Cyber Risk to Healthcare Sector Continues to Grow, FBI Says
Hackers are targeting the healthcare industry because of the abundance of personally identifiable information and protected health information, as well as inherent cybersecurity vulnerabilities, and the trend will continue to grow.
That’s the assessment of Donald Good, deputy assistant director of the Federal Bureau of Investigation’s cyber division, which considers the healthcare sector to be a “Tier 1 highly targeted industry.”
When it comes to cybersecurity, Good believes that some industries such as the financial services sector are more progressive than the healthcare industry. Among healthcare’s challenges: older/legacy systems, a transition from paper to electronic medical records, Bring Your Own Device policies, and a high payout for protected health information sold on the black market.
Good told an audience on Monday at the inaugural HIMSS Connected Health Conference in Washington, D.C., that healthcare executives at the CEO and boardroom level must be made to understand that cyber threats to protected health information are a real concern with real consequences.
While it’s often difficult to determine where stolen PHI goes and how it is being used, he called it a “treasure trove” of information for cyber criminals and bad nation-state actors.
“For a number of years, folks I think realized there was a threat out there, but it wasn’t as pervasive as it is today,” Good said. “It’s not a question of whether or not you’ve been compromised. You will be compromised at some point. I don’t care what you do or how much money you throw at the problem. When the information is gone, it’s gone. I don’t think people really understand how grave the threat is until they actually experience it firsthand.”
He sees what’s occurred in healthcare in the last 18 to 24 months as a wake-up call for providers and payers, referring to the attack on Anthem that exposed 78.8 million records, the Premera Blue Cross breach that affected 11 million individuals, and the Community Health Systems breach in which information for 4.5 million patients was compromised. And most recently, Excellus BlueCross BlueShield suffered a major cyber attack, affecting as many as 10 million individuals.
Yet, smaller healthcare organizations are also at significant risk, Good contends. “I wouldn’t assume that because you’re a smaller provider or payer that you’re not a target,” he warned. “The bigger organizations oftentimes have more resources that they can put against the threat. They’ve got the funding and personnel to harden their networks a little bit better. These smaller organizations are perhaps at just as great a risk—if not more—because they don’t have some of those resources.”
At the same time, Good warned that many of the healthcare breaches go unreported by organizations who don’t want the negative publicity. The large-scale health data compromises “get all the media attention” but he argued that the problem is more widespread than what’s being reported.
“Oftentimes when we have a foreign actor, you have somebody in your network for probably six to eight months before you realize that they are there,” said Good, who called the current cyber threat environment the “most dynamic and complex that we have ever seen.”
Adding to the threat vector, the FBI in September issued an alert warning about the cybersecurity risks that networked medical devices and wearables pose to consumers. According to the law enforcement agency, Internet of Things (IoT) devices—which connect to the web automatically sending and/or receiving data—include medical devices such as wireless heart monitors and insulin dispensers as well as wearable fitness devices.
“Unfortunately, after you’ve been breached or compromised, we can come in and investigate but the damage is done at that point,” Good lamented. According to Good, healthcare organizations are never going to totally eliminate the risk of cybersecurity vulnerabilities and threats. But, he advises, they can do a lot to mitigate their risk. Good recommends practices such as strong passwords and two-factor authentication, which he acknowledges can be “a little bit more laborious but it’s worth it if it saves you from a major breach.”
Another common pitfall that the FBI sees in healthcare organizations is granting personnel “elevated privileges” that allow them to go anywhere on a network, or leaving network access active for an employee who no longer works for the organization, Good cautioned. “If we can, we’d like to get out in front of the threat and help you prevent something from happening,” he said, noting that email spoofing through spear phishing is an all-too-common way for hackers to gain access to networks when people click on an email and open an attachment.
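As an added example (not from the FBI or this article), the following script reconciles a constructed account export against a constructed HR roster and flags the two pitfalls just described, departed employees whose accounts are still enabled and elevated privileges not justified by a person's role, plus enabled accounts that have gone unused. The roster, group names and the role-to-privilege mapping are assumptions made for the example.

```python
"""Audit user accounts against an HR roster for orphaned access and
standing elevated privileges. All data here is constructed sample input."""
from datetime import date

# Constructed HR roster: who still works here and what role they hold.
HR_ROSTER = {
    "asmith": {"role": "nurse", "active": True},
    "bjones": {"role": "sysadmin", "active": True},
    "cdoe":   {"role": "billing", "active": False, "left": date(2015, 9, 30)},
}

# Constructed account export: username, enabled flag, groups, last logon.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "groups": ["clinical", "domain_admins"], "last_logon": date(2015, 11, 2)},
    {"user": "bjones", "enabled": True, "groups": ["it", "domain_admins"], "last_logon": date(2015, 11, 1)},
    {"user": "cdoe", "enabled": True, "groups": ["finance"], "last_logon": date(2015, 10, 15)},
    {"user": "svc_legacy", "enabled": True, "groups": ["domain_admins"], "last_logon": date(2015, 1, 5)},
]

# Assumed policy: only these roles may hold membership in privileged groups.
PRIVILEGED_GROUPS = {"domain_admins"}
ROLES_ALLOWED_ADMIN = {"sysadmin"}
TODAY = date(2015, 11, 3)  # constructed audit date


def audit(accounts, roster, today, stale_days=90):
    """Return (user, finding) tuples for an access reviewer to act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        privileged = PRIVILEGED_GROUPS & set(acct["groups"])
        if person is None:
            # Account with no owner in HR: service account or leftover identity.
            findings.append((user, "no matching HR record"))
        elif not person["active"] and acct["enabled"]:
            # Access never terminated after the employee left.
            findings.append((user, "enabled account for departed employee"))
        if privileged and (person is None or person["role"] not in ROLES_ALLOWED_ADMIN):
            findings.append((user, "elevated privileges not justified by role: %s" % sorted(privileged)))
        if acct["enabled"] and (today - acct["last_logon"]).days > stale_days:
            # Enabled but unused accounts are a favourite foothold for intruders.
            findings.append((user, "enabled but unused for more than %d days" % stale_days))
    return findings


def run_audit():
    return audit(ACCOUNTS, HR_ROSTER, TODAY)
```

In practice the roster and export would come from the HR system and the directory, and the review would run on a schedule rather than once.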
However, he also recommended a number of additional best practices for incident preparedness in the event that something does happen, including: network topography maps to understand how networks and systems are set up, incident logs, archived network traffic, and operations contingency planning and disaster recovery procedures.