Cyber Security: 7 Steps to Keep Your Company Safe


America is under attack. These attacks are not of the traditional kind; they come from cyberspace.

It sounds like science fiction, but it is real. Over the past twelve months, over 200 million healthcare records have been breached, stolen, illegally altered or distributed by hackers. Whether these are independent attackers or part of a systematic Critical Infrastructure attack scheme is unknown, although the patterns are rather recognizable. I have discussed this issue here with the healthcare industry in mind but will expand on the other major industries that make up our nation’s “Critical Infrastructure” in subsequent blog posts.

Why is health information a greater target for cyber attacks than other types of personal records?

  • From a legal standpoint, much health-related data is Protected Health Information (PHI), which makes it more personal and confidential than most other data sets.
  • Beyond the health records themselves, connected healthcare databases such as Electronic Health Record (EHR) systems are interoperable. Through these links, attackers can reach many attributes of an individual’s personal information, such as financial data, credit card numbers, home address and health history, including Medical Release, Donor Intent and Consent Forms.
  • A less likely but critical consideration is denial of service. If an Electronic Health Record database or Patient Portal is breached, it is possible for the “bad guys” to alter treatment protocols as well as medication e-transmission routines. In both ambulatory and non-ambulatory settings, such record modifications are seriously dangerous and can lead to patient harm or death.
  • HIPAA and the agencies that enforce it impose severe penalties for each record violated, above and beyond the provider’s obligation to notify all affected patients. When it comes to hundreds of thousands, and in some cases millions, of records, along with the likelihood of mass-scale legal consequences, an average provider such as a group practice or a small hospital may face a contingency loss that can practically drive it out of business. On average that cost impact can be $3-5 million for a small provider.
  • The issue is not only the financial loss: in a market that already has an extreme shortage of doctors, clinicians and every other type of healthcare provider, a systematic mass-scale attack can widen that gap. For mental health patients with PTSD, for example, that can cause a serious gap in treatment, putting the patient at risk as well as others around them. Thus it becomes a public health threat.
  • The Department of Homeland Security has begun investigating dozens of cases of suspected cyber security flaws in medical devices and hospital equipment that officials fear could be exploited by hackers, as identified back in 2014.[i] Where that number stands today is unknown. Recently the FBI has also issued warnings on medical devices. “The alert from the law enforcement agency about the “deficient security capabilities” of medical devices, such as wireless heart monitors and insulin dispensers, reinforces the need for providers to adopt best practices that limit unauthorized access to the devices and their sensitive data. One of the potential threats to unprotected IoT (Internet of Things) devices that the FBI warned the public about involved scenarios in which hackers might change the coding controlling the dispensing of medicines or health data collection.”[ii] Now imagine all the life-support systems that currently have little or no protection from cyber-attacks. With more of the population approaching the critical elderly mass, millions of IoT life-support and alarm systems are likely to be deployed. It is a good economic market. But how safe are they?
  • The most recent data breach, on October 2, 2015, also involves a large number of consumers. Consumer credit monitoring firm Experian on Thursday disclosed a data breach that exposed the personal data of 15 million potential T-Mobile customers.[iii] I am not getting into why that happened and who was affected. However, the number is large. Furthermore, what we generally see is that the volume estimated in the early stages of “exposure identification” keeps growing. IT security experts might agree that in large-scale data breaches, absolute estimates are almost impossible. It is also true that the real number of records exposed can be much larger when the systems are interoperable and relational. So there is a possibility that we might hear a much bigger number for the “Experian” incident in the weeks or months to come, although I hope that is not the case here. Health IT systems are designed to be highly interoperable and deeply relational.
  • Unfortunately, the nation is not well aware of the seriousness of the issue. Perhaps most people, including policy makers, are not technical enough to understand the cascading effect of these disruptions on the economy. This is an attack at the highest level on our critical infrastructure, because it is citizens’ lives we are talking about. Policy makers and candidates are aware of the steady stream of damaging cyber incidents. I feel the need to rectify the situation and protect our health data from cyber-attacks should be at the top of the agenda for the would-be “kings” fighting for the throne. Unfortunately, while the presidential race is heating up, are we forgetting the “mission-critical” issues that we need to face and rectify now, or are we waiting for the succeeding political batch? I am not sure I have heard much of a “debate” on this matter. Have I missed something?

How does this affect you as a provider?

There are many answers to that question. The following are just a few:

  • Advanced Persistent Threat (APT) refers to a type of cyber-attack designed to evade an organization’s present technical and process countermeasures.[iv] Too technical a sentence? Well, APTs are those ‘nasty’ kinds that can bypass firewalls, intrusion-detection systems and anti-malware programs without much effort. In addition, the attacks have become much more sophisticated even over the past six months. While I began my discussion with the healthcare industry, the reputable Ponemon Institute study points out four specific areas for all industries in general. The researchers used advanced analytics to break down the projected economic impact of an attack per employee, using a simple algorithm based on the number of employees, just to give us an idea of what might happen. I shall try to explain the potential cost to a small provider with 100 employees.
    1. Cost of technical support.
      • These activities escalate to “put things back in place.” The projected cost is $208 per employee, or around $20,000 for a small provider with 100 employees. Based on today’s market rates for IT support, I feel this cost might be over $50,000. The primary reason is that Health IT networks and data repositories are much more complex and time-consuming to reconfigure, reorganize and protect than most other types.
    2. Cost of lost productivity.
      • Attacks might shut down an entire network along with its workstations. Many other technological disruptions might take place as the maggots start penetrating the information pipeline. The bottom line is “Business Continuity,” where people might sit for days twiddling their thumbs. The estimated cost is around $25,000 to $30,000; however, I feel that in healthcare, “doing nothing” in a mission-critical setting is not a choice. This might cause a much larger economic impact, given the stringent clinical workflows and the precise timing required to execute them.
    3. Revenue and business disruption losses.
      • It is rather obvious that there is serious loss involved with your inability to provide services. In healthcare that might mean sending a patient to another facility immediately. Thus it is not just your revenue loss but the additional cost incurred in finding an appropriate alternative facility and transferring the patient there to be settled and treated properly. That is a monumental responsibility.
    4. Value of diminished brand and reputation.
      • I am not sure there is a logical way to calculate that impact, although the study puts this potential loss at around $770 per capita, or $77,000 for a provider with 100 employees. One thing to keep in mind: the reputation of a hospital, or even of a single physician, is the main asset of an intellectually and technically knowledge-based outfit. Healthcare is such an industry. Irrespective of big buildings, sophisticated equipment and physicians with five credentials, patient satisfaction depends heavily on “kind and caring” nurses and doctors, the wait time to see somebody and how well the staff explains a patient’s or a loved one’s condition. These “soft” factors bring patients back when they need to choose a provider again or recommend one to friends and family. All of these factors can be severely affected by a serious blockage of information and communication resources during a “mission-critical” episode.
      • The other factor to consider is my own “Episode multiplier”[v] theorem. Typically in the US, a patient visits healthcare providers about 4.6 times a year, according to the CDC. In many cases, a new patient might decide to visit his doctor three times a year or more. Thus there is a built-in repeat-business pattern in healthcare, a medical mentality that is not common in other industries. We tend to stick with ‘my doc,’ in some cases for 15-20 years. So the potential future loss of revenue due to a “bad experience” in healthcare is, I think, much higher than in other types of industry.
      • Unfortunately, the healthcare industry has a higher propensity to be attacked by cyber-criminals.[vi] Over 80% of C-level executives say that their organizations have been the target of cyber-attacks during the past two years, and only about half feel that they are adequately prepared to thwart them, according to the 2015 KPMG Healthcare Cybersecurity Survey.[vii] This might be because of the significant use of RFID and Wi-Fi based devices, networks, clinical decision support systems (CDSS) and Electronic Health Records, which contain a lot of patient data. Furthermore, it appears that cyber criminals make a hefty profit from healthcare data, and finally there are a lot of providers, large or small, not truly equipped to combat the attacks. So it is “low-hanging fruit,” so to speak.
      • Last but not least, healthcare is probably subject to more compliance requirements. These include HIPAA-based regulations, contingency rules, fines and, above all, litigation exposure from patients. I think that, by far, an average healthcare provider is exposed to a much higher risk of doing business than any other industry.

The question was “How do these attacks affect a typical provider?” The above are just a handful of potential consequences, but there are many more, I am sure.

What can you do?

In a large setting like a hospital, the security officers are better placed to answer that question, because the solutions truly differ by facility workflow configuration, IT network, virtual domains and, above all, a trained workforce. But there are some general suggestions I can give that might apply irrespective of the size of the facility:

  1. First and foremost, data governance and compliance are the keys to preventing any security breach, whether physical, infrastructural or cyber. An excellent point is made by John Moynihan: “Unfortunately, many organizations continue to focus solely on technological controls, such as firewalls, anti-virus and encryption. While basic technical controls are necessary, pursuing a technology based approach is myopic, misguided and the recipe for a regulatory violation.” He gives a good example of regulatory compliance enforcement in Massachusetts, stating: “Attorney General Martha Coakley recently signaled that the Commonwealth will hold accountable those who fail to protect the personal information of Massachusetts residents. On May 24, the Attorney General announced a $750,000 fine for an organization’s failure to implement appropriate safeguards, policies and procedures to protect consumer information, failure to properly train its workforce and failure to execute confidentiality agreements with a third-party vendor.”[viii] Unless people realize the seriousness of the consequences, they seem to rely solely on technology. I am not sure such compliance policies exist today in every state, but they should, and for every industry. Tech-based security providers seem to be making hefty profits without a carefully studied systems analysis and data governance policy to go along with their products. Many credible publications repeat the recommendation that corporate credentials, as visible as user IDs and passwords, have to be protected. These are easy targets but can cause the most damage. In fact, investigations of current breaches reveal that lost or stolen corporate credentials play a significant role in allowing advanced threats to succeed, with an estimated 76 percent of network breaches due to lost or stolen credentials.[ix] This is a matter of security policy and data governance, not technology.
  2. All workforce members, management, clinical and non-clinical, must have basic training in cyber-security and its implications.
  3. While you have enough responsibility and obligations taking care of patients (and that is what you should concentrate on), there are security experts or companies, just like a specialist in Ear, Nose and Throat, who can look into the strength and validity of your SSL/TLS certificates to secure your dedicated domains. I am trying my best not to be technical; thus how that is done is beyond the scope of my discussion here.
  4. Let’s face it. “Our traditional network and endpoint defenses are clearly outmatched and don’t stand a chance at preventing, investigating, or remediating today’s targeted attacks.”[x] Except for household use, I can’t confidently say they do much for a business of any kind. Healthcare providers need to consider Intrusion Detection and Prevention Systems (IDPS) and pervasive firewall technologies. This is not a discussion of cyber-security technologies or IT. However, irrespective of the size of the provider, cost can be an issue, but it is nothing compared to what a cyber-attack might cost you. I think the majority of small providers cannot withstand the contingent financial blow they will face if disaster strikes.
  5. Make sure all data is backed up daily. And I mean no exception! A reliable daily backup is the most effective weapon against cyber-disasters. Not necessarily with desktop or network backup software, but an enterprise solution from an MSP (managed service provider), usually developed by large companies such as IBM, AT&T or Dell. These suites generally come in pairs: an enterprise security solution as well as a systematic backup appliance. Not that I am trying to make any specific recommendation, because every case must go through “Contingency Planning and Documentation” before you decide. By the way, as I understand it, “HIPAA’s security regulations require health care organizations to have a disaster recovery plan, and an emergency mode operation plans to respond to emergencies that could damage systems with electronic protected health information (EPHI).”[xi] You might look into this plainly explained PDF document.
  6. Make sure the backup operations are chronologically managed, secured, and encrypted to HIPAA standards. Normally, AES with a 256-bit key is preferred. However, “there are many different encryption methods and technologies to protect data from being accessed and viewed by unauthorized users.”[xii] There are also other well-documented safeguard standards for covered entities published on the Health and Human Services website.
  7. There should be “fire drills” to test the recovery of data on connected servers and workstations, and all of that should be well documented in a systematic “Contingency Plan” along with network and endpoint diagrams. I often see them done in 2007 (just an example) and perhaps repeated in 2012; nevertheless, nobody really knows where those three-ring binders are. All restorations should be tested at least twice a year; these days, my preference would be every quarter.
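To make steps 5 and 7 concrete, here is an added example (my own, not code from the original post) of a restore “fire drill” in Python: it backs up a constructed sample record tree, restores the archive into scratch space, and fails the drill if any file came back missing or altered, or if the backup is older than a day. Encryption of the archive (step 6) is left to the backup product and is not shown; the file names and contents are constructed for illustration.

```python
"""Backup fire drill: archive a directory, restore it elsewhere, verify every file."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 60 * 60  # the "daily, no exception" rule

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzipped tar of source and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest(source)

def restore_drill(archive: Path, expected: dict, now=None) -> dict:
    """Restore into scratch space and compare with the manifest taken at backup time.
    'passed' is True only if nothing is missing or altered and the backup is fresh."""
    now = time.time() if now is None else now
    stale = (now - archive.stat().st_mtime) > MAX_BACKUP_AGE_SECONDS
    # Newer Pythons ship a 'data' filter that refuses absolute paths and traversal.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extra)
        restored = manifest(Path(scratch))
    missing = sorted(set(expected) - set(restored))
    altered = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    return {"missing": missing, "altered": altered, "stale": stale,
            "passed": not (missing or altered or stale)}

def run_demo(now=None, phantom=None) -> dict:
    """Back up a constructed sample record tree and drill the restore.
    'phantom' names a file the plan expected to be backed up but never was."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "ehr"
        (source / "notes").mkdir(parents=True)
        (source / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (source / "notes" / "visit1.txt").write_text("constructed visit note\n")
        archive = Path(work) / "ehr-backup.tar.gz"
        expected = make_backup(source, archive)
        if phantom:
            expected[phantom] = "0" * 64  # recorded in the plan, absent from the archive
        return restore_drill(archive, expected, now)
```

Run `run_demo()` against a fresh backup and the report is `passed: True`; pass a far-future `now` or a `phantom` file and the drill fails for staleness or a missing file respectively, which is exactly what a quarterly restoration test should surface.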

I could go on with my elaborations, but one can get a good idea of how serious the matter is. Although my discussion here was more healthcare oriented, it applies to every industry. It is interesting that Homeland Security has designated October as National Cyber Security Awareness Month, stating, “We now live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. Recognizing the importance of cybersecurity to our nation, President Obama designated October as National Cyber Security Awareness Month. National Cyber Security Awareness Month is designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.”[xiii]


References

[i] Jim Finkle. U.S. government probes medical devices for possible cyber flaws. Reuters News. Oct 22, 2014.

[ii] Greg Slabodkin. How to Respond to FBI Alert on Medical Devices. Health Data Management. Sep 16, 2015.

[iii] Stephanie Mlot. Experian Breach Exposes 15 Million T-Mobile Users. PCMag.com.

[iv] The Economic Impact of Advanced Persistent Threats. Sponsored by IBM, independently conducted by Ponemon Institute. May 2014.

[v] Dey, Sukhen. Impact of Affordable Care Act (ACA) on health informatics: Expect an explosion. International Computing and Technology On-line Conference. Sullivan University, USA. December 2014. Indexed in the IEEE Xplore database.

[vi] Jim Finkle. Exclusive: FBI warns healthcare sector vulnerable to cyber-attacks. Reuters News. Apr 23, 2014.

[vii] Susan D. Hall. Survey: 81 percent of C-suite execs have seen cyberattacks at their facilities. FierceHealthIT (http://www.fiercehealthit.com). August 26, 2015.

[viii] John Moynihan. Data Protection Law – Compliance is Mandatory. Minuteman Governance. June 9, 2014.

[ix] Protecting corporate credentials against today’s threats. A whitepaper from IBM. September 2014.

[x] The Business Case for Protecting Against Advanced Attacks: Demonstrating the ROI of FireEye as a Service to Non-Technical Executives. A research analysis from FireEye. https://www.fireeye.com/

[xi] HIPAA Security Compliance Insider. A Plain English Guide. http://www.hcpro.com/content/42684.pdf

[xii] Security Standards: Technical Safeguards. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

[xiii] National Cyber Security Awareness Month 2015. Homeland Security. http://www.dhs.gov/national-cyber-security-awareness-month

About the Author

Dr. Sukhen Dey serves as an adjunct professor of technology at Sullivan University, Graduate School, KY, has served as an Associate Professor of Computing Science and Informatics at Indiana University Southeast in New Albany, IN, USA for over twenty-five years, and is a former adjunct faculty member of the Masters of Health Administration Program at Park University in Parkville, MO, USA. He holds a doctorate degree in Interdisciplinary Science, an Education Specialist degree in Higher Education and an MBA, all from the University of Louisville.
