used to access the Internet and at risk of being exposed to drive-by downloads of malware
  • Penetration Testing / Vulnerability Scanning: involves proactively testing IT and scanning for vulnerabilities to identify security holes and vulnerabilities that can be remediated proactively to reduce risk of these being used in exploits
  • Email Gateway: helps defend against malware attached to emails, and phishing attacks
  • Web Gateway: can detect malware from healthcare workers' web browsing of the Internet, and defend against attempted drive-by downloads that may otherwise lead to data loss and breach
  • Firewall: malware used in cybercrime attacks attempts to make contact with C&C (Command & Control) servers to receive instructions and exfiltrate patient records. A good firewall can help defend against this.

An enhanced level of technical safeguards for further improved mitigation of risk of this type of healthcare breach requires addition of:

  • Secure Remote Administration: enables healthcare IT to efficiently, securely and remotely administer endpoint devices so they are up to date with the latest patches and safeguards to defend against breaches from accidents and workarounds
  • Intrusion Prevention System: can detect and defend against anomalous activity on the healthcare organization's network, such as would occur with malware communicating with C&C servers

An advanced level of security for further mitigation of risk of this type of breach adds:

  • Client and Server Application Whitelisting: blocks unauthorized executables on clients and servers and can stop even the most sophisticated zero-day attack malware
  • Network DLP (Data Loss Prevention): ensures that sensitive healthcare data only leaves the healthcare network when appropriate, and can help defend against sensitive healthcare information being exfiltrated as part of a cybercrime breach
  • Threat Intelligence Exchange / Collaboration: connects your security IT together with external threat intelligence for improved detection and response to malware and cybercrime attacks
  • SIEM: integrates and analyzes event, threat and risk data for improved detection of malware, intrusions, and cybercrime breaches
  • DB Activity Monitoring: improves your ability to detect malware attacking your database, as in the case of a cybercrime breach. This safeguard also enables you to define policies that can help defend against this type of breach
  • Digital Forensics: enables you to determine in the event of a cybercrime intrusion whether a breach actually occurred, and if so the nature of the breach, and exact scope of patient data compromised
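To make the DB Activity Monitoring safeguard concrete, here is an added example (not from the original post or any product it mentions) of a minimal monitor that looks for the “low and slow” pattern described above: each query stays under a per-query volume alarm, but the same privileged account keeps pulling patient records after hours. The audit records, field layout, table name and thresholds are all constructed assumptions for this illustration.

```python
"""Minimal database activity monitor for the "low and slow" exfiltration
pattern. Audit records below are constructed for this example; the
field layout (timestamp, db_user, table, rows_returned) is an assumption."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: a normal application account during the day, and a
# DBA account whose credentials were captured reading after hours in small
# batches that each stay below a naive per-query alarm threshold.
AUDIT_LOG = """\
2015-03-02T09:15:00 appsvc patient_records 120
2015-03-02T09:16:00 appsvc patient_records 95
2015-03-02T10:40:00 dba01 patient_records 3
2015-03-03T02:05:00 dba01 patient_records 900
2015-03-03T02:35:00 dba01 patient_records 880
2015-03-03T03:05:00 dba01 patient_records 910
2015-03-03T03:35:00 dba01 patient_records 895
"""

SENSITIVE_TABLES = {"patient_records"}   # assumed name of the PHI table
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 counts as normal use


def parse_log(text):
    """Parse whitespace-separated audit lines into typed tuples."""
    records = []
    for line in text.splitlines():
        ts, user, table, rows = line.split()
        records.append((datetime.fromisoformat(ts), user, table, int(rows)))
    return records


def single_query_alerts(records, threshold=1000):
    """Naive volume policy: alert only when one query returns too many rows.
    A low-and-slow attacker sizes each batch to stay below this, so it
    never fires on the constructed log."""
    return [(ts, u) for ts, u, t, rows in records
            if t in SENSITIVE_TABLES and rows > threshold]


def detect_low_and_slow(records, min_queries=3, ratio=10):
    """Cumulative policy: flag a user whose after-hours reads of sensitive
    tables are repeated and far exceed that user's own business-hours
    volume. Returns {user: after_hours_rows} for flagged accounts."""
    stats = defaultdict(lambda: {"day_rows": 0, "night_rows": 0, "night_q": 0})
    for ts, user, table, rows in records:
        if table not in SENSITIVE_TABLES:
            continue
        if ts.hour in BUSINESS_HOURS:
            stats[user]["day_rows"] += rows
        else:
            stats[user]["night_rows"] += rows
            stats[user]["night_q"] += 1
    return {u: s["night_rows"] for u, s in stats.items()
            if s["night_q"] >= min_queries
            and s["night_rows"] > ratio * max(1, s["day_rows"])}
```

Running `detect_low_and_slow(parse_log(AUDIT_LOG))` flags only `dba01`, while the per-query check returns nothing; in practice the monitor would feed such a finding into the SIEM described above.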

Healthcare security budgets are limited. Building security is an ongoing process. The maturity model approach discussed here can be used in a multi-year incremental approach to improve breach security while keeping within limited annual budgets and resource constraints.

What questions do you have?