Why Does Healthcare Keep Getting Hacked?

14 May, 2021

Symptoms

A patient walks into a physician’s office with pain in her right shoulder, but nothing appears to have happened there. There’s no bruise, no rash, nothing.

Perhaps the symptom is psychosomatic (in her head). More likely, the issue has to do with her gallbladder — a small organ in the middle of her chest.

A second patient walks into the office. This patient has a pain in her left shoulder. Again, nothing seems to have happened to the site itself.

The diagnosis? A ruptured spleen.

The body is a marvelously complex, interconnected network of biological systems. “Referred pain” — when a stimulus to one part of the body is felt elsewhere — is one example of the point, but so is pain of any kind, or the ability to walk, or breathe. Everything works together, but that also means that an issue in any one part of the system can be trouble for the rest.

Information technologies are even more interconnected than the human body. Service providers and data centers — the heart and brain of the system — traffic vast amounts of varied data traveling in every direction imaginable. Like a body with no rhyme or reason, the spleen and the foot and the neuron and the eyelash can all talk to one another. By the same token, an issue in one part of the system — say, a hacker with a gnarly computer worm — can easily cause trouble elsewhere.

It stands to reason, then, that just as our health requires holistic treatment, so too would healthcare IT systems. And yet, these systems are often left vulnerable — as if they aren’t part of a much larger body, where a virus in one part can spread elsewhere. It’s why hackers have targeted healthcare so much recently.

A Checkup

By now it may be a cliche to say that 2020 was the worst year ever for healthcare sector security breaches. Luckily, it’s not entirely true. The worst year was actually…

2015.

(chart via HIPAA Journal)

At least from the standpoint of stolen data, 2015 eclipsed every other year on record. The anomaly comes down almost entirely to one event: the breach of Anthem Inc. In one fell swoop, the health insurance giant lost hold of the most sensitive information — home addresses, birthdays, social security numbers, you name it — belonging to around 78 million Americans.

One would imagine that a company possessing such volumes of such varied data would have outstanding safeguards in place. Instead, Anthem had the kind of record that no insurer would want to cover.

In 2012, the company sent letters to around 33,000 members. Among other things, the letters displayed their social security numbers. The problem? Those SSNs were visible through the little transparent window on the front of the envelopes.

In 2013, the company posted a document to their website. It included, in clear text, the SSNs of an undisclosed number of healthcare professionals.

By 2015 their habit of disclosing SSNs hadn’t faded. 78 million customer records were stolen from their databases — one of the largest data breaches on record.

If your instinct is to give Anthem the benefit of the doubt, consider this: none of those millions of sensitive records were even encrypted. Speaking to the Wall Street Journal, a “person familiar with the matter” explained that the decision to leave it all open was intentional. Encryption, their argument went, would make using the data more difficult: identifying trends, for example, and sharing it with governments and other healthcare providers.

Perhaps that’s true. But it’s also a symptom of a deeper disease.

The Diagnosis

In season 8, episode 5 of Seinfeld, Elaine is visiting the doctor for a rash when she notices her medical chart. She reads it, and spots a negative comment made about her four years prior. Long story short: rather than getting the comment removed, she ends up having to visit multiple doctors for the same rash, all of whom have access to the same chart, and each of whom gives her a new bad review. Finally she enlists Kramer to try and steal her chart, so that it may be vanquished forever.

ELAINE

Where’s my chart, did you get it?

KRAMER

No.

ELAINE

What? What happened?

KRAMER

I don’t know, but now they’ve got a chart on me!

Though the singular “chart” is an abstraction, the bit relies on a number of truths about the healthcare industry:

  1. Even our most granular personal details tend to end up on these forms.
  2. Even very old information can remain in the system for a long time.
  3. Medical data passes with ease between doctors and facilities.

There are good reasons for all of this. Even something as minor as what you do for a living can be useful information for your doctor. A minor allergy recorded years ago may still be relevant to your health today. And, of course, when you’re sick, you don’t want healthcare workers to have any trouble accessing everything they need to know to treat you.

The problem is that we’re no longer living in 1996. Whatever “chart” existed before has been replaced by massive data hubs connected to the web, containing all your information in one place so as to allow efficient access between healthcare entities.

But by the principle that wherever good information can go, bad information can go too, healthcare data hubs also make efficient targets for hackers. Rather than having to go around to individual, smaller-scale healthcare facilities, you crack one centralized aggregator and it’s as if you cracked a hundred facilities at once.

Anthem is the perfect example. All the attackers had to do was defeat one company and they had a quarter of the U.S. population in their hands. And Anthem wasn’t the toughest nut to crack, as we’ve established. Their priority of easy data sharing left one fewer barrier — encryption — in the hackers’ way.

While Anthem is the largest, they are far from the only case of this kind. There is, for instance, the American Medical Collection Agency (AMCA). Their 2019 breach exposed over 20 million citizens’ personal information.

In fact, you don’t even have to breach a healthcare company these days to steal tens of millions of patient records. Last year, Blackbaud — a cloud computing provider — got hit with ransomware. Among educational and religious organizations, charitable foundations, and nonprofits, their clients included dozens of healthcare organizations. So when everyone’s grades and bible verses got swept up by the attackers, so too did 10 million medical records.

The Condition is Worsening

In the time between Anthem and Blackbaud, healthcare data breaches have only become more frequent, more costly and, on average, more serious. One can cite any number of statistics to make the point, but perhaps the simplest is that the 599 incidents in 2020 represent a 55.1% increase from 2019.

The trend is moving so fast, in fact, that measuring annually isn’t enough — even the second half of 2020 looks materially different from the first. According to Critical Insight, whereas 7.7 million patient records were stolen January through June, 21.3 million were stolen July through December. A 177% increase.

(chart via HIPAA Journal)

We might assume that COVID-19 played a role in all this. With the healthcare industry overworked and understaffed, IT security was simply not at the front of most people’s minds. Hackers like that.

But as logical and popular as that narrative is, it doesn’t totally stand up to scrutiny. Consider the chart above, for example. If you didn’t know better, in which year would you guess the pandemic began? 2019, probably — that’s when the trend broke out.

We can also look at the following chart from Bitglass, measuring different kinds of breaches year-over-year:

(chart via Bitglass)

A simple eyeball test tells us all we need to know: the point of inflection was not 2020, but 2019.

In other words, COVID-19 doesn’t appear to have materially affected either the severity or the volume of healthcare data breaches. The trend was already headed in this direction, and in 2020 it simply continued.

Thus we must forget this most convenient of excuses. If not, we might mistakenly predict that the problem won’t continue past the pandemic’s expiration. There is no data to suggest that that will be the case.

In its place, we must address the root problems: that patient data is collected in vast sums, aggregated by seductive supply chain targets, and exchanged over insufficiently protected networks.

What can be done about all that?

Treatments

There’s a saying in information security so popular that it has been at various times attributed to Cisco CEO John Chambers, CrowdStrike CTO Dmitri Alperovitch, and two successive FBI Directors, Robert Mueller and James Comey. It goes something like this:

There are only two types of companies: those that have been hacked and those that will be.

Every healthcare organization has been, or probably will be, hacked, because cyberspace is a body where bleeding in the spleen can cause pain in the shoulder, and an infection in one part of the skin can spread to other areas. There’s no way to prevent every ailment that might arise, but there are safe treatment options.

Speaking of: it looks like a patient just walked in.

(image via BJC Healthcare)

BJC Healthcare has a prior history of cybersecurity incidents. Beginning in March 2018 and lasting for almost a year, the personal information of 33,420 patients was exposed as a result of a misconfigured server. On November 19th of the same year, malware was discovered in their patient portal. It had been stealing personal and financial information from those using the portal since October 25th — almost a month.

Even after these successive failures, BJC was still vulnerable.

On March 6th, 2020, three of their employees were successfully phished. Attackers obtained control of their email accounts, which they could have used to impersonate those employees, escalating the attack to more important members of the company or to employees of BJC’s many client organizations.

Instead, just a few hours after the initial infection, BJC’s security team effectively identified what was going on and booted the attackers. They hired a third-party investigator to help figure out what damage had been done. And even though they were unable to find evidence that the attackers had used or even seen patient data, they nonetheless notified over 200,000 patients from 19 affiliated hospitals of what had happened.

The fact that companies like this exist makes the job of cybersecurity really difficult. One or two employees get phished and suddenly dozens of clients are at risk, each with tens of thousands of patients on their books. We can’t make BJC, Anthem, or AMCA disappear (could we?), but even so, there are all kinds of ways to treat them once they get sick.

For BJC, the doctor ordered a combination of investment in cybersecurity (having a team at the ready), sophisticated detection, and fast, responsible disclosure. Other solutions like more responsible data collection, employee education and training, end-to-end encryption, network segmentation, air gapping, and dozens more cyber safeguards would also help when, inevitably, they’re attacked again.

“Combination” is the key word here. No single protection is sufficient. Healthcare cybersecurity requires holistic treatment.
