A recent disclosure by Community Health Systems, Inc. (CHS) of a data breach compromising information pertaining to 4.5 million of its patients highlights the need for providers to remain vigilant in securing patient information. The breach at CHS is just one example among others that have occurred recently involving many individuals. Health care providers may want to take this time to review and update their policies as necessary to address emerging threats and vulnerabilities to their systems.
Recent breaches of data held by health care providers
CHS is a health system whose affiliates own, operate or lease 206 hospitals in 29 states. As reported by CHS in a filing with the Securities and Exchange Commission (SEC), the breach resulted from a targeted, external cyber-attack of CHS’s computer network in April and June, 2014. CHS believes the attacks originated from China and involved "highly sophisticated malware and technology" that enabled the attacker to bypass CHS’s security measures. The breaches were the result of an advanced persistent threat, or "APT," in which an attacker uses multiple phases, typically over a long period of time, to conduct reconnaissance of a target; break into a network, often by using social engineering; map an organization’s assets and defenses; access, capture, and exfiltrate information; and potentially install malware. According to the SEC filing, the attackers were able to copy and transfer data, including patient names, addresses, birth dates, and Social Security numbers, to networks outside of CHS. The attackers did not acquire credit card numbers or any medical or clinical information. CHS indicated it will offer credit monitoring to affected individuals and that it has liability insurance to protect against losses of this nature.
The type of breach that occurred at CHS could happen to any health care provider. As the Federal Bureau of Investigation’s (FBI) Cyber Division noted in a Private Industry Notification earlier this year, the health care industry generally "is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs)."1 Given the sophisticated nature of the attack on CHS, similar attacks may be occurring at other health systems. The breach at CHS is just one of a number of breaches in the last year involving information held by health care providers. Based on information on the Office for Civil Rights’ (OCR) website, other recent and notable breaches of data held by health care providers include:
-
A breach reported by St. Joseph Health System in Texas affecting 405,000 individuals. The breach may have included names, Social Security numbers, medical information, etc.
-
A breach reported by UW Medicine in Washington affecting over 76,000 individuals.
-
A breach reported by Centura Health in Colorado affecting over 12,000 individuals.
-
A breach reported by Nrad Medical Associates in New York affecting 97,000 individuals.
-
A breach reported by the Montana Department of Public Health and Human Services affecting over 1,060,000 individuals.
Incidents reported to OCR in the last 12 months include breaches involving information on desktop computers, network servers, and portable electronic devices, as well as in emails.
Cybersecurity threats facing health care providers
A review of OCR’s website reveals that a wide range of health care providers have had to report breaches involving more than 500 individuals, including health systems, medium-sized medical groups and sole practitioners. Health care providers are especially prone to data theft due to the high value cyber criminals place on medical information, which is often more valuable than credit card data. The street cost for a single patient’s medical record is reportedly $50 and has a longer useful lifespan than a credit card, while a stolen Social Security card is only worth $1.2 According to the Identify Theft Resource Center, 43.4% (204 of 470) of all breaches identified by the Center as of August 12, 2014 fell within the “medical/healthcare” category.3 Access to a patient’s protected health information (PHI) at a health care provider may reveal health insurance information, Social Security numbers, patient medical information and diagnoses, bank account information, etc.
Cybersecurity threats facing health care organizations include:
-
A growing presence of sophisticated and coordinated cybercriminal networks.
-
Malware such as that involved in CHS’s breach.
-
Phishing attacks.
-
Networked devices, video conferencing systems, and printers, etc. that are hacked.4
According to the U.S. government, the cyber threats to health care providers will only increase in the coming year. The FBI warned in April that “[c]yber actors will likely increase cyber intrusions against health care systems—to include medical devices—due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market. The deadline to transition to EHR is January 2015, which will create an influx of new EHR coupled with more medical devices being connected to the Internet, generating a rich new environment for cyber criminals to exploit.”5
Steps health care providers should take
In light of the recent breaches and the FBI’s warning, covered entities and business associates may want to take some time to review their Health Insurance Portability and Accountability Act (HIPAA) security measures and verify whether they are up-to-date. HIPAA requires covered entities and business associates to review their policies and procedures periodically and update them as necessary in response to environmental or operational changes affecting the security of electronic protected health information in their organization.
Here are some questions covered entities and business associates may want to ask themselves:
-
When did we last review and update our HIPAA security measures? When did we last perform a risk analysis? If the covered entity or business associate has not performed a recent risk analysis and recent review of its policies, now may be the time to do so. As cyber criminals continue to develop new methods, covered entities and business associates should take the time to address new threats and vulnerabilities in their systems. Does your organization maintain sufficient security logs and malware detection software and employ other resources to identify external attacks and intrusions on your system?
-
Have we identified all areas in our organization where we may receive or maintain PHI? Identifying all ways in which PHI enters an organization’s systems is critical. As an organization employs new technology or its IT environment changes, the organization needs to make sure that it updates and adapts its security measures appropriately. Organizations should map the location of all PHI and the ways it enters the organization’s systems. Several notable items which may be inadvertently overlooked include portable devices and media. Has your organization implemented a mobile device policy? Has your organization addressed the use of USB drives, CDs and other portable media?
-
Have we identified all access points to our systems containing PHI? Identifying all access points is critical, including an access points that involve devices that do not contain any PHI, but which may be exploited to circumvent the organization’s security. An area that is often overlooked includes networked devices, printers, faxes, and surveillance cameras, etc.6 Has your organization reviewed its networked devices for potential vulnerabilities that may allow an intruder to bypass your security?
-
Are there additional opportunities to encrypt PHI within our organization? Under HIPAA, covered entities and organizations only need to report breaches of unsecured PHI.Encrypting PHI could protect it and reduce the likelihood of a breach.
-
Do we have sufficient cyber or other liability insurance to cover breaches of PHI? Breaches can be expensive and often involve the provision of credit monitoring and identity protection services for individuals. Although covered entities and business associates should take steps to prevent a breach, they should verify whether their existing insurance covers them in the event of a breach and, if not, consider whether to procure such insurance. Although the market for cyber insurance is still nascent, there are carriers that offer first-party cybersecurity insurance policies, which typically cover a company’s losses arising from events such as business interruption, destruction of data and property, and reputational harm, as well as third-party policies, which cover losses that a company causes to its customers and others, such as harms arising from the exposure of PII through a data breach.
-
Even though we have addressed HIPAA’s requirements, should we do more? HIPAA sets a minimum floor for addressing the security of PHI. Often, there may be good reasons to provide additional protection beyond the minimum required by HIPAA. Does the organization have opportunities for additional protection that are feasible?