Security of Protected Health Information
Contents
Introduction
Theft of protected health information is one of the fastest growing crimes in the U.S., costing an estimated $30 billion a year and growing.[1] For the healthcare industry in 2020, ransomware attacks were responsible for $20 billion lost in impacted revenue, lawsuits and ransom paid, impacting over 600 hospitals, clinics and other healthcare organizations.[2] More than 1 in 3 health care organization globally reported being hit by ransomware in 2020.[3] A recent report found that external threat actors perpetrated 61% of data breaches, insiders accounted for 39%. [4] Healthcare organizations are routinely targeted by state-sponsored and state-protected cyber gangs, such as the WannaCry attack from North Korea and the NotPetya ransomware virus believed to be from Russia.[5]
Information breaches can incur both response and logistic expenses as well as loss of productivity and revenue. Secondary losses can include the effect on healthcare provider's reputation. Hospitals may have to pay large legal defense fines as well as judgments from legal or regulatory actions from the government.[6] Cyber attacks also directly affect patients: intermingled records for still in medical identity can lead to dangerous medical outcomes by introducing medical inaccuracies.[1]
Examples of Cyberattacks
- July 2020 attack on Family Medical Center of Michigan. The system paid $30K in ransom to cybercriminals. [7]
- July 2021 attack on the University Medical Center of Southern Nevada in which patient data was stolen. [8].
- August 2021 attack on Memorial Health System [9].
- September 2021 attack on Missouri Delta Medical Center. Stolen medical information was released online [10]
Motivations for Cyberattacks and PHI Theft
Electronic health record information is extremely valuable: the price of complete record of a single patient can be sold for 100s of dollars on the dark web [11] Medical information could allow individuals to gain access to prescription medication, receive medical care or access to their financial data. [12] Ransomware attacks can be used to extort money for decrypting as well as not leaking stolen data. More than 1 in 3 health care organizations opt to pay the ransom even though the FBI advises against it [13]
Additional motivations can range from local political, foreign state-sponsored, and terrorist: attackers may seek to disrupt critical human services as a form of political retaliation [14]. For example, Boston Children's hospital received a DDoS attack as part of a campaign related to Justina Pelletier, a teen involved in a high-profile custody battle between her parents and the state of Massachusetts [15] Moreover, in the wake of the Russian war in Ukraine, CISA revealed that Russian state-sponsored threat actors were targeting healthcare and pharmaceutical industries and organizations. [16] These attacks are a form of asymmetrical warfare to achieve foreign policy, military and intelligence objectives [17]
Cyberattack Methods
Known Attack Methods
- Intercepting unencrypted or poorly encrypted data on improperly disposed of electronic media (hard drives, floppy disks, optical media) that contain ePHI [18]
- Planting malicious code onto network machines through email or web downloads
- "Malicious Insider": exploiting or extorting employees with or without administrative access [19]
- Using social media to conduct social engineering attacks – attackers may use information from social media pages to impersonate or trick healthcare providers into performing actions beneficial to the hacker. [14]
- Intercepting unsecured virtual private networks and compromised home work stations. [20]
- Brute-force guessing compromised or weak credentials [21]
- Cross-site Scripting and Forgery [22]
- URL redirection to untrusted sites [22]
Known and Common Vulnerabilities
- Improperly configured multifactor authentication (ensure that MFA does not let you re-enroll a new device for a dormant account) [17]
- "PrintNightmare" vulnerability in the print spooler
- Remote Desktop Protocol (RDP) connections between computers on the network once access is gained. [17]
- Missing or Poor encryption [21]
- Unused or inactive accounts [22]
Prevention
HIPAA regulated entities must implement required implementation specifications, or else document why and implement equivalent alternative measures if reasonable and appropriate. [23]
CMS Security Standards
- Administrative Safeguards
- Definition: “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
- Includes: Security management and training, assigned security responsibility, security incident procedures
- Physical Safeguards
- Definition: “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
- Includes: facility access, workstation use, workstation security, device and media controls.
- Technical Safeguards
- Definition: “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
- Includes: access control, audit control, person or entity authentication, transmission security
General Tips
- Balance frequent password changes - more frequent changes means more calls to IT for password resets and note-written passwords [1]
- "Bring your own device" - can increase productivity and decrease cost but also create more work for the IT department
- Physical safeguards should also be considered: locked doors, property controls (tags, engraving on equipment), personal controls (ID badges, visitor badges), private security [24]
- Hospitals should use carefully audited maintenance log to track equipment and facility repairs that affect physical security [1].
- Human resources should screen new employees for potential liabilities, using criminal records, credit check, drug test, and a search for aliases [1]
Recommendations from the American Hospital Association [25]
- Hospital and health system IT and cyber infrastructure teams should subscribe to cybersecurity alerts from the AHA.
- Employ geo-fencing restricting inbound and outbound traffic to certain countries
- Put into place four-to-six business continuity plans for all internal and third-party mission-critical operations
- Frequently check the redundancy, resiliency and security of the organization's network and data backups - ensure there are multiple copies, including some that exist off-line
- Have a cross-function leadership-level cyber incident response plan which is fully documented, updated and practiced
Recommendations from the FBI and CISA [26]
- Ensure multifactor authentication (MFA) is required for all users and properly configured against "fail open" and re-enrollment scenarios
- Implement time-out and lock-out features
- Disable inactive accounts
- Keep software updated, while prioritizing fixes for known vulnerabilities
- Monitor network logs continuously for suspicious activity
- Implement security alerts
Recommendations from HSS Cybersecurity program [27]
- Enable multi-factor authentication
- Encourage users to choose strong, unique passwords
- Enabling single sign-on
- Restrict access to RDP connections, and audit connectivity logs for port 3389
- Limit access to certain times of the day
- Automated access expiry after a certain amount of time.
Legal Recourse [28]
- USC T18 §1030 covers cyberattacks: unauthorized access, extortion,
- Title 31 - allows for financial sanctions on foreign entities that have conducted or facilitated cyber attacks against U.S organizations
- Title 10 & Title 50 - Allows for offensive posture towards cyber threats.
References
- ↑ 1.0 1.1 1.2 1.3 1.4 Phelan, J. (2012). Creating a Trusted Environment: Reducing the Threat of Medical Identity Theft. Healthcare Information and Management System Society, 29. Retrieved from https://risk.lexisnexis.com/cross-industry-fraud-files/docs/healthcare/Creating-Trusted-Environment-Reducing-Threat-Medical-Identify-Theft.pdf
- ↑ https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
- ↑ Weiner, S. (2021, July 20). The growing threat of ransomware attacks on hospitals. AAMC.
- ↑ https://enterprise.verizon.com/resources/reports/dbir/
- ↑ https://www.aha.org/center/cybersecurity-and-risk-advisory-services/ransomware-attacks-hospitals-have-changed
- ↑ Hutton, A., & Jones, J. (2013). Risk Taxonomy (O-RT), Version 2.0.
- ↑ https://www.monroenews.com/story/news/2021/09/20/hackers-target-local-health-care-company/8403463002/
- ↑ https://healthitsecurity.com/news/hospital-ransomware-attack-in-las-vegas-exposes-pii
- ↑ https://healthitsecurity.com/news/memorial-health-faces-lawsuit-after-hive-ransomware-cyberattack
- ↑ https://healthitsecurity.com/news/hive-ransomware-continues-to-attack-healthcare-providers
- ↑ Forensic Readiness. Journal of Medical Systems, 43(1). https://doi.org/10.1007/s10916-018-1123-2
- ↑ https://healthitsecurity.com/features/ensuring-security-access-to-protected-health-information-phi
- ↑ https://assets.sophos.com/X24WTUEQ/at/s49k3zrbsj8x9hwbm9nkhzxh/sophos-state-of-ransomware-in-healthcare-2021-wp.pdf
- ↑ 14.0 14.1 Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-12r1
- ↑ https://www.securityweek.com/hacktivist-gets-10-year-prison-sentence-ddos-attack-hospitals
- ↑ https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf
- ↑ 17.0 17.1 17.2 https://www.aha.org/cybersecurity-government-intelligence-reports/2022-03-15-joint-cybersecurity-advisory-russian-state
- ↑ Wilshusen, G. C., & Barkakati, N. (2012). Information security: better implementation of controls for mobile devices should be encouraged : report to congressional committees. Retrieved from http://purl.fdlp.gov/GPO/gpo33062
- ↑ Engineering Institute, S. (2008). Introduction to Information Security. Retrieved from www.isc.org/index.pl
- ↑ Weiner, S. (2021, July 20). The growing threat of ransomware attacks on hospitals. AAMC.
- ↑ 21.0 21.1 https://www.balbix.com/blog/the-9-types-of-security-vulnerabilities/
- ↑ 22.0 22.1 22.2 https://www.soffid.com/most-common-security-vulnerabilities/
- ↑ https://www.hhs.gov/sites/default/files/controlling-access-ephi-newsletter.pdf
- ↑ CMS. (2007). Security Physical Safeguards. Retrieved from www.cms.hhs.gov/SecurityStandard/
- ↑ https://www.aha.org/advisory/2022-02-23-us-declares-start-russias-invasion-ukraine-introduces-sanctions-cyber-shields
- ↑ https://www.cisa.gov/news/2022/03/15/mitigating-threats-posed-russian-state-sponsored-cyber-actors-exploitation-default
- ↑ https://www.cisa.gov/sites/default/files/publications/202010081030%20TrueFighter%20RDP%20TLP%20White.pdf
- ↑ https://www.aha.org/center/cybersecurity-and-risk-advisory-services/ransomware-attacks-hospitals-have-changed
Submitted by Nikhil Kurapati