IT security teams in the healthcare industry face growing challenges. 2015 turned out to be so bad for patient data protection that the Department of Civil Rights at the US Department of Health and Human Services began publishing information about healthcare data breaches on its so-called "Wall of Shame". Last year alone, 253 healthcare breaches were recorded, each affecting at least 500 individuals, and together they exposed more than 112 million records. The same year brought the largest data breach in the history of the healthcare industry: the medical insurer Anthem lost 78.8 million records of patients' personal information, plus another 8.8 to 18.8 million records not related to patients.

As for 2016, we still have to wait for the year to end, but according to the forecast of the Health Insights division of research firm IDC, one in three patients could become a victim of a data breach. Last year, the largest number of breaches fell into the category "unauthorized access or unauthorized disclosure of information", although 90% of the ten largest breaches were classified as "hacking / IT security incident". So far in 2016 another trend has emerged: the main threats now include incidents involving stolen or lost devices and improper disposal of archived records. Here are the three biggest incidents of this year in this growing category (at the time of writing):
- Community Mercy Health Partners
  What happened: paper records were found in a dumpster.
  Number of affected individuals: 113,000
- Premier Healthcare, LLC
  What happened: laptops were stolen from a locked, secured administrative office (the laptops were protected only by passwords, and the data on them was stored unencrypted).
  Number of affected individuals: 205,000
- Radiology Regional Center, PA
  What happened: paper records were lost on the way to the incinerator.
  Number of affected individuals: 483,000
Since such large breaches happen more and more often, and detecting and countering these incidents is becoming harder, healthcare organizations have earned a reputation for being too slow to adopt IT security technology. As a rule, this is because healthcare organizations do not receive enough funding to improve their security infrastructure: cyber security is, unfortunately, not a top priority for their executive management. Attackers, on the other hand, are well aware that such organizations are easy targets and that their users' data is poorly protected.
There are positive examples, though. The Fraser Health Authority in British Columbia (Canada) stands out markedly from traditional healthcare organizations. Thanks to far-sighted management, a certificate-based authentication system was introduced there: all 26,000 employees and 2,500 doctors were issued smart cards. As a result, Fraser not only raised its level of security significantly but also gained a number of other benefits, including lower operating costs, better staff discipline and improved quality of patient care. Fraser is an excellent example of how implementing robust security controls not only did not get in the way of employees' work, but also made it possible to improve the performance of outdated systems.

Vulnerabilities in handling patients' medical records
Patient medical records are among the most valuable and liquid commodities for hackers. On the black market, cybercriminals can get on the order of hundreds of dollars even for a fragment of an electronic medical record. For comparison, a stolen social security number or credit card details are valued at about one dollar on the black market. The reason medical records are such a valuable commodity is that they contain all of a person's most important information, including social security number, date of birth and so on. This allows the thieves to obtain a new credit card or even to bill insurance companies or the state for fictitious medical services.
Another attractive feature of medical records, besides their high street value, is that they keep their value and relevance for a very long time. With financial information, the window for using it closes as soon as the victim notices the fraud and the credit card is cancelled or the bank account closed; medical records, by contrast, may stay available on the black market for a long time. This information can be sold or monetised in various ways, including buying or selling controlled prescription medications or committing insurance fraud, and each of these is a sizeable market.
The high value of patient medical records is the main reason there is so much ransomware in the healthcare industry. Ransomware, which encrypts data on the network and demands payment for the decryption keys, is particularly destructive in healthcare, where time is often critical. According to a recent Quick HIT Survey by Healthcare IT News and HIMSS Analytics, about 75% of the American hospitals that took part may have been hit by such malware in 2015.
Security in the healthcare industry is an increasing concern, especially given that the number of data breaches is expected to grow in the coming years. It has long been held that, when it comes to security, the healthcare industry lags behind the rest of the world. Indeed, many healthcare organizations limit themselves to meeting the requirements of regulations that are sometimes outdated.
According to a 2016 study of IT security and risk management by HIMSS Analytics, only a quarter of respondents run a coherent, uniform programme of active risk management in their organizations, and Old World companies are often ahead of their overseas counterparts.
The Albert Schweitzer Ziekenhuis (ASZ) hospital in the Netherlands, for example, serves over 500,000 patients each year across its main hospital and outpatient clinic system. It is a good example of an organization that successfully combines a high level of security with convenience for patients. The hospital has over 4,000 employees, and ASZ uses one-time password tokens together with a cloud authentication server. This guarantees a high level of security for patient information while still giving attending physicians and nursing staff access to the medical information they need, wherever they are: inside the hospital building or outside it.
Sweden is another country with very advanced technology for securing the confidentiality of patients' medical records. It runs the SITHS initiative, in which smart cards are used to identify healthcare and social services staff, and the required level of security is achieved through logins and digital signatures. A key requirement of the system is strong protection of practising physicians' digital accounts through smart card-based two-factor authentication, which improves patient safety and protects their personal data. Healthcare employees use their SITHS cards to access the nationwide National Patient Overview portal, which stores all patient information online. Currently, 100% of primary care documentation is kept as electronic health records (EHR). In addition, more than 95% of all prescriptions written in Sweden are transmitted electronically (ePrescriptions).

Protecting mobile access to medical data
Now that we have seen how patients' medical records can be protected electronically, it is time to turn to mobile technology. By 2020, about 70% of the world's population is expected to use smartphones, and more than 1.2 billion tablets will be in use. The world is becoming ever more interconnected, and as a result a growing number of important transactions and a growing share of information exchange no longer go through traditional paper workflows but through electronic transactions. This is true of the healthcare industry too. Patient medical records will be stored electronically, and medical staff will be able to access them from tablets. Such solutions should make ward rounds in hospitals and home care easier.
Electronic identity cards with public key infrastructure (PKI) certificate-based authentication remain one of the most reliable ways to secure healthcare workers' access. These credentials provide logical, physical and visual identification of the individual and protect confidential patient data from unauthorized access. They can also be deployed to implement a "follow me desktop" model (my information is always with me); the healthcare provider Sunrise Health Region in Saskatchewan (Canada), for example, has successfully rolled out such a solution. An employee simply inserts the ID card into a card reader to start a session and view the patient's medical records on the terminal screen. As soon as the card is removed from the reader, the session is closed and the patient information becomes unavailable, in line with HIPAA standards, under which leaving a workstation unattended without password protection is a violation.
What about mobile devices? Implementing the same security solution on tablets and smartphones that have no USB port or smart card slot can be a daunting task. The security standards applied to mobile users are often less strict, and sometimes they are neglected altogether. This is because on many devices such solutions simply do not work, and that is precisely what must not be allowed when confidential medical records and personal health information are at stake.
Bluetooth is the only communication channel implemented across a wide variety of end devices, so it can be used for authentication on almost any of them. For example, a healthcare worker can simply pair the adapter holding the electronic identity card (a badge holder) with their mobile device, just as we pair a mobile phone with a car. Thanks to MobilePKI, once this pairing is established the smart card is recognised and handled as if it were inserted into a card reader on a laptop.
By deploying a Bluetooth solution, healthcare organizations can extend the reach of their PKI-based protection, giving doctors and nurses an additional degree of freedom and the ability to use mobile devices anytime and anywhere. Besides serving as the second factor of PKI authentication, Bluetooth lets employees digitally sign important documents such as electronic prescriptions (ePrescriptions).
Electronic ID adapters and tokens based on Bluetooth Low Energy are a viable solution. Healthcare organizations can deploy them easily and integrate them into their existing ecosystem of electronic certificates to strike the necessary balance between security and mobility.
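The card-to-terminal exchange behind the certificate-based login described above, which is the same challenge-response a paired Bluetooth badge adapter would relay, as an added Go example that is not from the original article or from any vendor named in it. Card, newIdentity, Enrol and Authenticate are assumed names; the Ed25519 keys and one-day certificates are a constructed fixture standing in for a real hospital PKI, and the card is simulated in software.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Card struct {
	key  ed25519.PrivateKey // generated on the (simulated) card and never leaves it
	Cert *x509.Certificate  // issued by the hospital CA; the terminal reads this, never the key
}

// Sign answers a terminal challenge; a USB reader or a paired Bluetooth adapter only relays bytes.
func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.key, challenge) }

// newIdentity generates a key and a one-day certificate for it; parent == nil gives a self-signed CA.
func newIdentity(serial int64, cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, signer, t.KeyUsage = t, key, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// Enrol builds a hospital root CA (constructed fixture), issues one employee card from it and returns the terminal trust store plus the card.
func Enrol(hospital, employee string) (*x509.CertPool, *Card) {
	caKey, ca := newIdentity(1, hospital, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	key, cert := newIdentity(2, employee, ca, caKey)
	return pool, &Card{key: key, Cert: cert}
}

// Authenticate is the terminal side: the certificate must chain to a trusted hospital CA, then the card must sign a fresh nonce (the second factor).
func Authenticate(roots *x509.CertPool, card *Card) (employee string, ok bool) {
	if _, err := card.Cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", false // foreign issuer, expired or otherwise untrusted card
	}
	nonce := make([]byte, 32) // fresh per login, so a recorded response cannot be replayed
	rand.Read(nonce)
	pub, isEd := card.Cert.PublicKey.(ed25519.PublicKey)
	if !isEd || !ed25519.Verify(pub, nonce, card.Sign(nonce)) {
		return "", false
	}
	return card.Cert.Subject.CommonName, true
}
```

Removing the card from the reader (or losing the Bluetooth pairing) would simply end the session on the terminal side; a copied certificate without the card's private key fails the challenge, which is what makes this a second factor.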
Thus the "vaccine" against the "new plague" of recent years, data breaches in healthcare, is close to widespread use.