by John Moore, iHealthBeat Contributing Reporter
The health care sector is in for more targeted attacks next year, as cyber assailants increasingly prize the data providers maintain.
That’s the analysis of industry executives who contend the information security threats facing health care institutions will only intensify in 2015. They say attackers believe hospitals and health systems hold a wealth of data, from credit card information to demographic details to insurance beneficiary data. The notion that health care trails other industries in IT security may encourage attempts to seize those data.
But while attacks are on the rise, health care budgets aren’t quite as buoyant.
Phyllis Teater, CIO and associate vice president of health services at the Ohio State University’s Wexner Medical Center, said, “The threats continue to mount … at a time when all of health care is looking to reduce the cost of delivering care.”
Earlier this month, Art Coviello — executive chair of RSA, the security division of EMC — predicted that “well-organized cyber criminals” will ramp up their efforts to steal personal information from health care providers. Coviello, in what has become his annual security outlook letter, described health care information as “very lucrative to monetize” and “largely held by organizations without the means to defend against sophisticated attacks.”
Some health care providers, however, plan to strengthen their defenses. Health care organizations’ expected security priorities for 2015 include:
- Encryption and mobile device security;
- Two-factor authentication;
- Security risk analysis;
- Advanced email gateway software;
- Incident response management;
- Expansion of IT security staff; and
- Data loss prevention (DLP) tools.
Uptick in Attacks
Lynn Sessions, a partner with the law firm BakerHostetler, cited an uptick in cyber-attacks targeting health care. Sessions, who specializes in health care data security and breach response, said much of her firm’s activity once focused on unencrypted devices that were lost or stolen, unencrypted backup tapes and email delivered to the wrong recipient. Those incidents were typical of the years immediately following the passage of the HITECH Act, which in 2009 established a breach notification duty for HIPAA-covered entities. But since the beginning of 2014, the rise of hacking and malware attacks has become “very noticeable,” Sessions said.
That trend seems likely to carry over into 2015.
Scott Koller, a lawyer at BakerHostetler who focuses on data security, data breach response and compliance issues, said he believes two types of attacks will see increased prevalence next year:
- Phishing; and
- Ransomware.
Phishing attempts to convince users to give out information such as usernames and passwords or credit card numbers. In settings such as health care, phishing may also provide a stepping stone for more advanced attacks, Koller noted. For example, a user could open an attachment in a phishing email that installs malware on the user’s device. From that foothold, an attacker could then infiltrate the enterprise network.
“Phishing emails often provide the entry point,” Koller said.
Attackers, he added, have become adept at disguising their phishing emails.
“They are much more sophisticated in terms of crafting them and targeting them to users and making them more difficult to detect,” Koller explained.
Phishing emails can also serve as a vehicle for ransomware attacks, which encrypt the data on a computer’s hard drive. Cyber criminals demand payment from users before they will provide the means to unlock the data.
CryptoLocker and CryptoWall are examples of ransomware. In August, the Dell SecureWorks Counter Threat Unit research team reported that nearly 625,000 systems were infected with CryptoWall between mid-March and late August 2014. The researchers called CryptoWall “the largest and most destructive ransomware threat on the Internet” and one they expect will continue expanding.
To further complicate matters, ransom may be demanded in the form of bitcoin, a digital currency. The use of bitcoin makes the perpetrators a lot harder for law enforcement to track down, Koller said. He said he anticipates that ransomware will see greater prevalence and use in the future.
Tightening Security
Against the backdrop of increasing attacks, health care organizations are taking steps to boost their IT security.
Ohio State’s Wexner Medical Center, for example, plans to make staffing a focal point of next year’s IT security investment. It expects to fill three openings over the next few months.
“Much of our investment is in recruiting top talent and growing the team by adding” full-time employees, Teater said.
Technology adoption is also in the works.
“We are deploying a new mobile security tool that has better capabilities,” she said. “We are also starting down the road to deploy data loss prevention” in conjunction with the Ohio State University.
In addition, Ohio State’s medical center is looking at how to enable two-factor authentication for use cases such as remote/mobile access and e-prescribing, Teater noted.
Koller said two-factor authentication will rank among the top IT security measures health care organizations take on in 2015. Two-factor authentication typically involves a traditional credential, such as user name/password and adds a second component such as a security token or biometric identifier.
Two-factor authentication does a good job of counteracting phishing emails, Koller said. If an attacker obtains an employee’s username/password via phishing, it will still lack the additional authentication factor, he noted.
Koller also cited encryption as another security measure health care providers should look to deploy next year. He said that larger institutions already recognize encryption as an issue but that smaller practices still struggle to find ways to implement encryption for laptops and mobile devices.
“Encryption very much needs to be on everybody’s radar,” he said.
To date, it hasn’t been. Forrester Research in September reported that “only about half” of health care organizations secure endpoint data through technology such as full-disk encryption or file-level encryption.
Health care providers next year may also invest in incident response management, as well as prevention.
Mahmood Sher-Jan, vice president and general manager of the RADAR Product Unit at ID Experts, said most people accept that security incidents are a certainty, which places the emphasis on risk reduction and response. ID Experts provides software and services for managing incident response.
Chief information security officers and health care IT security personnel “recognize now that their success is going to be measured on how they manage incident response and minimize the impact on reputation and churn,” Sher-Jan said.