The Evolving Cyber Threat & How Healthcare Can Mitigate It

August 2017

By John Riggi and Patrick Pilch

WannaCry sent a message: Healthcare has a target on its back, and cyber-attackers have homed in on the mark. When the May 12 ransomware attack unleashed more than 75,000 ransomware attacks across the globe and harmed a notable portion of the U.K.’s healthcare sector, U.S. healthcare organizations were largely spared because of a virtual, but temporary, kill switch discovered before the malware made its way across the pond.

But it would be dangerous for the U.S. healthcare sector to consider itself immune or even less vulnerable, particularly as current cyber threats grow and new ones emerge, directly targeting the sector and its data.

In 2016, the U.S. healthcare sector saw a record number of large-scale data breaches (those affecting 500 or more patients). According to data from the Department of Health and Human Services’ Office for Civil Rights (OCR), 327 large-scale data breaches were reported last year, compared to 199 in 2010.

In 2017, the industry has already seen its fair share of large-scale data breaches, with 130 reported as of June 13.

OCR defines an information breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI).” It breaks types of information breach into seven categories: hacking/IT incidents, improper disposal, theft, unauthorized access/disclosure, unknown and other. 

Healthcare_Summer-2017_charts-Artboard-2.png*Data source: OCR’s Breach Portal
**As of June 13 and measured by the number of individuals affected
 
Each type of information breach can be defined as:
  • Hacking/IT incidents: Incidents involving insider or outsider intrusions
  • Improper disposal: Incidents in which PHI is improperly disposed
  • Loss: Incidents in which a device containing PHI is lost by the organization or an employee
  • Theft: Incidents in which a device containing PHI is stolen from the organization
  • Unauthorized access/disclosure: Incidents in which inside or outside actors either access restricted areas of the organization’s network or disclose PHI to an unauthorized recipient
  • Unknown: Incidents in which data is not reported or missing
  • Other: All other types of incidents
 

Shifting threats

The type of security breach posing the largest threat to the industry has evolved over the last seven years from theft to unauthorized access or disclosure of data.

In 2010, theft was the most common type of information breach, comprising 135 of the 199 reported incidents (68 percent). Hacking or IT incidents and unauthorized access or disclosure breaches remained lower, with each making up 8 percent of all reported breaches.

By 2016, 129 (29 percent) of breaches involved unauthorized access or disclosure, while 113 (35 percent) were associated with hacking or IT incidents—making these two breach types the greatest threats to the healthcare industry, which holds true today. 

Theft breaches followed (62 incidents), then data loss (16 incidents) and, finally, improper disposal (7 incidents).

Healthcare_Summer-2017_charts-Artboard-3.png*Note: Chart created using data from OCR’s Breach Portal
 
Healthcare_Summer-2017_charts-Artboard-4.png*Note: Each count is the total number of reported breach incidents of the specific information source and breach type. Individual reports of a breach may involve or more breach types (theft, loss, etc.). In those cases, there may be double-counting of the number of reported incidents or reported breaches in a specific year.
**As of June 13, 2017
 

Mitigating evolving risks

The human element presents the greatest cyber risk of all. The most important step to mitigating this risk is to implement proper access controls including file, directory and network share permissions with least privilege in mind. But a broader, well-rounded and documented cybersecurity plan is crucial and should address the following:
  • Risk assessment. Entities should perform regular risk assessments through which they can identify and classify their assets, risks, threats and vulnerabilities.
  • Data/network mapping and access control/management. Entities should know where all HIPAA information is stored, how it traverses the network and the security around that data—who has access, who has control and who has what privileges?
  • Device monitoring. Crucial when it comes to theft breaches, mobile device management (MDM) can alleviate some of these human error risks. Entities should know about every mobile device in their organization that contains personal health information (PHI).
  • Third-party due diligence. Vendor systems can be an access point or weak link in an organization’s protection. Third-party risk due diligence must be done through the prospect, initiation and ongoing relationship stages to isolate changes in risk and vulnerability postures.
  • Top-down security mindset that supports staffing and training. Board members should be informed and proactive in taking ownership of cybersecurity. Organizations should ensure they have a dedicated information security function that reinforces cyber awareness throughout the organization.
  • Well-documented policies, standards and procedures. Providers should document their cybersecurity mindset and be able to produce specific guidance, like their cyber incident response plan, the types and frequency of network security tests performed, and training protocols.
 
Additionally, the FBI recommends the following mitigation measures specific to ransomware attacks like WannaCry:
  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017. (Organizations using unsupported Windows operating systems including Windows XP, Windows 8 and Windows Server 2003 should follow customer guidance from Microsoft.)
  • Enable strong spam filters to prevent phishing e-mails from reaching end users and authenticate in-bound e-mail using technologies like Sender Policy Framework, Domain Message Authentication Reporting and Conformance, and DomainKeys Identified Mail.  
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users. 
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts, assigning administrative access only when absolutely needed. 
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications. Develop, institute and practice employee education programs for identifying scams, malicious links and attempted social engineering.
  • Have regular penetration tests run against the network, no less than once a year, and ideally, as often as possible/practical.
  • Test your backups to ensure they work correctly upon use.
 
The FBI also recently identified DeltaCharlie, a Distributed Denial of Service (DDoS) Botnet infrastructure that North Korean cyber actors known as HIDDEN COBRA are using to target media, aerospace, financial and critical infrastructure sectors in the U.S. and around the world. Organizations should read the Department of Homeland Security (DHS)’s full alert on that here.

Organizations could also benefit from the HITRUST CSF, the most widely adopted security framework in the U.S. healthcare market which helps facilitate HIPAA compliance and cyber readiness. Read more information on that here.

Additional cybersecurity resources can be found here:
For cybersecurity information specific to your healthcare organization, please contact one of the authors of this article.

John Riggi is the head of BDO’s Cybersecurity and Financial Crimes practice. He can be reached at jriggi@bdo.com.

Patrick Pilch is the national co-leader of The BDO Center for Healthcare Excellence & Innovation. He can be reached at ppilch@bdo.com.


Return to the BDO Knows Healthcare Newsletter - Summer 2017