Compliance with HIPAA, although vital, is not enough to ensure that customer data will be genuinely secure: Anthem was HIPAA-compliant, and yet they still suffered one of the biggest data security breaches in history. Often, the weakest link in a system is the people operating it. Whether by accident or design, it can be all too easy for them to allow threat actors access to your systems, giving them the opportunity to do what they want with patient data.
In this post, the first of a series, we’ll look at three data security threat vectors, against which HIPAA compliance provides little or no protection. Later in the series we’ll look at the measures which can be taken to minimize these threats and ensure genuine security for healthcare data.
One of the biggest recent threats to client data is ransomware, which has grown substantially over the past few years: according to Cisco, nearly 4,000 such attacks occur every day. These involve attackers getting into your systems, perhaps by exploiting a software vulnerability or an outdated SSL/TLS stack, or by stealing a password from an employee or contractor (as discussed below). They then use that access to encrypt the data and demand payment for the decryption key, threatening permanent loss of the data if the ransom is not paid.
Last February, Hollywood Presbyterian Medical Center suddenly found itself without access to patient records or emails, and facing a demand for $3.6 million (of which they paid $17,000). In May, Kansas Heart Hospital faced a similar situation and paid the demanded ransom, only for hackers to turn around and demand more.
Most common data protection measures focus on preventing unauthorized data exfiltration, and provide little protection against ransomware (since the perpetrators need not move any data out of your network to succeed). Unauthorized encryption of your data gives threat actors opportunities for blackmail and extortion, but even worse, it can have a devastating (and even deadly) effect on patient care. Hospital operations, such as surgeries and urgent care, can be severely delayed by the lack of access to medical information systems.
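Because the ransomware signal is on-host write behaviour rather than outbound traffic, a detection that watches what processes write catches it where exfiltration monitoring does not. The following is an added example, not code from the original post: a behavioural heuristic that alerts when one process writes many high-entropy files in a short window. The event feed shape (timestamp, process, path, bytes written), the process names and all the sample telemetry are constructed for the demo; a real deployment would feed it from an EDR agent or file-system auditing.

```python
"""Behavioural ransomware heuristic over file-write telemetry.

Added example: not code from the original post. It assumes a hypothetical
event feed of (timestamp_seconds, process, path, bytes_written) tuples such
as an EDR agent or file-system auditing might produce.
"""
import hashlib
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted or compressed data sits near 8.0
WINDOW_SECONDS = 60.0
MIN_FILES_IN_WINDOW = 20   # distinct high-entropy files one process must touch to alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def find_suspected_encryptors(events):
    """Map each alerting process to the timestamp at which it crossed the threshold.

    A process alerts the first time it has written MIN_FILES_IN_WINDOW distinct
    high-entropy files within any WINDOW_SECONDS span. Nothing here looks at
    outbound traffic: the signal is purely on-host write behaviour.
    """
    recent = defaultdict(deque)   # process -> deque of (timestamp, path)
    alerts = {}
    for ts, proc, path, payload in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(payload) < ENTROPY_THRESHOLD:
            continue                      # ordinary documents never get this far
        window = recent[proc]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()              # drop writes older than the window
        if proc not in alerts and len({p for _, p in window}) >= MIN_FILES_IN_WINDOW:
            alerts[proc] = ts
    return alerts


def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


# Constructed sample telemetry for the demo; not data from any real incident.
PLAINTEXT_NOTE = b"Patient presented with mild fever; advised rest and fluids. " * 60
SAMPLE_EVENTS = []
# A word processor saving a few ordinary documents over ten minutes: low entropy.
for i in range(5):
    SAMPLE_EVENTS.append((i * 120.0, "winword.exe", f"/records/notes_{i}.docx", PLAINTEXT_NOTE))
# A backup agent writing one compressed archive: high entropy, but a single file.
SAMPLE_EVENTS.append((300.0, "backup-agent", "/backup/nightly.tar.gz", pseudo_ciphertext("backup")))
# An unknown binary rewriting 40 patient records with ciphertext in 20 seconds.
for i in range(40):
    SAMPLE_EVENTS.append((400.0 + i * 0.5, "invoice_viewer.exe",
                          f"/records/patient_{i:04d}.pdf.locked", pseudo_ciphertext(f"rec{i}")))

if __name__ == "__main__":
    for proc, ts in find_suspected_encryptors(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} began mass high-entropy writes at t={ts:.1f}s")
```

The two thresholds are the tuning knobs. The entropy cut-off separates ciphertext from ordinary documents; the file count and window separate a legitimate backup or compression job (one or a few large high-entropy files) from a process touching every record on a share. In the constructed sample only the unknown binary alerts, at the moment it reaches its twentieth distinct file.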
Encryption is only as secure as the password or encryption key used to access the data. Even if your passwords are too complex to crack by brute force, threat actors still have many techniques for tricking people into handing over credentials or keys. These attacks, which rely on manipulating people rather than computers, are called "social engineering attacks".
One very common form is email scams. While standard phishing emails are sent out to huge numbers of people in the hope of tricking a few, these don’t tend to be the most dangerous for businesses. The real concern is “spear phishing”, which is ruthlessly targeted at a specific company, and often an individual or select few individuals at that company. Attackers will meticulously research the company employees and procedures. Targets will see an email that appears to come from a familiar colleague, following the standard company template, written in that colleague's usual style, asking them to perform a common and innocuous computer task. If one victim doesn't take the bait, attackers won't simply give up. They will try a different employee, or adjust their message. The intention of these emails may be to get the recipient to click on a link that installs malware (such as a keylogger) or captures the recipient’s credentials by displaying a fake login page.
Once threat actors have the credentials to access your database, it can be dangerously easy for them to exfiltrate vast swathes of data. And the consequences could be even more wide-ranging, especially if they manage to access a system administrator’s credentials. They could change settings, alter data, restrict your access, introduce serious malware or instigate a ransomware attack. Without careful planning and protection against this kind of incursion, you could lose control of your system and data completely.
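The spear-phishing pattern described above (a familiar colleague's name on the From line, a body that asks for a routine task, and a link to a fake login page) leaves traces in the message headers and links that can be checked mechanically before a human ever reads it. The following is an added example, not code from the original post: it parses a raw message and flags a staff display name on an external address, a typo-squat of the corporate domain (one character off, or confusable swaps such as rn for m and 1 for l), a Reply-To that diverts replies elsewhere, and any link whose host imitates the corporate login domain. The corporate domain, the staff directory and both sample messages are constructed for the demo.

```python
"""Spear-phishing checks on a raw email message.

Added example: not code from the original post. The corporate domain, the
staff directory and the two messages below are all constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example-health.org"          # assumed corporate mail/SSO domain
STAFF_NAMES = {"dana reyes", "sam okafor"}  # assumed display names of real employees

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(host: str) -> bool:
    """True for the corporate domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)


def is_lookalike(host: str) -> bool:
    """True if host (or its registrable part) is a near miss of CORP_DOMAIN:
    one edit away, or equal after undoing common confusables (rn/m, 1/l, 0/o)."""
    host = host.lower().rstrip(".")
    if not host or is_internal(host):
        return False
    labels = host.split(".")
    for candidate in {host, ".".join(labels[-2:])}:
        folded = candidate.replace("rn", "m").replace("1", "l").replace("0", "o")
        if folded == CORP_DOMAIN or edit_distance(candidate, CORP_DOMAIN) <= 1:
            return True
    return False


def analyze(raw_message: str) -> list:
    """Return human-readable findings; an empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. A colleague's name on an address that is not ours: classic impersonation.
    if display_name.strip().lower() in STAFF_NAMES and not is_internal(from_domain):
        findings.append(f"display name '{display_name}' matches staff but sender is external ({from_domain})")

    # 2. The sender domain itself is a typo-squat of ours.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a lookalike of {CORP_DOMAIN}")

    # 3. Replies are silently routed somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Any link whose host imitates our login domain (the fake login page).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.append(f"link to lookalike host {host}")
    return findings


# Constructed sample messages (not real mail).
SPEAR_PHISH = """\
From: Dana Reyes <dana.reyes@exarnple-health.org>
Reply-To: d.reyes.it@mail-relay.example.net
To: sam.okafor@example-health.org
Subject: Please re-confirm your EHR login before tonight's maintenance

Hi Sam, IT needs everyone to re-validate before the 6pm patch window:
https://sso.examp1e-health.org/login
Thanks, Dana
"""

LEGIT = """\
From: Dana Reyes <dana.reyes@example-health.org>
To: sam.okafor@example-health.org
Subject: Lunch?

Want to grab lunch at noon? Menu: https://cafe.example-health.org/today
"""

if __name__ == "__main__":
    for label, raw in (("spear-phish", SPEAR_PHISH), ("legit", LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

None of these checks is individually conclusive (a contractor may legitimately write from an outside address, and a ticketing system may set its own Reply-To), which is why the function returns the full list of findings rather than a verdict: a gateway can quarantine on two or more, and warn the recipient on one. The checks cover only the headers and links that the attacker controls in the message itself; they say nothing about whether the sending server was authorised, which is what SPF, DKIM and DMARC verify.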
As discussed above, the biggest risk with most employees and contractors is that they will accidentally give threat actors access to healthcare data. However, you also need to consider the possibility that some of them will deliberately act against your best interests.
Full-on corporate espionage aimed at healthcare data is rare (accounting for less than 18% of all confirmed breaches). However, the same cannot be said for employees simply being nosy or looking to make a little money on the side. There’s a long list of cases where healthcare employees have been suspended or fired for accessing the medical records of celebrities. Many of these cases have led to hefty fines and embarrassment for the organizations involved - in 2011, UCLA Health System had to pay $865,500 for infringements going back years.
Even more dangerous is the prospect of employees selling the information on to journalists. If such a data leak is traced back to your organization, then the whole world could come to know that your data security strategy is inadequate, potentially causing serious damage to your reputation.
HIPAA compliance may well protect against physical server theft and unsophisticated cyberattacks. But only implementing the legally required measures and treating compliance as a tickbox exercise will leave client data dangerously exposed to the threats set out above.
These attacks can cause serious damage to your brand, and in the worst cases, create major service disruption and even put patient lives at risk. Cisco’s 2017 Cybersecurity Report, drawing from the experiences of security teams from across the world, notes the following statistics:
22% of compromised organizations lost valuable customers (and 40% of those lost more than 20% of their customer base); 29% lost revenue (38% of those lost more than 20% of revenue); and 23% lost business opportunities (42% of those lost more than 20%). (Figures as reported by Forbes.)
There is always a risk of software vulnerabilities. But as the above examples show, in general people are the weakest link. There will always be a human element involved in managing client data, and that creates weaknesses.
The truth is that real security requires expertise, investment, and ongoing efforts to ensure that systems are maintained and updated, and that people with access to data are monitored and protected from exploitation.
In this series of posts, we’ll be looking at a number of ways in which you can improve your security, in order to protect against the kinds of attacks described above and make your data truly secure.