CareTech News

MU: Security – What You Need to Know and Updates 08/26/14

August 2014

Meaningful Use Update
Security – What You Need to Know and Updates

In the General Rules of the HIPAA Security Rule, we are required to “protect against any reasonably anticipated threats or hazards to the security or integrity of [electronic protected health] information (ePHI).” How do we reasonably anticipate the threats or hazards to patient information that we must protect?
The Concept of “Threat Intelligence”
In cybersecurity, there is the concept of “threat intelligence.” Simply put, threat intelligence is an analysis of security incidents, such as data breaches and malicious attacks. Threat intelligence is often made available as a human-readable report, though it may also be made available in a machine-readable format and used to automatically configure security controls such as security gateways and intrusion prevention systems. I read a lot of threat intelligence reports – the human-readable kind – and they help me better understand cybersecurity risks. What follows is a summary of recent threat intelligence:
Healthcare Data at Risk of Cyber Intrusion
On April 17, 2014, the FBI Cyber Division released a Private Industry Notification (PIN) stating, “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain.” A notice from the FBI about increased risks to healthcare data got my attention. The notice states that the healthcare industry has “lax cybersecurity standards” and “is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs),” and that “the healthcare industry is not as resilient to cyber intrusions compared to financial and retail sectors, therefore the possibility of increased cyber intrusion is likely.”
“A risk assessment can identify specific cybersecurity risks that need to be addressed, but a roadmap or plan should be developed to close gaps identified in the risk assessment.”

Jim Deren
Healthcare IT Planning
CareTech Solutions

The notice further explains that healthcare data is more valuable to cyber criminals than other types of data. Criminals can obtain a higher payout on the black market for stolen medical records than for stolen credit card numbers. The FBI cites a report from RSA titled Cybercrime and the Healthcare Industry which states that medical information sells for about $50 per record, compared to $1 per record for SSN or credit card data. These numbers fluctuate based on the market, but generally healthcare data is worth five to ten times what credit card data is worth.
As we all learned from recent news reports, Chinese hackers have stolen the personal information of more than 4 million patients of Community Health Systems, making this the largest data breach that has taken place in the healthcare industry thus far. Similar to the Target breach of last winter, malware (malicious software) was instrumental in the attack. It is not yet known how the malware was delivered, but a frequent technique is via “phishing” emails. It is not time to panic, but it is time to act.
Four Top Healthcare Data Breach Types
In April 2014, the annual Verizon Data Breach Investigation Report was published. This report stratifies breaches by industry and type of breach. In healthcare, the top types of breaches are:

- Theft / Loss (46%)
- Insider Misuse (15%)
- Misc. Error (12%): includes misdelivery, disposal errors, misconfiguration and malfunction.
- Point of Sale Device Intrusion (9%)

Key Findings on Healthcare Data Risks

A report from Ponemon Institute, commissioned by ID Experts, titled Fourth Annual Benchmark Study on Patient Privacy and Data Security was published in March 2014. Key findings include:

- 90% of the organizations who responded to the study reported at least one breach of patient information in the previous two years.
- 38% had more than five breaches.
- The estimated average economic impact to each healthcare organization is $2,000,000 over a two-year period.
- Criminal attacks are up 100% since 2010 (still a small portion of the breaches, but growing).
- Employee negligence is the biggest concern of those who responded.

Healthcare Organizations Themselves Compromised by Malware
The SANS Health Care Cyberthreat Report, published in February 2014, analyzes data from a global network of threat detection sensors. Over a 13-month period (September 2012 to October 2013), those sensors recorded attacks originating from 375 U.S.-based healthcare organizations. The attacks came from many types of devices on the healthcare systems’ own networks, including medical devices such as X-ray machines as well as more traditional computer systems.
This indicates that healthcare organizations have devices on their networks that are compromised by malware and controlled by cybercriminals. In many cases, the organizations are unaware of the problem or unable to resolve it. This report was cited by the FBI and led to the comments above about “lax cybersecurity standards.”
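The two threat-intelligence uses described above, machine-readable indicators feeding a security control and spotting an organization's own devices talking to criminal infrastructure, come together in the following added example. It is not code from the newsletter or from CareTech; it assumes a simple CSV feed layout, key=value connection and DNS log lines, and a generic "deny <kind> <value>" rule format, and every address, domain and hostname in it is constructed from documentation ranges rather than a real indicator.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed indicator feed in an assumed CSV layout (real feeds use STIX/TAXII,
# OpenIOC or vendor formats). All values are documentation ranges, not real IoCs.
FEED_CSV = """type,value,confidence,description
ipv4,203.0.113.45,90,constructed command-and-control address
ipv4-cidr,198.51.100.0/24,60,constructed bulletproof-hosting range
domain,update-check.example.net,80,constructed malware update domain
"""

# Constructed outbound-connection and DNS log lines (assumed key=value format),
# including a medical device (xray-modality-3) calling out to a listed address.
SAMPLE_LOGS = [
    "2014-08-20T02:14:05Z src=10.20.5.17 host=xray-modality-3 dst=203.0.113.45 dport=443",
    "2014-08-20T02:14:09Z src=10.20.7.40 host=nurse-ws-12 dst=192.0.2.10 dport=443",
    "2014-08-20T02:15:30Z src=10.20.7.41 host=pacs-srv-1 qname=cdn.update-check.example.net",
    "2014-08-20T02:16:02Z src=10.20.9.8 host=lab-analyzer-2 dst=198.51.100.77 dport=8080",
    "2014-08-20T02:16:55Z src=10.20.7.42 host=reg-desk-3 qname=www.example.org",
]


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    confidence: int
    description: str


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    src: str
    observed: str
    indicator: Indicator


class IndicatorSet:
    """Indexes a feed so that each observable seen in a log line can be checked quickly."""

    def __init__(self, indicators: List[Indicator]) -> None:
        self.ips: Dict[str, Indicator] = {}
        self.nets: List[Tuple[ipaddress.IPv4Network, Indicator]] = []
        self.domains: Dict[str, Indicator] = {}
        for ind in indicators:
            if ind.kind == "ipv4":
                self.ips[ind.value] = ind
            elif ind.kind == "ipv4-cidr":
                self.nets.append((ipaddress.ip_network(ind.value), ind))
            elif ind.kind == "domain":
                self.domains[ind.value.lower().rstrip(".")] = ind

    def lookup_ip(self, addr: str) -> Optional[Indicator]:
        if addr in self.ips:
            return self.ips[addr]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # malformed field: no match rather than a crash
            return None
        return next((ind for net, ind in self.nets if ip in net), None)

    def lookup_domain(self, name: str) -> Optional[Indicator]:
        # Match the name itself and each parent domain (cdn.x.example.net -> x.example.net).
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            hit = self.domains.get(".".join(labels[i:]))
            if hit is not None:
                return hit
        return None


def load_feed(text: str) -> IndicatorSet:
    rows = csv.DictReader(io.StringIO(text))
    return IndicatorSet([Indicator(r["type"], r["value"], int(r["confidence"]), r["description"]) for r in rows])


KV_RE = re.compile(r"(\w+)=(\S+)")


def match_line(line: str, iset: IndicatorSet) -> Optional[Alert]:
    """Checks the destination address or queried name of one log line against the feed."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    if "dst" in fields:
        observed, hit = fields["dst"], iset.lookup_ip(fields["dst"])
    elif "qname" in fields:
        observed, hit = fields["qname"], iset.lookup_domain(fields["qname"])
    else:
        return None
    if hit is None:
        return None
    return Alert(ts, fields.get("host", "?"), fields.get("src", "?"), observed, hit)


def scan_logs(lines: List[str], iset: IndicatorSet) -> List[Alert]:
    return [a for a in (match_line(ln, iset) for ln in lines) if a is not None]


def block_rules(iset: IndicatorSet, min_confidence: int) -> List[str]:
    """Turns indicators at or above a confidence threshold into deny-list entries.
    The 'deny <kind> <value>' form is assumed; adapt it to the gateway's own syntax."""
    ordered = list(iset.ips.values()) + [ind for _, ind in iset.nets] + list(iset.domains.values())
    return [f"deny {ind.kind} {ind.value}" for ind in ordered if ind.confidence >= min_confidence]


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for alert in scan_logs(SAMPLE_LOGS, feed):
        print(f"{alert.timestamp} {alert.host} ({alert.src}) -> {alert.observed}: "
              f"{alert.indicator.description} [confidence {alert.indicator.confidence}]")
    for rule in block_rules(feed, 80):
        print(rule)
```

Low-confidence indicators such as the /24 range are kept for alerting but left out of the automatic block list, which is the usual compromise between the two uses: a false positive in an alert queue costs an analyst some time, while a false positive in a gateway rule can cut off a clinical system.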
Make Cybersecurity a Higher Priority, Develop Risk Management Plan

How does this threat intelligence guide us as we think about the HIPAA and Meaningful Use requirements to ensure cybersecurity? The short answer is that healthcare organizations (and their business associates) need to make it a higher priority to improve their cybersecurity practices. This will require development of a plan and may require additional investment in security tools, training and staff devoted to cybersecurity. A risk assessment (which is required by HIPAA and Meaningful Use) can identify specific cybersecurity risks that need to be addressed, but a roadmap or plan should be developed to close gaps identified in the risk assessment. This is referred to as a risk management plan.

CareTech has invested significantly in its cybersecurity capabilities in recent years and is ready to work with you to address cybersecurity risks. Together we can “protect against any reasonably anticipated threats or hazards to the security or integrity of [ePHI].” It is the right thing to do and is more urgent now than ever. Let us know how we can help.
