Chapter 1: Why Should We Care?
I. Cybersecurity Is A Patient Safety Imperative
For healthcare professionals, patient safety is paramount, but even simple treatments can be far from risk-free. For example, in the interest of seeking a diagnosis, a doctor may have to order an imaging study or test that carries its own risks (e.g., a CT with contrast might cause an allergic reaction). Over the years, however, as the medical profession has developed a better understanding of how these tests are used, we can weigh the benefits and risks, and also develop methods to reduce the risk of an adverse outcome (e.g., doing a thorough patient history to assess the risk of the aforementioned allergy).
So it is with healthcare information. To do their jobs, healthcare professionals need to collect and analyze the most intimate details of our personal lives. Managed correctly, especially given the new technology now available, collection of that information can contribute greatly to the recovery of a patient. But without the correct protocols in place, that very same information can lead to inadvertent harm, possibly in excess of the original reason for seeking medical attention.
This is what we mean by saying that cybersecurity is a patient safety issue, and this report is intended to suggest ways in which the healthcare industry can help patients benefit from the extraordinary potential of information systems to enhance their well-being, while simultaneously mitigating potential risks. To do that, we first need to understand those risks.
Information security professionals often say that the goal of cybersecurity is to maintain three qualities of a system: 1) confidentiality, meaning that access to information is restricted only to authorized users; 2) integrity, meaning the information is trustworthy and accurate; and 3) availability, meaning authorized users can quickly and reliably access information.1 These three qualities may seem abstract from patient well-being, but in reality, they are crucial to ensuring quality care.
Healthcare providers need to maintain the confidentiality of their patients’ data not only to prevent medical identity theft, but also to assure patients that they can safely share sensitive health information. A study by the Office of the National Coordinator (ONC) found that of patients who did not believe providers reasonably protected their electronic health records, 33 percent had at some point withheld information from a provider due to privacy or security concerns (as opposed to 7 percent of the overall population).2 As knowledge of cyber risks percolates through popular culture over the next five years, the number of patients who withhold potentially important information from providers could increase if the perceived security does not improve. (Addressing only the perception part of this by underreporting breaches could dramatically backfire.)
Attackers who gain access to a piece of health technology may be able to compromise its integrity by manipulating the data it collects or transmits. Providers with invalid information may misdiagnose and mistreat patients, with potentially grave consequences. Wildly inaccurate data or altered biomarkers that ought to be immutable may cause other medical equipment to malfunction. After providers learn that some data is compromised, it still may take countless man-hours from IT staff and caregivers to restore accurate information, and even then only the information that has not been irrevocably lost.
Even a short disruption or slight slowdown in the availability of health data can be the difference between life and death. Healthcare providers may need to access an electronic health record (EHR) or communication tools to get information on a patient in a time-sensitive condition. Attackers are increasingly taking advantage of this necessity with ransomware attacks, remotely locking hospital computers until a ransom is paid. According to McAfee, ransomware attacks in the healthcare sector increased by 210 percent between 2016 and 2017,3 and as of Q2 2018, healthcare is the most targeted of any sector for cybersecurity attacks.4
Before introducing the policy solutions that can help steer healthcare towards a more cyber-secure future, it is useful to understand the historical context that shaped the current healthcare cybersecurity landscape. The following chapter provides a historical overview of the events and policies that underpin the current state of cyber insecurity in the healthcare sector.
II. The Case for Urgent Action
What adds urgency to this issue is that the use of information systems in healthcare has increased markedly in recent years, and often the pace of that change has run ahead of ways to mitigate the risks that these developments create. Alongside the increased adoption of networked medical devices, EHRs, and wirelessly-augmented health infrastructures, there has also come an increase in cybersecurity vulnerabilities. These vulnerabilities, whether exploited or not, disturb the delivery of healthcare by weakening that essential foundation of trust. Medical technophobia is not the solution. New medical technologies have improved patient outcomes and helped health systems meet the 21st-century demands placed on them. As such, the healthcare sector needs to think systematically about cybersecurity as a necessary trust-building measure with profound implications for patient privacy and safety.
The dangers to the healthcare sector of exploitable cybersecurity vulnerabilities are not imagined. Already, security researchers have demonstrated that malicious actors can exploit vulnerabilities in implanted and networked medical devices that deliver life-supporting functions, like ventilators, infusion pumps, pacemakers, and monitors.5 An often underappreciated threat is the loss of a patient’s protected health information (PHI) as the result of a data breach. In many cases, stolen or inappropriately viewed records reveal patient names, addresses, social security numbers, health insurance information, diagnoses, procedure codes, intimate medical images, and financial data.6 Beyond flagrantly violating patient privacy, the information contained in stolen records can be used to threaten patients’ safety, compromise identities, and fuel fraudulent business or pharmaceutical practices.7 This is unacceptable.
III. The Cybersecurity Risk Landscape Facing the Healthcare Sector
Healthcare Cybersecurity in Context
Healthcare is far from the only critical infrastructure8 sector that is vulnerable as a result of its dependence on information systems. Indeed, as a starting point, healthcare organizations would do well to begin any systematic analysis of their security by adopting the NIST Cybersecurity Framework—designed for use across sectors. However, like any other sector, healthcare has its own peculiarities, not the least of which is that rapid access to a patient’s information can often be what makes the difference between life and death. Given the complexity of patient care, the sort of access controls that might work in other industries are often not appropriate.
In other words, the primary mission of the healthcare sector is to provide timely, longitudinal, and personalized care to patients, on the basis that all lives are of equal value.9 To fulfill this mission, healthcare professionals must be able to quickly and easily share and collaborate using patient information. In the operating room, the emergency department, and across healthcare environments, medical professionals need accurate and readily available patient data to make split second, life and death decisions.
These are complex problems, often requiring the balancing of different risks. For example, in some cases it is the lack of easy access to information for the right people that causes the most problems. OCR has begun to respond to these challenges in care coordination, as a part of its responsibilities to enforce and interpret HIPAA (the Health Insurance Portability and Accountability Act, which defines the privacy and information access rights of patients, among many other areas). On top of the ordinary waiving of HIPAA sanctions to help hospitals respond to natural disasters, OCR is considering rules (most recently through a December 2018 Request for Information10) to allow for “good faith” disclosures of patient data without their consent in emergencies like drug overdoses.11 But in solving one problem, we risk creating others. Though this rule could improve health outcomes, it could also risk the privacy of economically vulnerable patients, particularly if the healthcare provider uses poor cybersecurity practices. As we move more towards value-based care and expand care coordination, we must be thoughtful about the new vulnerabilities these practices can incur. Nevertheless, it is our contention that too often the cybersecurity risk is not properly or fully addressed.
Vulnerabilities and Consequences
No matter the type of care, healthcare providers require full and immediate access to patients’ health records in order to properly tailor their treatments. Otherwise, providers risk exacerbating previous injuries, provoking allergic reactions, or otherwise harming a patient. Recent efforts have sought to improve patient health outcomes by facilitating the sharing of healthcare information. Technological advancements to this end include the shift to EHRs, the adoption of wirelessly connected medical devices, and the use of big data analytics to identify public health patterns. More providers, staff, and affiliates now have easier access to a greater volume of patient data than ever before, and this trend is accelerating (see Chapter Two).
But the more access points a health technology system has, the more difficult it is to ensure the cybersecurity of the whole system. One unpatched vulnerability on one device may allow an attacker to leapfrog through a health system’s entire technological infrastructure, potentially crippling an entire hospital network.12 Allowing more professionals or other individuals to access these systems makes it more difficult to track user activity, and a single unmonitored insider can lead to the theft or exposure of millions of intimate patient health records.13 Ever-increasing amounts of data that health technologies collect may make health systems more appealing targets to threat actors.
Technological advancements are ushering in an exciting new age of medicine, and promising innovations should continue to be developed. However, healthcare leaders must balance the attendant cybersecurity risks that arise in the wake of such rapid technological change, or else patients will be harmed and their trust in the healthcare sector will deteriorate. Some of the costs that arise from these risks are described below:
Medical Costs
- Direct patient harm (e.g., a wirelessly exploited insulin pump delivering a fatal dose of insulin or prescribing a patient the incorrect medication as the result of a manipulated electronic patient record)
- Indirect patient harm (e.g., delayed or cancelled medical appointments, closure of hospitals, diversion of ambulances following IT systems failure)
- Medical identity theft, which is especially costly given the permanence, sensitivity, and value of health data and potential delay in discovery. Identity theft can also lead to direct patient harm as a result of duplicate records resulting in misdiagnosis or poor treatment.14
- System-wide operational disruption
Financial Costs
- Legal fees and penalties imposed as the result of a cybersecurity incident or data breach
- Credit-based identity theft resulting from EHR compromise, and costs for providing continuing identity theft protection
- Restoration or purchase of new information technology systems as the result of a system failure
- Fraudulent medical claims, including of prescription drugs, insurance, and Medicare and Medicaid
- Stock manipulation based on undisclosed vulnerabilities, incidents, and PHI
Reputational Costs
- Loss of public trust in the healthcare system
- Public HHS investigations, corrective action plans, and national exposure of potentially embarrassing and preventable information system failures
Moral or Ethical Costs
- Violating patient privacy and dignity
- Failing to provide immediate and personalized care, exposing patients to preventable harms
- Breaking the law under HIPAA
So what behaviors incur these cyber risks? Examples from a report by the Health Care Industry Cybersecurity Task Force show that they range from the technological to the human.15 Poor network security, off-the-shelf software with insecure default settings, and failing to install security patches on older, vulnerable devices can all allow attackers to exfiltrate patient data (more about technological vulnerabilities will be covered in Chapter Four). Meanwhile, uncontrolled distribution of passwords and improper disposal of patient data can allow employees unauthorized access. To fully understand these cyber risks though, it is important to know who the humans are behind the threats to the healthcare sector.
Threats: External and Internal
External cybersecurity threats are often the first that come to mind when thinking of risks facing healthcare. However, as the 2018 Verizon Data Breach Investigations Report (DBIR) notes, healthcare is the only industry where cybersecurity incidents are caused more often by insiders (56 percent) than outsiders (43 percent).16 Insiders can take the form of employees, vendors, affiliates, or individuals who have somehow accessed legitimate credentials in order to compromise hospital systems. The actions they take can range from naively dangerous to existentially catastrophic. Cybersecurity experts observe that many attacks combine external vectors with internal actors, such as phishing or social engineering attacks.17 Here, we examine the threats to healthcare cybersecurity in these two broad categories: external and internal threats.
External Cybersecurity Threats Facing the Healthcare System
As the name suggests, external threats originate from outside of a healthcare organization. Cyberattacks perpetrated by external actors involve infiltration of a healthcare organization by exploiting vulnerabilities in the software or hardware of connected medical devices, EHRs, and supporting systems. Attackers can deploy malicious code to gain entry to healthcare databases,18 steal millions of protected health records,19 demand money in exchange for health data and medical devices being held hostage,20 and even prompt widespread disruption or chaos by crippling entire health systems.21
Healthcare providers—from stand-alone practices in Manhattan to enormous Integrated Delivery Networks (IDNs) in St. Louis—are regularly targeted by organized hacking groups. HHS maintains a database of breaches22 that have been reported by health organizations (as they are legally required to do)23 and the picture is bleak, especially when one includes industry analyses that incorporate many cybersecurity events that HHS misses. According to one such analysis of incidents from 2017, nearly 3.5 million patient records were stolen in the 144 cyber incidents for which data is publicly available.24 While the total number of stolen records decreased from 2016 to 2017, the number of ransomware and malware attacks more than doubled.25 Ransomware26 and other malware attacks are some of the tactics most commonly used to target healthcare organizations, but ransomware is by far the most common form of malware attack at 85 percent.27
A common vector for attacks like ransomware is phishing, or the use of infected emails and texts to gain access to a system. The Health Information Sharing and Analysis Center (H-ISAC) and security firm Agari recently found that more than half of the emails purportedly sent from healthcare organizations are fake, making healthcare the sector most targeted by fake emails.28
What does all of this tell us? The connectedness of the healthcare ecosystem leaves it vulnerable to massive, scalable attacks capable of compromising protected health information and disrupting patient care, and groups or individuals willing to exploit that vulnerability exist. Healthcare executives agree. In the recent 2018 HIMSS Cybersecurity Survey of healthcare executives, data breaches and hacking, which includes malware, ransomware, and phishing attacks, were named as the top cybersecurity threats facing healthcare organizations.29
Internal Cybersecurity Threats Facing the Healthcare System
According to the 2018 Verizon DBIR, healthcare is the only industry vertical where more data breaches are caused by insiders than by external actors.30 Insiders, that is, employees and other intended users of an electronic health system, pose a unique risk to healthcare because they have legitimate access to healthcare information and thus are not subject to traditional, externally-facing cybersecurity defenses. There is also a significant fear that restricting access to data may hinder care, which impedes the adoption of controls such as role-based access control. Moreover, insiders have a thorough understanding of where vulnerable data may reside and of possible vulnerabilities that exist within the wide array of systems they use every day.
An insider incident or insider attack occurs when an individual or group within a healthcare system violates the law by improperly accessing protected health information or taking advantage of a medical cyber-physical system, such as a smart operating room or an implantable cardioverter defibrillator. Given the level of legitimate access insiders have to protected health information, it can be difficult to identify when an insider is abusing their access privileges. In some cases, insider threats can go undetected for astonishingly long periods of time—in one example, an undiscovered vulnerability allowed employees at an Indianapolis hospital to inappropriately access “current and former patients’ social security numbers, contact information, diagnosis, treatment and health insurance” information for over three years.31
Insider incidents can be intentional, negligent, or malicious, but all three can be equally detrimental. It can be as simple as an employee checking on a relative’s record or as complicated as stealing thousands of tax returns. It can happen when a health professional fails to follow protocol, for example by accidentally misplacing a patient’s file or discarding a computer system without properly removing patient information. In 2017, nearly 800,000 patient records were compromised as the result of accidental insider errors.32 Not all insider incidents are so innocent—potential reasons why an insider might intentionally and unwarrantedly access patient data vary as widely as the incidents themselves.
One reason could be to sell personal medical data on the dark web,33 as medical data is a “gold mine for vendors of stolen data” that operate on the dark web.34 Despite the influx of stolen health data flooding dark web markets in recent years, demand is still high. In 2017, records sold for anywhere from $20 to $50 or more per record depending on the value of the record to a buyer.35 For comparison, “basic stolen identity information on a US citizen, which only includes the Social Security number, full name, and birth date, can range from $1 to $8 per person.”36
Selling medical data is particularly harmful for patients because much of the information contained in a medical record is immutable, such as biometric data. The immutability of biometric data, like blood type, psychiatric history, and specific drug allergies, distinguishes it from other updatable information, like a password or credit card number. This means that a single compromised record can negatively affect an individual for the rest of his or her life. Moreover, stolen medical records contain a wealth of information, some of which is not even related to an individual’s health. Emergency contact information can be used to guess the answer to security questions, billing and insurance information can be compromised leading to fraud, and embarrassing diagnoses can be used to extort or blackmail individuals.
Some insiders might unlawfully access patient information simply out of curiosity. The moment a new employee starts at a health system, they likely gain near-ubiquitous access to the health records of millions of patients. While the vast majority of health workers treat this responsibility with respect, some yield to the temptation. A physician may snoop into her ex-husband’s psychiatric reports or a nurse may peer into his girlfriend’s sexual and reproductive health history.37 Employees may look up the medical history of celebrities that have come through their doors,38 as happened to Kim Kardashian and former Rep. Gabrielle Giffords.39 Insiders might even systematically steal medical records for use in filing false tax claims.40 One author recalls the fear he and his colleagues had at entering sensitive patient information, knowing that despite the hard work of the HIPAA privacy office, any one of his co-workers could view the information with relative impunity.
What does all this tell us about insider threats? Namely, that insider threats pose a unique risk to the healthcare sector simply because employees are granted legitimate access to so much patient information. As such, identifying an insider breach is more difficult and often takes longer. The scale of an insider breach can be just as harmful as one caused by an external hacker, particularly because insider breaches are so hard to spot. The costs associated with internal and external cyber attacks are high, affecting patients and healthcare providers to varying degrees depending on the scale and success of each attack.41
Citations
- Andrew Simmonds, Peter Sandilands, Louis van Ekert, “An Ontology for Network Security Attacks”, Applied Computing, 2004.
- Penelope Hughes JD MPH, Vaishali Patel PhD MPH, Joy Pritts JD. “Health care providers’ role in protecting EHRs: Implications for consumer support of EHRs, HIE and patient-provider communication.” ONC Data Brief, no 15 (Washington, DC: Office of the National Coordinator for Health Information Technology. February 2014). source
- McAfee, McAfee Labs Threats Report March 2018 (March, 2018) source
- McAfee, McAfee Labs Threats Report September 2018 (September, 2018) source
- U.S. Food & Drug Administration, St. Jude Medical Recalls Implantable Cardioverter Defibrillators (ICD) and Cardiac Resynchronization Therapy Defibrillators (CRT-D) Due to Premature Battery Depletion, February 16, 2018; Jim Finkle, “J&J Warns Diabetic Patients: Insulin Pump Vulnerable to Hacking,” Reuters, October 4, 2016.
- S.G. Shini, Tony Thomas, and K. Chithraranjan, “Cloud Based Medical Image Exchange-Security Challenges,” Procedia Engineering 38 (2012): 3454-3461; HIPAA Journal, Touchstone Medical Imaging Suffers 307K Patient Data Breach, October 21, 2014, source
- Ryan Francis, “Healthcare Records for Sale on Dark Web,” CSO Online, April 24, 2017.
- For a U.S. definition of critical infrastructure sectors, see source
- We acknowledge this philosophy is idealized, especially as many of the contributors have worked in a clinical context, but we prefer to hope for the best possible world, while planning for the reality that we have.
- U.S. Federal Register, “Request for Information on Modifying HIPAA Rules To Improve Coordinated Care,” December 14, 2018. source
- Fred Donovan, “OCR Drafts NPRM on ‘Good Faith’ Patient Data Disclosure Rules,” HealthIT Security, October 19, 2018. source
- One prominent example of this was the March 2016 MedStar ransomware attack that compromised a well-known vulnerability and led to immediate and complete loss of health system information, according to MedStar’s director of emergency management during the attack, Craig DeAtley. For more, see Dr. John L. Hick, “Lessons Learned from the MedStar Health System Outage: An Interview with Craig DeAtley, PA-C,” The Exchange Volume 1 Issue 2, 2016.
- One prominent example of this was the 2015 Anthem, Inc. attack, in which nearly 80 million member and employee records—including such personal information as name, home address, Social Security number, and birth date—were stolen by a cyber espionage group. See coverage of the Anthem, Inc. Affiliated Covered Entity incident first submitted to HHS OCR on March 13, 2015: Bob Herman, “Details of Anthem’s Massive Cyberattack Remain in the Dark a Year Later,” Modern Healthcare, March 30, 2016.
- Michelle Andrews, The Rise of Medical Identity Theft, Consumer Reports online (Consumer Reports, August 25, 2016) source
- Health Care Industry Cybersecurity Task Force, Report on Improving Cybersecurity in the Health Care Industry (Washington, D.C.: Department of Health and Human Services, 2017). (Hereafter: Cybersecurity Task Force, Report).
- Verizon, Verizon 2018 Data Breach Investigations Report, 5, source. (Hereafter: Verizon, 2018 DBIR).
- According to the Indiana University Knowledge Database, phishing attacks “are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., passphrase, credit card, or other account updates)” that can then be used to commit a crime or gain unlawful entry to your wider network. See: Indiana University, Avoid Phishing Scams, July 16, 2018, source
- United Kingdom National Audit Office, Investigation: WannaCry cyber attack and the NHS (London, United Kingdom: U.K. Department of Health, 2017); CBS News, “Global Cyberattack Strikes Dozens of Countries, Cripples U.K. Hospitals,” CBS News, May 12, 2017. (Hereafter: CBS “Global Cyberattacks”).
- Josh Beckerman, “Newkirk Products Reports Data Breach,” The Wall Street Journal, August 5, 2016; Jessica Davis, “OCR Investigating Banner Health for 2016 Breach of 3.7 Million Patient Records,” Healthcare IT News, March 21, 2018.
- Brian Fung, “Computer Security Experts Fear Second Wave of ‘Biggest Ransomware Attack Ever,’” The Washington Post, May 14, 2017. (Hereafter: Fung, “Experts Fear Ransomware Attack”).
- Fred Donovan, “Cass Regional Finally Recovers from Devastating Ransomware Attack,” HealthIT Security, July 18, 2018.
- U.S. Department of Health & Human Services, Submitting Notice of a Breach to the Secretary, January 5, 2015, source
- “Notification to the Secretary,” Code of Federal Regulations, title 45 (2011): source
- Protenus, Inc. and DataBreaches.net, Breach Barometer 2017 Report, 8-14. (Hereafter: Protenus, Breach Barometer).
- Susan Morrow, “Top 10 Threats to Healthcare Security,” Infosec Institute, January 8, 2018.
- These attacks wirelessly block, typically through encryption, a clinic’s access to patient health records and/or connected medical devices, disrupting the delivery of patient care and demanding payment to return access to compromised systems. Global attacks of this nature occurred in 2017 when a vulnerability in an outdated version of the Microsoft Windows operating system was exploited in various legacy medical devices, thus disrupting patient care and causing permanent loss of health data and IT systems. For more, see: Tim Johnson, “How the Dark Overlord is costing U.S. clinics big time with ransom demands,” Providence Journal, May 29, 2017; CBS “Global Cyberattacks”; Fung, “Experts Fear Ransomware Attack”; Alex Hern, “NHS Could Have Avoided WannaCry Hack with ‘Basic IT Security’, Says Report,” The Guardian, October 26, 2017.
- Verizon, 2018 DBIR, 34.
- Joe Uchill, “Health-care Group Pushes for Tighter Email Security Amid Fears Over Fraud,” The Hill, November 28, 2017.
- Healthcare Information and Management Systems Society, 2018 HIMSS Cybersecurity Survey (Chicago, IL: Healthcare Information and Management Systems Society, 2018).
- Verizon, 2018 DBIR, 33.
- DataBreaches.net, Fairbanks Hospital Notifies Patients After Discovering Employees Could Have Been Inappropriately Accessing Patient Records for Years (UPDATED), December 22, 2016. (Hereafter: Fairbanks Discovery).
- Protenus, Breach Barometer, 2017.
- The Darkweb is a portion of the global internet intentionally hidden from public access behind passwords and other controls.
- Richard, “The Value of Stolen Data on the Dark Web,” Dark Web News, July 1, 2017.
- Ibid.
- Michael Kan, “Here’s How Much Your Identity Goes for on the Dark Web,” PCMag, November 15, 2017.
- Charles Ornstein, “Small-Scale Violations of Medical Privacy Often Cause the Most Harm,” ProPublica, December 10, 2015.
- Charles Ornstein, “Celebrities’ Medical Records Tempt Hospital Workers to Snoop,” National Public Radio, December 10, 2015.
- Anna Gorman and Abby Sewell, “Six People Fired from Cedars-Sinai Over Patient Privacy Breaches,” Los Angeles Times, July 12, 2013; Stephanie Innes, “3 UMC Workers Fired for Record Access,” Arizona Daily Star, January 12, 2011.
- Michael Kranish, “IRS is Overwhelmed by Identity Theft Fraud,” Boston Globe, February 16, 2014.
- Ponemon Institute, Cost of a Data Breach Study: Global Overview (Traverse City, MI: Ponemon Institute, 2018). (Hereafter: Ponemon, Breach Study).