It seems that every month, another healthcare company is hacked. In fact, 1.13M records were exposed by 110 healthcare data breaches in Q1 2018 alone.
Why the constant parade of security flaws? Why is the theft of millions of health records so commonplace?
At Logicworks, we’ve spent the last 25 years helping companies prepare for – and defend against – potential attacks. Here are five reasons why this problem won’t just go away.
1. Systems are old and complex
The biggest reason healthcare companies are not paying more attention to cybersecurity is exactly what you’d expect: cost. The biggest reason security is so expensive is that most large health companies have hundreds or even thousands of legacy applications and aging systems.
IT staff are not given the resources they need to modernize these systems, and old systems break more frequently, are harder to patch and are easier to exploit. They are usually glued together with a thin veil of code or networking that is finicky and difficult to repair. Electronic Medical Record (EMR) systems are complex, with disjointed patient intake, billing systems, etc., and the quantity of data they store – including huge medical images – makes them costly to run.
On top of this, in some hospitals, separate departments are each procuring their own systems, leaving little or no central oversight to monitor where these systems interface with each other. Many hospitals are also in the middle of multi-year, extremely expensive contracts with large software vendors that they can’t get out of.
Cybersecurity efforts must first tackle complexity. This is a major reason why healthcare organizations are moving to the cloud; they take the opportunity to refactor or eliminate applications that are no longer necessary, and often combine several on-premises systems with a single cloud-based SaaS or PaaS offering. Despite the cloud being a less expensive option in terms of operational costs, deterrents such as inertia, long contracts and false concerns about cloud security keep companies stuck in their old solutions.
2. Health IT is 95% Manual Work
In the cybersecurity world, manual work is risk. One of the many symptoms of aging systems is that engineers do most of the maintenance work manually.
When engineers have to manually patch a vulnerability on hundreds of servers, the chance of them missing a critical update on server #305 is high. When they have to update network configurations manually, it’s easy to accidentally open a port to the wrong subnet. Each of these mistakes creates an open door to hackers.
The security of health records should not depend on the memory of a few engineers. They’re generally a smart crowd, but no one can remember everything.
At the end of the day, most security features come down to three basic principles: keep malicious users out, restrict user access to limit the impact of an insider hack and monitor the system constantly. All three of these principles are drastically improved through automation.
Automation guarantees that security policies are not only instituted, but maintained throughout the lifecycle of the infrastructure. As vulnerabilities are exposed, a single change to an automation script can patch hundreds or even thousands of complex systems without downtime. Automated security policies encourage the adoption of evolving standards and maintain a single record of network and access policies. Even the process of creating automated policies often exposes previously unknown system vulnerabilities.
Healthcare organizations need to dedicate time to building automated systems. If their datacenter is virtualized or they’re on the cloud, they should be automating:
- The provisioning of compute resources to support new applications
- The installation of the latest packages, and security updates
- The installation of security monitoring tools
- Standard naming conventions
- Analysis of security logs for compromised or exfiltrated data
Configuration management and deployment automation tools make this possible. Unfortunately, it often takes a major security exposure for organizations to take these steps when they’re doing so much manual work to just keep up. Legacy systems will often be harder to automate — and more expensive — and automation requires engineers with a specialized set of skills.
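The two failure modes named above, a critical update missed on one server out of hundreds and a port opened to the wrong subnet, are exactly what an automated, fleet-wide policy check catches. The following is an added example, not Logicworks' code or any product's: it audits a constructed inventory of 400 hosts against a baseline of minimum package versions and allowed ingress sources. The host names, package versions and subnets are all made up for illustration.

```python
"""Fleet-wide security baseline check (added example with constructed data)."""
import ipaddress

# Baseline every host must meet (constructed): minimum package versions and
# which listening ports may be reachable from which source ranges.
BASELINE = {
    "min_versions": {"openssl": (1, 1, 1), "openssh-server": (7, 9)},
    "allowed_ingress": {
        443: ["10.0.0.0/8"],     # EMR web tier: internal network only
        22: ["10.10.0.0/16"],    # SSH: bastion subnet only
        5432: ["10.20.0.0/16"],  # database: application subnet only
    },
}


def parse_version(text):
    """Turn strings like '1.1.1k' or '7.9p1' into a comparable tuple of ints,
    keeping only the leading digits of each dotted component."""
    parts = []
    for piece in text.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def check_host(host):
    """Return the list of baseline violations for one host record."""
    findings = []
    name = host["name"]
    for pkg, minimum in BASELINE["min_versions"].items():
        installed = host["packages"].get(pkg)
        if installed is None:
            findings.append(f"{name}: {pkg} not installed")
        elif parse_version(installed) < minimum:
            findings.append(f"{name}: {pkg} {installed} below baseline")
    for port, source in host["ingress"]:
        allowed = BASELINE["allowed_ingress"].get(port)
        if allowed is None:
            findings.append(f"{name}: port {port} not in policy")
            continue
        src = ipaddress.ip_network(source, strict=False)
        # A source range is acceptable only if it sits inside an allowed range.
        if not any(src.subnet_of(ipaddress.ip_network(a)) for a in allowed):
            findings.append(f"{name}: port {port} open to {source}")
    return findings


def audit(inventory):
    """Run the check across the whole fleet; returns {hostname: [findings]}."""
    report = {}
    for host in inventory:
        findings = check_host(host)
        if findings:
            report[host["name"]] = findings
    return report


def build_inventory(count=400):
    """Constructed fleet: every host compliant except two deliberate drifts."""
    inventory = []
    for i in range(1, count + 1):
        inventory.append({
            "name": f"emr-web-{i:03d}",
            "packages": {"openssl": "1.1.1k", "openssh-server": "7.9p1"},
            "ingress": [(443, "10.0.0.0/8"), (22, "10.10.0.0/16")],
        })
    # Server #305 never received the OpenSSL update.
    inventory[304]["packages"]["openssl"] = "1.0.2u"
    # One host had SSH opened to the whole internet by a hand-edited rule.
    inventory[211]["ingress"].append((22, "0.0.0.0/0"))
    return inventory


if __name__ == "__main__":
    for findings in audit(build_inventory()).values():
        for finding in findings:
            print(finding)
```

Run from a scheduler or a deployment pipeline, a check like this turns "did anyone remember server #305?" into a report that is produced the same way every day; the same baseline dictionary doubles as the single record of network and access policy the article calls for.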
3. Disjointed Monitoring
What usually happens in the case of a security threat is that system engineers dig through the logs of individual applications or, worse, individual servers, to find the problem. This can take hours while the hacker is wreaking havoc in your environment.
A rapid response should isolate the attack, protect critical files and reduce the amount of information leaving the system. Healthcare companies very rarely have a critical response unit, although there are certainly hundreds of firms they could call for $30,000+ per incident.
All too often the failure is as much about lack of appropriate staff as lack of technology. The first step for healthcare companies is either outsourcing incident management or hiring a Chief Information Security Officer. This individual should be responsible for constructing a realistic, tactical incident response plan and leading the organization through any potential crisis. A consolidated monitoring interface is usually the next step – or automating log shipping to a central repository.
That said, it’s not just about a rapid response once you’ve realized you’ve been hacked. Many companies have the tools and resources, but lack a regular practice to monitor logs and catch attacks as quickly as possible when they first infiltrate a system.
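Once logs from every server land in one repository, the patterns that are invisible in any single server's log become simple to test for. The following added example (not the article's or any vendor's code) parses a constructed set of log lines from three hosts into one ordered timeline and runs two routine checks over it: a successful login that follows a burst of failures from the same source, and more outbound data to an external destination than a host should ever send. Host names, addresses, the log format and the thresholds are all assumptions made for the example.

```python
"""Central log analysis over a constructed multi-host timeline (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines, deliberately out of order and from several hosts.
SAMPLE_LOGS = [
    "2018-03-02T02:14:05Z emr-db-01 sshd: Failed password for svc_backup from 203.0.113.9",
    "2018-03-02T02:14:09Z emr-db-01 sshd: Failed password for svc_backup from 203.0.113.9",
    "2018-03-02T02:14:14Z emr-db-01 sshd: Failed password for svc_backup from 203.0.113.9",
    "2018-03-02T02:14:20Z emr-db-01 sshd: Failed password for svc_backup from 203.0.113.9",
    "2018-03-02T02:14:27Z emr-db-01 sshd: Failed password for svc_backup from 203.0.113.9",
    "2018-03-02T02:16:40Z emr-db-01 sshd: Accepted password for svc_backup from 203.0.113.9",
    "2018-03-02T02:17:02Z emr-db-01 netflow: dst=198.51.100.7 bytes=85000000",
    "2018-03-02T02:21:30Z emr-db-01 netflow: dst=198.51.100.7 bytes=60000000",
    "2018-03-02T02:03:11Z emr-web-012 sshd: Accepted publickey for deploy from 10.10.4.2",
    "2018-03-02T02:05:00Z emr-web-012 netflow: dst=10.20.1.5 bytes=400000000",
    "2018-03-02T01:58:44Z emr-db-02 sshd: Failed password for root from 203.0.113.9",
    "2018-03-02T02:30:00Z emr-web-012 netflow: dst=198.51.100.7 bytes=2000000",
]

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$")
FLOW = re.compile(r"^dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def parse(lines):
    """Parse raw lines into event dicts and order them into one fleet timeline."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "prog": m["prog"], "msg": m["msg"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, window=timedelta(minutes=10), threshold=5):
    """Alert when a login succeeds after >= threshold failures from the same
    source against the same host inside the window."""
    failures = defaultdict(list)  # (host, source) -> failure timestamps
    alerts = []
    for ev in events:
        if ev["prog"] != "sshd":
            continue
        m = AUTH.match(ev["msg"])
        if not m:
            continue
        key = (ev["host"], m["src"])
        if m["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"type": "bruteforce-success", "host": ev["host"],
                           "src": m["src"], "user": m["user"], "failures": len(recent)})
    return alerts


def detect_exfil(events, limit_bytes=100 * 1024 * 1024):
    """Alert when a host's total bytes to one external destination exceed limit_bytes."""
    totals = defaultdict(int)
    for ev in events:
        if ev["prog"] != "netflow":
            continue
        m = FLOW.match(ev["msg"])
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in net for net in INTERNAL):
            continue  # internal traffic is out of scope for this check
        totals[(ev["host"], m["dst"])] += int(m["bytes"])
    return [{"type": "large-egress", "host": h, "dst": d, "bytes": b}
            for (h, d), b in totals.items() if b > limit_bytes]


def analyze(lines):
    """Run every detection over the centralized timeline and return the alerts."""
    events = parse(lines)
    return detect_bruteforce(events) + detect_exfil(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Neither check is sophisticated; the point is that both need the authentication log and the flow log of the same host side by side, in time order, which is precisely what "digging through individual servers" never gives you. Shipping logs centrally is the prerequisite; running checks like these on a schedule is the regular practice the paragraph above says most companies lack.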
4. “We’re already HIPAA compliant”
Although there are requirements in the HIPAA Security Rule’s Technical Safeguards section, the law in and of itself isn’t a prescription for keeping data safe. Healthcare organizations need to go above and beyond required functions in order to truly secure their environments.
Encryption is a good example of this. While not a requirement under HIPAA, encryption is considered an addressable specification. Many healthcare organizations mistakenly believe that HIPAA compliance is a checkbox, and that once infrastructure is configured, it is “all set” or somehow guarantees the security of their environment. However, even following both HIPAA and NIST guidelines is not enough; these recommendations can take years to catch up to new technology shifts. HIPAA provides a set of best practices and implementation guidelines, but the people responsible for the security of the environment need to continually reassess it. At the very minimum, healthcare companies should be encrypting data, or should look to reengineer systems if encryption is off the table.
5. Healthcare data is extremely valuable
As if the factors above aren’t enough, hackers are constantly poking healthcare companies’ infrastructure looking for vulnerabilities. It is much more lucrative to go after health records, which are ten times more valuable than credit card records. When hackers are constantly knocking on the door to get those records, they usually find a way in sooner or later.
Even if healthcare companies can’t guarantee they will never have a security breach, they should work to ensure they’re doing everything possible to prevent one. Cyberexpert Jim Lewis from the Center for Strategic and International Studies argues that every company can manage (though not eliminate) risk by implementing cybersecurity best practices.
“Think of it as a continuum of risk,” Lewis says. “You can do nothing, and you’re at 100% risk. Or you can do a lot and you can get the risk down to 10% to 15%.”
Hundreds of millions of healthcare records have already been stolen in America. Healthcare companies have an uphill battle to modernize systems and reduce risk, and need to look beyond the law’s guidance towards automation, cloud technology and more stringent cybersecurity practices.
This article originally appeared in Becker’s Hospital Review.