Why Hackers Attack Healthcare Data, and How to Protect It

August 12, 2016 5:30 am

Harish Pai, CTO, Infinite Computer Solutions

Remote patient monitoring technologies are forecast to dominate the future of healthcare systems. Consisting of devices such as connected heart monitors, implanted sensors, and wearables, these technologies are designed to simplify and transform the way patients currently approach, access, and receive care. These technological advances are set to enable the prevention of disease and earlier diagnoses.

However, with great advances come great challenges. The increase in data liquidity has brought one particular challenge to the tipping point: security. This liquidity means patients’ data is flowing over the cloud, from provider to clinician and back to the patient.

One challenge of protecting patient data is the journey the data must take. Recorded on wearable devices and implanted sensors, highly personalized and comprehensive data on a patient’s basic health indicators first passes through secure home networks, from devices to apps over the internet, and then begins a more precarious journey through cloud or central repositories to reach physicians and payers.

Another challenge is the nature of the data itself. The personal nature of this information, along with its long shelf life, makes health records highly valuable to hackers. Health records contain policy numbers, medical history, billing information, and Social Security numbers. Bank accounts and credit cards can be shut down at the first sign of fraudulent activity, but changing your Social Security number or address is a bigger challenge. Patients’ health records and prescription records are permanent and can be sold on the black market for a premium. In addition to allowing a hacker to use the information for identity theft and fraud, this data is valuable because of the social stigma patients may face if their health information were leaked. For these reasons, medical data are more sought after than financial data.

Risk Points

In theory, breaches have the potential to occur at any point along the journey. However, the breaches that will pose the greatest threat are those that occur when data is being relayed over the internet to cloud or centralized “safe keeping” database systems. Hackers looking for patient data on the cloud need only exploit one vulnerability on a network to bring that network down and compromise millions of patient records. The Office of Civil Rights under Health and Human Services reported last year that more than 113 million medical records were compromised.

This is where payers and physicians will be hardest hit. According to McKinsey, nearly 45 percent of U.S. hospitals are participating in local or regional Health Information Exchanges. Standards to protect data security have been established as part of the Health Insurance Portability and Accountability Act (HIPAA), but those standards change, and businesses are hard-pressed to keep up. In fact, a recent study done by Infinite Convergence found that 92 percent of healthcare institutions are not HIPAA compliant. Standards are rapidly changing based on needs and new threats, and companies unable to operate by those standards are left all the more vulnerable to attacks.

An emerging danger facing physicians and payers is malicious hacking through programs like ransomware, software that blocks an organization’s access to its own computer system until a sum of money is paid. Ransomware already has demonstrated the ability to install on wearable devices as well as laptops, systematically eating away stored data. According to a study conducted by the Institute for Critical Infrastructure Technology, “Ransomware attacks on healthcare organizations will wreak havoc on America’s critical infrastructure community.”

Hollywood Presbyterian Medical Center paid nearly $17,000 in ransom to regain access to its computer systems after a ransomware attack. There is a direct correlation between the growth of healthcare technology and ransomware attacks, and the pressure to keep information secure and private will continue to increase. In May, the Medical Colleagues of Texas, an 11-physician practice in Texas, experienced a breach, exposing 50,000 patient records.

While patients risk personal data hacks, payers and providers risk potential lawsuits and backlash from the public and the government if data is compromised. The cost of securing data on your networks is far outweighed by the costs of the multiple lawsuits that arise from breaches and non-compliance, as the Hollywood Presbyterian attack demonstrates.

Technological Countermeasures

One of the more sophisticated technologies we have seen to protect data is encrypted enterprise platforms that provide 256-bit AES encryption to ensure that all data are exchanged safely and according to standards. These platforms also help to expose existing threats on the network. Occasional backups of your data may be simple to make, but there are companies dedicated to securing and backing up medical records in real time. With patient records backed up, organizations have less exposure to ransom demands, and hackers have less motivation to pursue them. Beyond backing up data, hospitals would be wise to back up their systems and configurations as well. That additional backup, known as a “gold image,” is a bare-bones copy of the system as it was before patient information was added. Both the backed-up data and the “gold image” should be kept in a fully secure environment with physical and IT safeguards to ensure privacy.
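A backup only reduces exposure to ransom demands if the organization can prove, before restoring, that the backup and the “gold image” were not themselves altered. The following is an added example, not code from the article or from any product it mentions: it builds a SHA-256 manifest of a backup set, signs the manifest with an HMAC key that is assumed to be stored offline, and then re-checks the set so that an overwritten record, a dropped ransom note, or a forged manifest is reported rather than silently restored. The file names, the key, and the sample records are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _file_hashes(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by its relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash the backup set and bind the hash list to a key kept off the network.

    Ransomware that can rewrite files can also rewrite an unsigned hash list;
    the HMAC means a matching manifest cannot be forged without the key.
    """
    entries = _file_hashes(root)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(root: Path, manifest: dict, key: bytes) -> dict:
    """Report whether the backup set still matches its signed manifest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # The manifest itself is not trustworthy, so no per-file verdict is possible.
        return {"ok": False, "manifest_trusted": False, "modified": [], "missing": [], "added": []}
    current = _file_hashes(root)
    known = manifest["entries"]
    modified = sorted(f for f in known if f in current and current[f] != known[f])
    missing = sorted(f for f in known if f not in current)
    added = sorted(f for f in current if f not in known)
    ok = not (modified or missing or added)
    return {"ok": ok, "manifest_trusted": True, "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed walk-through: clean backup, ransomware-style damage, forged manifest."""
    key = b"constructed-demo-key-keep-offline"  # assumption: real key lives outside the network
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient-0001.json").write_text('{"id": "0001", "policy": "PLACEHOLDER"}')
        (root / "records" / "patient-0002.json").write_text('{"id": "0002", "policy": "PLACEHOLDER"}')
        (root / "config").mkdir()
        (root / "config" / "app.ini").write_text("[db]\nhost=db.internal.example\n")

        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulated damage: one record overwritten with ciphertext, a ransom note dropped.
        (root / "records" / "patient-0002.json").write_bytes(b"\x00encrypted\x00")
        (root / "README_DECRYPT.txt").write_text("constructed ransom note")
        after = verify_backup(root, manifest, key)

        # An attacker who rewrites the hash list but lacks the key cannot pass the HMAC check.
        forged = {"entries": _file_hashes(root), "hmac": manifest["hmac"]}
        forged_result = verify_backup(root, forged, key)

    return {"clean": clean, "after_attack": after, "forged_manifest": forged_result}
```

Run `demo()` to see the three verdicts; in production the manifest and key would be produced when the gold image is created and stored with the same physical and IT safeguards the article calls for, and `verify_backup` would run before any restore.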

Biometric authentication technologies are another safeguard against data breaches. Software that can identify physical features of an individual, such as fingerprints, retinal patterns of the eyes, and voice, can help organizations control access to labs and records.

Payers and providers should be ensuring end-to-end encryption and security of their patients’ data on all devices 24/7. Device-management systems protect phones in the event of theft. Security features monitor existing data for traces of suspicious activity, and wipe-and-lock systems keep unauthorized users out. There are also platforms that prevent untrusted, non-compliant file-sharing apps from accessing patient data, further protecting application data.

Beyond Technology

Technology is not the only way to keep healthcare data protected. Hospitals, payers, and providers should be developing not only preventative steps toward keeping hackers out, but also an action plan for all employees should their systems suffer any kind of hack. An action plan should have explicit, step-by-step procedures for both pre-breach and post-breach, and should draw on lessons from past data breaches. Such plans should include setting up notifications when an employee has sent data outside the network, and regular risk assessments. Companies then need to test these plans regularly to eliminate weak spots and ensure employees are following protocol. Trained employees are the first step toward protecting patients’ data, and action plans serve both as prevention and as remediation for past breaches. It is the organization’s obligation to make sure its employees understand training protocols and to understand where weak spots exist, so they can be corrected immediately. Limiting employee access, disallowing USB drives, deleting phishing emails, and avoiding virus-ridden websites may seem like obvious steps, but they must be stated policy, and policies must be enforced.
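The notification the action plan calls for, a flag whenever an employee sends data outside the network, can be driven from the organization's own transfer logs. The following is an added example, not part of the article: it reads a constructed upload log (the format, the internal address range, the sanctioned external endpoint, and the volume threshold are all assumptions for the demonstration), ignores transfers that stay inside the network or go to a contracted partner, aggregates everything else per employee and destination, and marks high-volume cases so the security team can review them first. Malformed log lines are skipped rather than allowed to abort the run.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log; assumed format: "<timestamp> <user> <src_ip> <dst_ip> <bytes_out> <action>"
SAMPLE_LOG = """\
2016-08-11T09:02:11Z jdoe 10.20.1.15 10.20.5.9 48211 upload
2016-08-11T09:15:40Z jdoe 10.20.1.15 203.0.113.7 3400 upload
2016-08-11T09:31:05Z jdoe 10.20.1.15 192.0.2.50 5000 upload
2016-08-11T10:01:02Z asmith 10.20.2.31 198.51.100.22 18500000 upload
2016-08-11T10:03:18Z asmith 10.20.2.31 198.51.100.22 22100000 upload
this line is malformed and must be skipped
2016-08-11T11:45:09Z rlee 10.20.3.8 10.20.5.9 900000 upload
"""

INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]    # assumption: the hospital LAN
SANCTIONED_EXTERNAL = {ipaddress.ip_address("203.0.113.7")}   # assumption: contracted backup/HIE endpoint
HIGH_VOLUME_BYTES = 10_000_000                                 # assumption: review threshold


def is_internal(ip) -> bool:
    """True when the address sits inside one of the organization's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_line(line: str):
    """Parse one log line; return None for anything that does not match the assumed format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, src, dst, size, action = parts
    try:
        return {
            "ts": ts,
            "user": user,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "bytes": int(size),
            "action": action,
        }
    except ValueError:
        return None


def external_transfers(log_text: str, high_volume: int = HIGH_VOLUME_BYTES) -> list:
    """Aggregate uploads that left the network for non-sanctioned destinations.

    Returns one notification per (user, destination), sorted, with a
    high_volume flag so the largest outflows are reviewed first.
    """
    totals = defaultdict(lambda: {"bytes": 0, "transfers": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "upload":
            continue
        if is_internal(rec["dst"]) or rec["dst"] in SANCTIONED_EXTERNAL:
            continue
        agg = totals[(rec["user"], str(rec["dst"]))]
        agg["bytes"] += rec["bytes"]
        agg["transfers"] += 1
    return [
        {
            "user": user,
            "dst": dst,
            "bytes": agg["bytes"],
            "transfers": agg["transfers"],
            "high_volume": agg["bytes"] >= high_volume,
        }
        for (user, dst), agg in sorted(totals.items())
    ]
```

Calling `external_transfers(SAMPLE_LOG)` yields two notifications: the two uploads from `asmith` to `198.51.100.22` are combined into a single high-volume entry, while the small transfer from `jdoe` to `192.0.2.50` is reported without the flag. Transfers to the contracted partner and within the LAN produce nothing, which keeps the notification list short enough that the action plan's reviewers will actually read it.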

It is easy for hospitals to feel exposed in this era of breaches and ransomware attacks. However, with the right combination of technologies and training, they are already on a safer path.

Harish Pai is CTO at Infinite Computer Solutions and has over 25 years of experience in the technology and analytics landscape. He started his career at Microsoft and moved to NIIT, Tech Mahindra and, most recently, Infinite Computer Solutions. At Infinite, he is responsible for creating and defining Infinite’s healthcare service offerings, mainly focusing on big data, analytics, security, and compliance. He is responsible for ensuring big data is safely and securely shared across platforms throughout all relevant geographies.
