Lagging Cyber Security in the Healthcare Industry

It is common knowledge that the healthcare industry has been facing a series of damaging cyber security problems – whether it is a lack of funding for cyber security protection or the fallout from yet another breach of an unsuspecting hospital’s data, the deluge never seems to end. This most recent report not only adds another chapter to this unfortunate saga, but it also showcases the lag between healthcare and every other industry in the greater economy.

UpGuard publishes a report every year detailing over 7,000 results from cross-industry company audits of their current cyber security standing. Through its CSTAR scoring system, each company’s cyber security protection is ranked on a scale from 0 – 950. For the purpose of this report, the healthcare industry firms investigated ranged from insurers to hospitals to pharmaceutical companies. The average score landed at 420, exposing the very obvious vulnerabilities within many of the industry’s subsections.

The unfortunate part about this report is that not only does it further cement the cyber insecurities of the healthcare industry within the mind of the consumer, but the solutions listed are fairly simple to implement and yet these institutions don’t have the funds, manpower or time to do anything!

For example, healthcare networks fall victim to a number of phishing attacks. An unsuspecting employee or administrator opens an email that seems to come from a legitimate source and is suddenly thrust into the middle of an unfortunate breach where data has to be replaced, recreated, or returned in exchange for a ransom payment. And even if these firms do have security hardware in place, most of the time the necessary upgrade requirements are never met and the once protective hardware becomes a huge paperweight.

Mid-sized hospitals seem to be targeted the most – smaller hospitals most likely won’t have the funds to pay a ransom even for their most vital data, and larger hospitals have security protocols in place that make a breach harder. With estimates that the 2015 breaches in this sector alone – with 113 million medical records stolen – could cost the industry as much as $6.2 Billion, something needs to be done within these organizations and the healthcare industry at large to protect not only these vital services but the data they hold as well.

Healthcare Fraud & Cyber Security: Is Your Data Safe?

Healthcare fraud is a booming business, especially considering over 80% of healthcare providers have been the unlucky victims of a cyber attack within the last year. KPMG’s “Healthcare and Cyber Security: Increasing Threats Require Increased Capabilities” sheds some light on the healthcare industry’s current cyber security actions, or lack thereof, and how they intend to stem healthcare fraud. Specifically, the survey findings highlight concern for the number of attacks experienced by hospitals and health insurance providers alike, the low level of detection and prevention, and the increased awareness for cyber security (while action is still not taken in a timely manner). As the relationship between the increased number of cyber threats and the limited ability to handle them evolves, the silver lining is that the healthcare industry seems to be making a bold effort to increase security.

Some other key facts found in the report:

  • 13% experienced more than one cyberattack a day at their organization
  • 16% say they cannot detect an attack in real time
  • 15% do not have a leader with the responsibility of information security
  • 23% said they do not have a security operations center to detect threats
  • 55% said they have trouble finding staff for their security positions
  • 86% have increased cyber security spending
  • 85% have discussed cyber security in the past year

Of course, we can’t make excuses for these organizations. These healthcare organizations and insurance companies hold very private information, and while spending has increased from previous levels, the numbers are well below what they should be. A few options to bridge this gap could be:

There is no cookie cutter response to provide protection from malicious hackers; however, each industry needs to face the demands of ever-evolving technological connectivity and the potential threats that come with it. Fortunately, expert cyber security professionals like Neovera are able to provide assistance along the way if the need should arise. We provide 24×7 cyber security management and monitoring to protect your patient and employee data, so healthcare providers can rely on Neovera for expert service.

Are You The Next Medjacking Victim?

IoT-connected devices are in the news for all the wrong reasons lately – and this particular one is a doozy. “Medjacking” isn’t a term often found in the day-to-day lexicon but it should be, especially since it could become a matter of life or death.

Potentially affecting devices like pacemakers and x-ray machines, medjacking is defined as hacking into a device with the express intent to harm the patient being treated. Once a tall tale, it has become a serious concern to the point that the FBI issued a warning this past year to current and future patients, along with medical facilities utilizing these IoT-connected devices. Still not convinced? Imagine that a hacker weaseled their way into your loved one’s pacemaker, an instrument essential to their livelihood. In exchange for releasing their control, they demand an exorbitant amount of money as a ransom payment. This situation could easily become a reality if proper security protocols are not adopted by device companies, the hospitals that use them and the patients that rely on them every day.

After receiving a heart defibrillator, former Vice President Dick Cheney immediately had the wireless option disconnected and cited medjacking as his reasoning for doing so – keep in mind that was in 2007. Considering the leaps and bounds both hackers and cyber security protection options have taken since, now is the time to consider the options organizations and patients have to protect themselves before it’s too late. On the patient side, knowing whether the device has wireless capabilities is half the battle. If it does, understand whether that feature can be turned off, or if it can’t, how to properly safeguard the device. For larger medical organizations dealing with IoT-connected devices within their office walls, having a managed and monitored cyber security services provider will not only allow for a fully secured environment, but also lends itself toward the ideal of a firm that is able to grow and expand without the hindrance of a possible cyber attack.

Hackers Put Your Health At Risk

Banner Health is the latest in a string of healthcare organizations to feel the wrath of a cyber attack. A recent data breach put close to 3.7 million records at risk due to vulnerabilities exploited and ultimately discovered by experts over the course of this summer. Is this just another hole punctured in the facade of the healthcare industry’s attempt at cyber security, or will changes actually be made that can guard sensitive customer and business data from future attacks?

The two attacks that took place over the course of a month affected two different groupings of information from customers in the Banner Health Network. First, there were the affected users who interacted with Point Of Sale systems in Banner Health-affiliated cafeterias and storefronts – consider this the crack in the glass ceiling. Second, that ceiling shattered when hackers were able to infiltrate the network further and obtain everything from social security numbers and the names, addresses, and health plan numbers associated with each user in their path.

Hackers have slowly shifted their concentration from obtaining financial data to data of the healthcare variety – think about all of the health industry organizations that have been attacked over the past year. The popularity shows on the Dark Web as well; while the financial data duo of name and SSN may go for $1/record, health information fetches at least $75/record or more. Researchers liken the latter to a credit card with no spending limit, not to mention that insurance fraud is much more lucrative.

Once a breach occurs at a group in the healthcare industry, the way that many experts suggest dealing with future issues is to completely wipe the database and start from scratch. The reason is that even if they find the vulnerability, there’s no real way to tell how deep it went and how long it went on for. The quick fix is to just start from scratch, which is a project that would take months to complete and affect user accessibility on a variety of levels. This is where a partnership with an MSS/MSSP like Neovera comes in to save the day – if an attack comes out of nowhere, your company isn’t stuck in the dark without a plan to put into place immediately. Plus your organization can rest assured that its protected data is secure, 24x7x365.

Hacked Hospital Equipment: Is Your Health at Risk?

Hacked hospital equipment: the immediate assumption is that it’s a reference to the computers that store medical data, and not the machines controlling the amount of anesthesia given to a patient. In this increasingly interconnected world, where remote surgeries are fairly commonplace, the latter option is becoming more and more of a concern for healthcare providers. Who is to blame for this severe oversight, what can healthcare providers do to protect patients, and how can patients educate themselves about the potential threats?

Billy Rios, the expert in the field of hacked hospital equipment, demonstrated for a local ABC7 affiliate exactly how easy it was not only to hack into a hospital-grade x-ray machine, but also to reconfigure and control it remotely. Considering their “white hat hacker” status, they just installed Donkey Kong onto the machine to prove their point; in real life, the situation could be much worse. To further show the high stakes associated with this vulnerability in the healthcare manufacturing industry, Billy explains, “We demonstrated that someone could take over an infusion pump and essentially change the dosage of medicine that’s being given to somebody…We’ve shown that we could crash the patient monitor or modify the data from a patient monitor so the data that’s going to the physician isn’t the right data.” These examples paint a terrifying picture of the potential future of medical care if something isn’t done to fix these gaping cyber security holes.

So what are manufacturers doing to make their products safe? Not much, unfortunately – though Rios did mention Hospira’s (of Pfizer) newest product included cyber security protection (after initial warnings from the FDA), manufacturers aren’t held accountable for not incorporating cyber security safeguards. Something as simple as spending a few thousand dollars to patch these vulnerabilities could save hospitals tens of millions of dollars. But until their hands are forced, these products continue coming off the line without cyber security protection.

Currently, the only real patient protection is hospitals spending above and beyond to protect machines that should be protected in the first place. However, as we have always reiterated throughout these posts, it is imperative to protect every single entry and exit point within a network. Just as you would with a secure building, if one door is left unlocked that’s the only thing a burglar needs to steal anything at their disposal. Until manufacturers heed the calls of both hospitals and patients, these gaps will continue to be pervasive throughout the healthcare industry.

Ransomware Attack Hits Los Angeles Hospital Hard

Ransomware, a newer type of cyber attack, is becoming increasingly popular. It is a virus that infects a computer or computer system and then locks all the files and programs; the hackers behind it are typically the only ones with the “key”, or code, that can unlock the victim’s data. Unfortunately, that key normally comes with a steep price that can range from hundreds to thousands of dollars. While some are able to escape scot-free because their data is backed up in a separate location, many are not as fortunate, as the news has recently been flooded with a number of high-profile ransomware horror stories.

According to various reports, a Los Angeles hospital noticed inconsistencies in their network, which soon led to a system-wide shutdown due to a crippling ransomware virus. Since the problem was reported on February 5, doctors have been unable to access any stored medical data or even cross-check their facts, leaving them to deal with faxing information or communicating via telephone and face-to-face interaction. The hackers originally demanded $3.6M in Bitcoin and facility staffers are working with both local law enforcement and the FBI. While they have maintained that patient care has not been compromised, a number of patients have been transferred to nearby hospitals due to the inability to access treatment records, X-rays, CT scans and other data.

At least 4 out of 5 healthcare institutions have reported some type of cybersecurity breach in the last two years, according to a study by KPMG. While ransomware attacks are mostly random – generated through mass emailings that are easily interacted with through any employee at the institution – the money that is demanded increases significantly if the hackers realize they have landed a big name, so to speak. Individual attacks can see demands of a few hundred dollars; unfortunately, once the attackers realized the group they had in their hands, the asking price greatly increased.

Ransomware attacks don’t have to completely level an individual or company – simply becoming more aware of suspicious emails or webpages is a major step in the right direction. Above all, backing up your priority system data is imperative; if the hackers hold your data hostage but you have another copy in a separate, safe location, paying them any kind of money becomes moot since the data they hold is obsolete and of no further value. However, this only holds for a regular ransomware attack – if the hackers were also going after the information itself, the situation would be far more egregious.

Update: With the hospital reportedly paying $17,000 to release the network from the ransomware attack, it is safe to say that ransomware attacks aren’t losing popularity with hackers, especially since they may be buoyed by this particular outcome. Until the potential victims and organizations educate themselves on best practices for spotting questionable online activity, as well as creating a plan to protect and store their key data, ransomware attacks will continue to be a major weapon in a hacker’s arsenal.

Is Paying the Ransom in a Ransomware Attack the Right Move?

There has been some debate recently about what to do if you are attacked with ransomware. Ransomware is a form of cyber attack that loads malware into computer systems that encrypts the files. The only way to break the encryption is with a “key”. The only way the key can be obtained is to pay a sum of money, or ransom.

Those that perpetrate ransomware often threaten that if the ransom is not paid within a certain timeframe, all the files will be deleted permanently.

For many businesses or other entities, losing all of their files would be debilitating, causing many to close up shop. For them the only recourse is to simply pay the ransom. This brings up another problem though.

If you pay the ransom, what is stopping another attacker from exploiting you, especially now that they know you’ll pay up when asked?

In 2015 a Swiss-based company called ProtonMail was the victim of a ransomware attack. What did they do? They paid the ransom. What happened next? Another attack.

ProtonMail stated they made a mistake paying the first ransom and put out a statement saying they would never pay another ransom to future attackers – “it was clearly the wrong decision,” they said.

Recently, another organization paid a hefty ransom to release their systems from the grasp of ransomware. Hollywood Presbyterian Medical Center was the victim of ransomware that crippled their systems. The attackers wanted 40 Bitcoins ($17,000) for the decryption key. Just as ProtonMail did, Hollywood Presbyterian paid the ransom.

So far Hollywood Presbyterian has not reported any additional attacks, but it’s only been a short time since they paid.

Ransomware attacks have become more prevalent in recent years as traditional cyber attacks have become more difficult to perpetrate – although that hasn’t stopped them from occurring, of course.

Thwarting ransomware attacks isn’t as tricky as it might seem though. The best way to guard against a ransomware attack is to keep offline or separate backups of your files and data. If you are the victim of a ransomware attack you can avoid paying the ransom and restore your data using your offline backups.

Of course, having a full suite of defenses against cyber attacks is a great strategy. Focusing on one aspect is sure to open you up to attacks in other areas. Having a full plan of attack – no pun intended – against ransomware and other methods is sure to set you up for success.

A Security Breach Affects 4 in 5 Healthcare Institutions

A recent report by KPMG surveyed 223 senior IT and security executives from different healthcare organizations and institutions and found that 81% of those questioned – all of which claimed more than $500M in annual revenues – experienced a security breach in the last two years. In other words, four out of every five people surveyed had experienced a security breach of some kind since 2014.

More unsettling was the number of participants that said they weren’t prepared for a security breach; to be specific, 66% of insurance executives and approximately 53% of hospital executives admitted as much. Two further unfortunate statistics: 13% experienced more than one cyberattack a day at their organization, and 16% said they could not detect an attack in real time.

Some other key facts found in the report:

  • 15% do not have a leader with the responsibility of information security
  • 23% said they do not have a security operations center to detect threats
  • 55% said they have trouble finding staff for their security positions
  • 86% have increased cyber security spending
  • 85% have discussed cyber security in the past year

The survey findings highlight concern for the number of attacks, the low level of detection and prevention, and the increased awareness for cyber security. Furthermore, it’s disconcerting to watch the relationship between the increased number of cyber threats and the limited ability to handle them, though it seems like they are making a bold effort to increase security (financially at least).

Though spending has increased from previous levels, the numbers are well below what they should be. Many organizations spend so little on information security in the first place that even if the expenditure doubled it may still fall behind many other organizations’ levels. And while we can’t necessarily expect 100% of these organizations to do things perfectly, we should expect more as a whole. These healthcare organizations and insurance companies hold very private information, and their actions aren’t showing that they take this responsibility to heart.

It will be interesting to see the trends these kinds of surveys show over the next few years. Cyber attacks and security breaches aren’t necessarily new, but are becoming bigger problems at a quicker rate. Plus, it’s difficult for large organizations to be agile when it comes to changing and implementing policies and new staff quickly.

Of course, we can’t make excuses for these organizations. We can only assert that they need to do something about the holes in their security tiers, whether that’s starting with a cyber security audit, hiring more staff, or simply addressing their compliance standards. Fortunately, there are expert cyber security professionals out there to help along the way if your company is not equipped to handle the added IT workload.

Cyberattack Alert: Excellus BlueCross BlueShield

Sadly, it wouldn’t be a complete week in the cyber world without news of another cyber attack or security breach. This time the victim was 10 million people insured by Excellus BlueCross BlueShield.

The major insurance carrier said this week they were made aware of a cyber attack that apparently occurred in December of 2013. What’s most unsettling though is the fact that the company did not know about the attack until last month – almost two years later.

It was reported that the attackers stole information such as names, addresses, SSNs, financial and medical account information, as well as member ID numbers.

While the information was encrypted, the hackers somehow gained administrative access to the IT systems allowing them to access the information.

The company claims that the information that was taken has not yet been used maliciously, at least to their knowledge.

So, what is Excellus doing to notify its customers of the breach? Sending a letter by standard mail, of course. I mean, who can trust e-mail after this little debacle, right?

In all seriousness, this is another set of unsettling news. Our personal information resides with so many different entities with much different levels of security for their (our) data. We have our information with credit bureaus and credit card companies, our insurance providers, banks, social media outlets, monthly services, and much more.

It is becoming almost impossible to predict when and where a cyber attack will occur, and it’s becoming increasingly more difficult to ensure our personal data is safe.

We need to continue to be diligent from both sides of the spectrum, as companies and as consumers, as we strive for better overall security and privacy for our personal information.

Healthcare IT Scrambling to Implement New Medical Code Systems

A new medical coding system is mandated for October 1, 2015. New medical record requirements already have healthcare IT departments scrambling to update systems and procedures. Now, with the new coding system set to replace the old one, IT departments have even more on their plate.

At the surface, a new medical coding system sounds great. Sure, who wouldn’t want an easy, standard way to identify diagnoses and to submit claims to insurance companies? In the end it should make things easier for everyone involved. Well, the ease that the new systems hope to provide is further complicating things for healthcare IT departments, and costing millions of dollars in the process.

The deadline for the mandate has already been delayed twice due to the complexity of the new codes and the lack of readiness from healthcare institutions throughout the country. But why is it taking so long, and what’s the problem? One of the main issues is the number of new codes that will be implemented. The current code standard, known as ICD-9, uses about 14,000 medical codes. The new standard, known as ICD-10, will have nearly 65,000. Implementing 50,000 new codes is certainly not an easy task.

Adding to the complexity is the fact that insurance companies will be using the coding system to settle claims. If a code is wrong, mistyped, or omitted by the system, whether by user error or system error, it could mean physicians and hospital systems lose out on money from claims. Furthermore, the old coding system only required numeric codes, which is now being switched to alphanumeric. So, in essence, everything about the system is changing, and medical systems around the country need to be in compliance by the date mandated.

There are many operations or applications that may need to be changed in order to comply. For instance, if the billing department uses some sort of automated billing system, the new codes will need to be implemented in this system. This also means growing your database capabilities quite a bit: not only will the number of database fields need to increase, but the size of the fields as well.
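To make the schema change concrete, here is an added example (not code from the original article or from any billing vendor) that audits a batch of claim records against a hypothetical “before” column, sized for 5-digit numeric ICD-9 codes, and a hypothetical “after” column sized for 7-character alphanumeric ICD-10 codes. The code format rules, the column definitions and the sample claims are all assumptions constructed for illustration.

```python
"""Pre-migration check for a diagnosis-code column moving from ICD-9 to ICD-10.

Assumed format rules (simplified; not from the article):
  * ICD-9-CM diagnosis codes, as the article characterises them: purely
    numeric, 3 to 5 digits, optional decimal point after the third digit.
  * ICD-10-CM codes: a letter, a digit, one alphanumeric, then optionally a
    decimal point and 1 to 4 more alphanumerics (3 to 7 characters without
    the dot).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

ICD9_RE = re.compile(r"^\d{3}(?:\.\d{1,2})?$")
ICD10_RE = re.compile(r"^[A-Z]\d[A-Z0-9](?:\.[A-Z0-9]{1,4})?$")


@dataclass(frozen=True)
class ColumnSpec:
    """Storage constraints of a diagnosis-code column (hypothetical schema)."""
    name: str
    max_len: int        # characters stored, decimal point stripped
    numeric_only: bool  # True when the column is typed as a number


# Hypothetical 'before' and 'after' column definitions for a billing table.
OLD_COLUMN = ColumnSpec("diag_code", max_len=5, numeric_only=True)
NEW_COLUMN = ColumnSpec("diag_code", max_len=7, numeric_only=False)


def normalise(code: str) -> str:
    """Canonical stored form: upper-case, whitespace and decimal point removed."""
    return code.strip().upper().replace(".", "")


def classify(code: str) -> str:
    """Return 'icd9', 'icd10' or 'invalid' for a single code (format check only)."""
    c = code.strip().upper()
    if ICD10_RE.match(c):
        return "icd10"
    if ICD9_RE.match(c):
        return "icd9"
    return "invalid"


def fits_column(code: str, col: ColumnSpec) -> bool:
    """Would the code be stored in `col` without rejection or truncation?"""
    stored = normalise(code)
    if len(stored) > col.max_len:
        return False
    if col.numeric_only and not stored.isdigit():
        return False
    return True


def audit_claims(claims: List[Tuple[str, str]],
                 col: ColumnSpec) -> List[Tuple[str, str, str]]:
    """Flag claims whose code is malformed or cannot be stored in `col`.

    Each flagged claim would otherwise leave the system with a wrong or
    missing code, which is the reimbursement risk the article describes.
    """
    problems = []
    for claim_id, code in claims:
        if classify(code) == "invalid":
            problems.append((claim_id, code, "malformed code"))
        elif not fits_column(code, col):
            problems.append((claim_id, code,
                             f"does not fit {col.name}(len={col.max_len}, "
                             f"numeric={col.numeric_only})"))
    return problems


# Constructed sample claims (claim id, diagnosis code); not real patient data.
SAMPLE_CLAIMS = [
    ("c1", "250.00"),    # numeric ICD-9 style code: fits the old column
    ("c2", "E11.9"),     # ICD-10 style: alphabetic first character
    ("c3", "S52.521A"),  # 7-character ICD-10 style code with extension
    ("c4", "e11.9"),     # lower-case input, normalised on the way in
    ("c5", "11.9"),      # mistyped: matches neither format
]

if __name__ == "__main__":
    for label, col in (("old schema", OLD_COLUMN), ("new schema", NEW_COLUMN)):
        print(label)
        for row in audit_claims(SAMPLE_CLAIMS, col):
            print("  ", row)
```

Run stand-alone, the old schema rejects four of the five sample claims while the new schema rejects only the mistyped one, which is the kind of pre-cutover testing the article says most providers and payers have yet to complete.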

Of course, the system is meant to do a lot of good and to hopefully save time and money while creating a standard. However, the costs of upgrades to comply are in the millions of dollars. Several insurance companies including United have spent over $100M in systems upgrades. Hospital systems may need to boost resources in order to manage and keep up with the coding process. Currently, there are under 200,000 medical coders working in the U.S. With the number of codes growing by about 400% one must believe that more resources will be needed to handle the growing list. Not only that, but the costs of upgrading systems for private physician practices could prove daunting and expensive. Many physician practices don’t have nearly as robust a system as hospitals do, and upgrading to systems that can handle the new codes is proving difficult.

It’s currently estimated that only about 10% of providers and payers have completed testing their systems with the new codes. Given that there are only a few short months left to do so, many are worried. Should these providers or payers not comply by the mandated date, it could mean significant delays for healthcare transactions, leading to financial disorder and ultimately less access to healthcare for citizens.

Sometimes you need to completely overhaul something. Tear down the walls and start anew. But at what cost? Surely we’ll see the benefits of these upgrades and standards down the road, but hopefully it won’t disrupt an important part of everyday life for many people around the country.