Why Healthcare Is Heaven for Hackers
2014 was the year of the customer data breach. Consumers grew a little too used to hearing that yet another company's data had been hacked and personal information compromised. According to a 2014 study published by the Ponemon Institute and sponsored by IBM, the average cost of a data breach to a company was $3.5 million in 2013. That figure does not account for the major breaches that hit several household-name brands in 2013–14. News outlets analyzing the fallout of those cyberattacks have reported that the credit card data breach at Target cost the company north of $150 million.
This year, the news of breaches has not slowed, but there’s a twist — this time hackers are focusing their efforts on healthcare companies.
Ailing Security in the Health Industry
Several major health companies have been the targets of cyberattacks since the start of 2015, with compromised personal records numbering in the hundreds of thousands. Healthcare breaches are not run-of-the-mill hacks. Affected customers cannot simply have account numbers swapped and go on with their lives; the medical information compromised in these breaches carries much higher stakes. It is a triumvirate of health, personal and financial information: extremely sensitive for consumers and very valuable for thieves.
“Organizational leadership can no longer address security as simply an IT issue,” said Brian Cea, a healthcare business development manager at Insight. “This is now being driven by consumer sentiment, which means much is at stake for the business side of healthcare.”
The rash of healthcare data breaches is so concerning it has spurred a handful of lawsuits and congressional committees to address the matter. The results of litigation and regulatory scrutiny will take time — time that many healthcare affiliated businesses do not feel they have. Meanwhile, businesses that control health information are scrambling for proverbial Band-Aids as they look for long-term security management solutions.
The Root Causes
At least one of the recent health data breaches is thought to have been caused by Heartbleed, the web server vulnerability that affected more than 60% of the Internet. There are other vulnerabilities which, if left untreated, can result in regulatory non-compliance and, perhaps worse, a data breach.
End of Support for Windows XP
Under HIPAA compliance rules, if your operating system has reached its end of support (EOS), you are out of compliance. Such is the case with Windows XP. Months after Microsoft ended its support for the OS, one in five small business users were still running the platform.
The once widely used operating system still has a lot of healthcare users, in part because a lot of proprietary software was built with dependencies on this Windows version. That makes systems incredibly hard to update, because it does not just mean upgrading the OS; it means reworking entire suites of software to keep things functioning.
Performing a mass upgrade, together with the associated system and software updates it may require, often means going offline for a period of time. At a busy practice or a major health management company this is a very big ask, so many organizations remain averse to tackling these projects.
Reluctant or not, the vulnerabilities facing those still running Windows XP a year after its end of support are significant, and those risks go beyond compliance.
When Microsoft issues updates or patches for vulnerabilities in its operating systems, hackers make it their business to identify the piece of code that addresses the issue. Once they have identified it, all cyberattackers need to do is develop code to exploit the vulnerability. Each time a new security update is released, they can go back to older operating systems to check whether the same vulnerability exists there, knowing that an unsupported OS will never receive the fix. This makes it more dangerous to be an XP user every time Microsoft releases a new round of security enhancements.
End of Support for Windows Server 2003
Technology refresh is an inevitable cycle. 2014 was the year that XP reached its end of support, and this year, on July 15, Windows Server 2003 will do the same. The same issues apply to this end of support: multiple application dependencies mean that upgrading servers also means reworking a number of systems and pieces of software in order for everything to keep working efficiently.
“In general, everyone has been slow to migrate, especially those with servers that are running applications,” said Rob Helm, vice president of research at the consulting firm Directions on Microsoft, in a September 2014 Wall Street Journal interview.
It is estimated that 39% of all Microsoft server operating systems are running Windows Server 2003. That is about 24 million servers globally.
As with the XP end of support, hospitals have systems running hundreds of applications that require Windows Server 2003. Upgrading to a supported platform means overhauling a number of other applications. Daunting as it is, the task has to be completed in full, because even one unsupported server can compromise an entire network.
“If you have even one server in your environment that isn’t protected — in theory — you’ve kind of created an entry point … where somebody got into a specific port or a specific server and then they just went wild from there,” notes Insight Microsoft Practice Director David Mayer.
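As an added example that is not from the article or from Insight, the following Python check does the inventory work the two end-of-support sections above describe: it reads an asset export, flags every host whose OS has passed its end-of-support date as of a given day, and lists the dependent applications that make a straight upgrade hard. The inventory rows are constructed, and the product-to-date table is an assumption limited to the two platforms the article names.

```python
import csv
import io
from datetime import date

# End-of-support dates for the two platforms the article names (Microsoft's
# published lifecycle dates); adding further products is left as an assumption.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Constructed sample inventory, not real hosts: host, OS, and the clinical
# applications that depend on that host (a real export would come from a CMDB).
SAMPLE_INVENTORY = """\
host,os,dependent_apps
rad-ws-01,Windows XP,PACS viewer;dictation client
lab-srv-02,Windows Server 2003,LIS interface engine
emr-srv-01,Windows Server 2012 R2,EMR database
front-desk-07,Windows 7,scheduling client
"""

def load_inventory(text):
    """Parse a CSV export into dicts; dependent_apps is a ';'-separated list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dependent_apps"] = [a for a in row["dependent_apps"].split(";") if a]
        rows.append(row)
    return rows

def eos_findings(inventory, as_of):
    """One finding per host whose OS support ended on or before as_of (ISO date):
    how long it has been unsupported and which applications block a simple OS
    upgrade (the dependency problem the article describes). Longest-unsupported
    hosts come first, since they have missed the most patch cycles."""
    cutoff = date.fromisoformat(as_of)
    findings = []
    for row in inventory:
        eos = END_OF_SUPPORT.get(row["os"])
        if eos is None or eos > cutoff:
            continue  # still supported, or not yet past its end-of-support date
        findings.append({"host": row["host"], "os": row["os"],
                         "days_unsupported": (cutoff - eos).days,
                         "blocking_apps": row["dependent_apps"]})
    return sorted(findings, key=lambda f: f["days_unsupported"], reverse=True)

if __name__ == "__main__":
    for f in eos_findings(load_inventory(SAMPLE_INVENTORY), "2015-08-01"):
        print(f"{f['host']}: {f['os']} unsupported for {f['days_unsupported']} days; "
              f"blocking apps: {', '.join(f['blocking_apps']) or 'none'}")
```

Run against a real export, the blocking_apps column is the list to hand to application owners first, since those dependencies are what keep the unsupported host alive.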
Big Data, Big Opportunities
Recent regulations and legislation have mandated the use of Electronic Medical Records. These digital enhancements have increased patient engagement and created more streamlined care and traceable outcomes, but the volume of personal data now being collected has also created huge opportunities for hackers.
According to Boston University health policy professor Alan Sager in ihealthbeat.com, “The ability of healthcare companies to compile data has grown far faster than their ability to protect it.”
Whereas financial institutions and company points of sale (both online and offline) have had the opportunity to beef up their defenses, healthcare has faced competing priorities such as those listed above. From industry mandates like the HITECH Act and ICD-10 to keeping pace with technology refresh, staying compliant and secure is a struggle.
Add to this the rising black-market value of patient information and the stakes get even higher. For providers, securing patient data is not just a regulatory requirement; it has to become central to the mission of care.
Planning for the Best Outcome
Just as practitioners and patients are becoming partners in health, healthcare organizations and IT solution providers must partner in planning the most compliant and secure IT environment.
“We’re really focused on helping our healthcare clients assign the right priorities and tackle the projects that allow them to focus on providing quality patient care,” said Cea. “We see securing the infrastructure as a direct way of caring for patients.”
Web server vulnerabilities and Electronic Medical Records are not the only doors being opened for cyberattacks on healthcare networks; mobile healthcare and the cloud are providing pathways as well. Healthcare providers and their technology partners need to work together to avoid security breaches, keeping patient information and business data both confidential and available.