How HHS Says Health Systems Can Manage Cybersecurity Threats

Samara Rosenfeld
JANUARY 04, 2019

With cybersecurity threats putting patients’ data and health information technology (IT) at risk, the U.S. Department of Health and Human Services (HHS) recently released cybersecurity practices to manage hazards and protect patients.
 
Cybercrimes happen in every industry, but they are even more concerning when the repercussions can directly impact the health and safety of patients.

And the need for healthcare to defend itself has never been clearer.
 
Four in five U.S. physicians have experienced some form of cybersecurity attack, and according to a study from IBM Security and the Ponemon Institute, the health sector has the highest cost per breached record at $408. The price climbed from $380 in 2017.

 
In 2016, the U.S. healthcare system lost $6.2 billion due to data breaches, according to the HHS report.
 
So, the HHS developed a task force in 2017, comprising more than 150 healthcare and cybersecurity experts through the Health Sector Coordinating Council and its government partners.
 
The group had three core goals: to cost-effectively reduce cybersecurity risks for a range of healthcare organizations; to support the voluntary adoption and implementation of its recommendations; and to ensure that content is actionable, practical and relevant to healthcare stakeholders of every size and resource level.
 
The group focused on five threats: email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety.
 

Email Phishing

Thought phishing was dead? That’s dead wrong. Phishing emails, of course, include links or files that appear to come from a legitimate source, but clicking the link may result in malicious software being downloaded. Phishing attempts can also provide access to information stored on a user’s computer or on other computers within a network.
 
Lack of awareness of what to look for when opening emails is a big vulnerability when it comes to email phishing. Health systems often don’t have software that scans and detects malicious content.
 
Attacks like these can result in stolen credentials, which can be used to access sensitive data, fueling patient safety concerns and loss of trust and brand reputation.

 
Health executives can train their staffs to know what to look for when opening emails and where to send suspicious messages when they are received. It is also important to implement advanced technologies for detecting malicious content.
 

Ransomware Attacks

If a hospital is buying bitcoin, this is probably the reason why. Ransomware is a type of malicious software that attempts to deny access to a user’s data by encrypting the information with a key known only to the hacker — until ransom is paid.
 
Most ransomware attacks are sent in phishing emails that require the user to enter their credentials. Vulnerabilities that lead to such attacks are similar to those that enable phishing, including lack of anti-phishing capabilities, unpatched software and lack of anti-malware detection and remediation tools.
 
These attacks can be very costly for companies and could lead to partial or complete clinical and service disruption.
 
It is important to understand authorized patching procedures, use strong and unique usernames and passwords, limit which users can log in via remote desktop, and implement a backup strategy that secures the backups so they are not accessible from the network they are backing up.
 

Loss or Theft of Equipment or Data

If a mobile device like a laptop, tablet or smartphone gets lost or stolen, it may end up in the hands of hackers. From January through August 2018, the HHS Office for Civil Rights received reports of 192 theft cases affecting more than 2 million individuals. And if these devices were not safeguarded or password-protected, the loss of the device could result in unauthorized or illegal access and dissemination and use of sensitive data.
 
A lack of asset inventory and control, physical security practices and simple safeguards make a user or network vulnerable.
 
Inappropriate access to or loss of sensitive patient information can lead to a damaged reputation. Health systems are also in jeopardy of losing unencrypted personal health data.
 
Encrypting sensitive data is one way to potentially mitigate this problem. Health systems can also implement proven and tested data backups with reliable restoration of data. Additionally, health systems can define a process with clear accountabilities to clean sensitive data from devices before they are retired, refurbished or resold.
 

Insider, Accidental or Intentional Data Loss

Accidental insider threats are unintentional and caused by honest mistakes such as being tricked, negligence or procedural errors. Being a victim of email phishing is one example of an accidental insider threat.
 
An intentional insider threat is malicious loss or theft by an employee or any user of the organization’s technology infrastructure, network or databases with the objective of inflicting harm to the organization or another individual, or for personal gain.
 
Negligence is a big part of this problem, and files containing sensitive data being emailed to incorrect or unauthorized addresses puts a health organization at risk. Lack of monitoring and tracking access to patient information on electronic health record systems can also be a vulnerability.

 
Incidents such as these can expose personal health information in data breaches. These incidents are also costly, as hackers can swipe banking and routing numbers.
 
HHS recommends training staff and IT users on data access to lessen procedural errors and implementing data loss prevention tools that could detect and block the release of personal health information.
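As an added illustration of the data loss prevention control described above (example code written for this article, not a tool from the HHS report), the following check inspects an outbound email for common personal health information indicators and blocks it when any are found and a recipient is outside the organization. The internal domain, the indicator patterns and the sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed PHI indicator patterns; a production DLP policy would be tuned
# to the organization's own record formats and reviewed for false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:ICD-10|diagnosis)[:\s]*[A-Z]\d{2}(?:\.\d{1,2})?\b", re.IGNORECASE),
}

# Assumed internal mail domain for this example.
INTERNAL_DOMAINS = {"example-health.org"}


@dataclass
class Verdict:
    action: str                      # "allow" or "block"
    reasons: list = field(default_factory=list)


def scan_message(sender: str, recipients: list, body: str) -> Verdict:
    """Block outbound mail that would carry PHI to a recipient outside the organization."""
    hits = [name for name, pattern in PHI_PATTERNS.items() if pattern.search(body)]
    external = [r for r in recipients if r.split("@")[-1].lower() not in INTERNAL_DOMAINS]
    if hits and external:
        return Verdict("block", [f"PHI indicators {hits} addressed to external recipients {external}"])
    if hits:
        # Internal-only delivery is allowed but recorded so access can be audited later.
        return Verdict("allow", [f"PHI indicators {hits} sent internally by {sender}; logged for audit"])
    return Verdict("allow")


if __name__ == "__main__":
    # Constructed sample messages: a misaddressed referral and a routine internal note.
    samples = [
        ("nurse@example-health.org", ["billing@gmail.com"],
         "Referral for patient, MRN: 12345678, DOB: 04/12/1961, diagnosis: E11.9"),
        ("nurse@example-health.org", ["records@example-health.org"],
         "Chart update for MRN: 12345678"),
        ("nurse@example-health.org", ["friend@gmail.com"], "Lunch at noon?"),
    ]
    for sender, recipients, body in samples:
        verdict = scan_message(sender, recipients, body)
        print(verdict.action, verdict.reasons)
```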
 

Attacks Against Connected Medical Devices that Risk Patient Safety

Medical devices are intended to be used in the diagnosis or treatment of a disease. But if a cybercriminal gets access to a provider’s network and has control over a server that a medical device is attached to, the attacker could then take control of all similar devices. This could be life-threatening for many patients.
 
It is important for health systems to make sure their network’s patches are implemented properly; otherwise, the servers are at greater risk.
 
Employees need to know their organization’s protocols in case of an attack against medical devices, like how to notify patients. IT experts need to be available to help employers with any issues regarding their technology.
 
Communication with the medical device manufacturer’s product security teams could also be beneficial to provide answers to health organizations.
