Article
Author(s):
By now, the details of the cyber attack on Banner Health this past summer have been well-documented. Approximately 3.7 million patients, health plan members and beneficiaries, physicians and healthcare providers were impacted by the attack.
By now, the details of the cyber attack on Banner Health this past summer have been well-documented. Approximately 3.7 million patients, health plan members and beneficiaries, physicians and healthcare providers were impacted by the attack.
Of course, Banner Health is not the only casualty of aggressive cyber attacks within the healthcare industry, just the most recent.
Mick Coady, partner and member of PwC’s National Cyber Security and Privacy Practice, says this wave of attacks on the industry is healthcare’s comeuppance.
“Between 1997 and 2005 banking went through this transformation as well,” Coady says. “Banking had a lot of similar problems that we see today in healthcare.”
The problematic difference, Coady suggests, is where healthcare has chosen to focus its attention.
Money not-so-well-spent
Coady believes that healthcare has been so patient care focused that “when you look at the gamut of where the spend has been” it’s on imaging machines and radiology other assorted patient-related technology. Security is the downstream effect.
“We’re in a situation where people, operationally, are completely immature,” he says. “It’s not uncommon for me to walk into a hospital system and feel like I’ve gone back 20 years in time.”
For example, Banner Health likely spent a great deal of money on its information IT security architecture, yet none of it prevented the attacker from penetrating the network. Part of the problem, Coady says, is that when HIPAA came about, the healthcare industry hit the alarm button and encrypted everything.
“You’re protecting everything, but without detection,” he says. “They forgot to put in detections—alarms, bells, and whistles along the way—that would have allowed you to know that the person who compromised you has been inside your environment for five months.”
Echoes Morey Haber, vice president of technology at BeyondTrust, “Cybersecurity has always been an afterthought. It has been added once a risk has been identified and exploited.”
That’s clear in the Banner Health cyber attack, which investigations reveal was initiated on June 17, 2016. The hacker began gathering information around June 23, but it was not until July 13 when Banner Health discovered that “cyber attackers may have gained unauthorized access” to patient information.
In other words, nearly a month had passed between the initial intrusion and the detection of anomalous network activity.
Pathways in
Anthony James, vice president of product strategy for TrapX Security, a leading firm in deception-based cyber security defense, believes that many attackers today are getting into hospital networks through Internet connected medical devices. What he says with certainty is that many of these connected devices were built with security as an afterthought.
“Internet connected medical devices are no different than any other IoT [information of things] device when it comes to security,” James says. “There are many reasons why IoT security has been so challenging.”
For example, because of device size, many devices can’t accommodate an operating system or processing power to support a layered security solution. Also, oftentimes a device’s ecosystem is left open so it can communicate with other devices, which increases the number of potential threat vectors.
It doesn’t help that people still click on links in email telling them that they’ve won a million dollars.
“Hackers are going in and using a deceptive technique like phishing,” Coady says. “That is still, unfortunately, a way into the environment. In the past six months we’ve made a great leap in maturity there, but it still hasn’t gone away.”
Take action
Perhaps the first, and certainly the easiest, step to take to combat cyber attacks is developing the right mindset.
“Why don’t you think of the information as if it was your own?” Coady suggests. “And if it is that sensitive to you and you wouldn’t want your information out there, why would you treat anyone else’s in any different manner?”
Tony Consoli, president of the Mid-Atlantic Region at CBIZ Insurance Services, Inc., recommends three prevention methods every healthcare business should take.
“Know what’s at risk,” Consoli says. “And create a response strategy that is holistic and allows you to respond quickly in any situation.” He also recommends hiring a third party to conduct a penetration test and simulate a hack into your system. “This is a great way to find out if your company is using its security technology effectively.”
In addition, James recommends installing a deception-based security layer into your network.
“This technology creates a network of traps (decoys) that are intermingled with and imitate a company’s real information technology assets,” he explains. “It creates an environment that attracts and detects malicious insiders as soon as they begin their attacks.”
And, if you’ve installed them, sets off those bells and whistles.