American Association for Physician Leadership

Operations and Policy

Cybersecurity: What Leaders Must Know

Denise Howard, MD, MPH, FACOG, CPE | Craig R. Harris, BS, PMP, CRISC, CISSP

July 8, 2019

Peer-Reviewed

Abstract:

The health care industry is experiencing a tsunami of cyberattacks, and threats continue to grow. Health care leaders have a responsibility to act in the interest of their organizations, and cybersecurity should be a primary concern. Understanding the threats and taking steps to minimize the risk of breaches is an important first step. Risk assessment, security policies and “cyber hygiene” make up a secure organization. Investing in cybersecurity is imperative for health care organizations to mitigate risk.

When the UCLA health system’s network was breached in September 2014, the hack went undetected until October. When it was discovered, UCLA officials did not believe the hackers had accessed any medical or personal information, but they were wrong. In May 2015, they learned that the hackers had accessed and exposed the protected health information, or PHI, of 4.5 million patients and staff — despite a multimillion-dollar IT security investment.(1) Immediately after the announcement, a lawsuit was filed in federal court seeking class-action status with a potential payout of more than $4 billion.(2)

Health care data breaches are common, affecting more than 25 percent of consumers.(3) Millions of attacks are attempted daily at hospitals, urgent care centers and pharmacies.(4) Health care systems, community practices, insurance companies and business entities are all at risk (see Table 1).(5) The consequences to the organizations can be grave, including a loss of customers and increased liability for providers as victims of the breach spend thousands of dollars managing the ramifications.

This article reviews the current state of health care cybersecurity, explains why data breaches are on the rise, describes the common threats, explores the implications for health care leaders and provides recommendations to improve the cybersecurity posture of health care organizations.

Current State

The health care industry is experiencing a tsunami of cyberattacks. More Social Security numbers were exposed in the health care sector than in any other industry in 2016(6) and there was approximately one health care data breach a day in 2017, exposing 4.93 million records.(7)

Several factors make health care organizations attractive to would-be hackers. The increased use of “internet of medical things” devices, such as patient monitoring devices that collect data, exchange data and are connected to the outside world, provides a major opportunity for security breaches. The increase in mergers and acquisitions within the health care industry creates larger targets and provides another avenue for hackers to access the system.

In addition, patients’ growing demand for instant access to their data, combined with online scheduling capability, further exacerbates the challenge of ensuring the security of health care organizations’ data systems.(8)

Reasons for the Attacks

The health care industry hosts valuable data, making it an irresistible target for cybercriminals. On the dark web, PHI is bought and sold for more than 10 times the amount of stolen credit card information, making it the most expensive data on the criminal market.(8) The value is derived from the data points in the record that, when combined, can be used to create fake IDs to buy medical equipment, write prescriptions and file false insurance claims.

The multiple relationships, multiple touchpoints and multiple facilities of the industry make it susceptible to a variety of attacks. For example, a typical patient experience for an outpatient surgery involves an initial encounter at the physician’s office, an eligibility check with the insurance company, office contact to schedule the procedure, admission to the center for surgery, and a pharmacy visit to have prescriptions filled.

In each of these interactions, the entity uses, transmits and stores PHI. Consequently, each provides an access point for a cyberattack. Although each entity is responsible for protecting PHI for its portion of the patient’s journey, a vulnerability at any point in the process can expose all the entities to a cyberthreat.

Despite these risks, 92 percent of C-suite occupants surveyed by Black Book Research stated that cybersecurity and the threat of a data breach weren’t major talking points with their boards of directors.(9) Fifty-four percent of the respondents reported they do not conduct regular risk assessments and 39 percent don’t conduct any vulnerability testing of their computer systems, network or web applications.(9) Given the lack of cybersecurity oversight, poor security practices and lack of resources, health care organizations are low-hanging fruit for hackers.

Common Threats

The following are common threats and ways organizations can defend against them.

  • Ransomware: Cyberattackers gain access to and infect health care organizations’ IT systems with malware that prevents critical files from being accessed normally. The hackers then demand payment in exchange for restoring the files. This hijacking and ransoming of files is an example of how cybercriminals can profit from their attacks.

  • Employee Negligence/Insider Threat: Sharing passwords, leaving computer workstations open and unattended, and opening suspicious email attachments are a few ways employees can compromise health care IT systems. Multiple studies have concluded that a significant risk reduction can come from staff education on basic “cyber hygiene.” According to the 2018 Verizon Data Breach Investigation Report, health care is the only industry where threats from the inside are greater than the threats from the outside.(10) Fifty-six percent of incidents in health care were the result of insider threats; the most common cause was human error (35 percent) followed by misuse (24 percent).

  • Bring Your Own Device: Many health care organizations encourage staff to bring their own electronic devices (tablets, mobile phones and laptops) to the workplace to increase productivity and reduce cost. However, BYOD policies increase the risk of data breaches because mobile devices can be lost or stolen. Many organizations have not done the due diligence needed to develop the comprehensive plan, policies and practices required to ensure the security of the mobile devices they allow to access their health care IT systems. Common vulnerabilities of BYOD programs include encryption of data on mobile devices not being enforced, failure to scan devices for malware, simple or no password requirements, and the ability to access the network without complying with existing policies (such as keeping a device’s software up to date).

There are many ways organizations can defend against these threats (see Table 2).

Implications for Leaders

In many health care facilities, cybersecurity responsibilities are undefined or poorly defined. According to Healthcare IT News, nearly three of four U.S. hospitals do not have a designated cybersecurity professional, and in many small- to medium-sized organizations, there isn’t a single dedicated IT professional.(6)

The size and organizational structure of most hospitals and health care organizations, especially across multiple facilities, makes creating and enforcing consistent security standards and processes difficult. Most employees are unaware of the cybersecurity risks, and enforcement of policies addressing these risks is challenging — if even in place.

Most hospitals focus on upgrading medical technology and employing better staff to ensure the provision of quality care. These are noble and important priorities, but cybersecurity often is overlooked. Many hospitals are large enough to warrant hiring an entire IT team, or at least a head of cybersecurity, but this doesn’t seem to be a priority for many administrators. According to PricewaterhouseCoopers, 62 percent of CEOs are aware of risks, but only 32 percent do anything about them. This represents a significant financial risk for their organizations.(12)

Health care leaders have a fiduciary responsibility to act in the best interest of their organizations. Accordingly, cybersecurity should not be just a top technology concern for leaders; it also should be the primary concern.(13) The National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity” is becoming the de facto standard in litigation over whether organizations exercised due care related to cybersecurity.(14) NIST has published a document mapping the Health Insurance Portability and Accountability Act’s Security Rule to NIST’s framework, so health care leaders can know what is necessary to minimally comply with HIPAA and, at best, to have secure systems. Eighty-seven percent of respondents to the Center for Connected Medicine’s survey (in partnership with the Health Management Academy) expect to increase spending on cybersecurity in 2019,(15) indicating the growing importance of securing PHI to health care leaders.

Securing PHI

The following are some basic steps health care organizations can take to secure PHI.

  • Security policies: Establish boundaries, guidelines and best practices to ensure compliance objectives are met and to maintain the confidentiality, integrity and availability of PHI. The policies should also cover separation of duties, separation of function, audit, the management of covered entities, outsourced support contracts and vendor vetting.

  • Cyber hygiene: This refers to the sound daily practices an organization uses to protect its data when staff are using a computer or mobile device. Both the organization and its staff need to develop the habits outlined in the organization’s policies, practices and guidelines. Organizations must train staff to detect and report attack attempts and must reinforce best cyber hygiene practices; this allows early identification of breaches and provides opportunities to minimize damage. An incident handling plan should be developed, maintained and rehearsed so that when breaches occur, all stakeholders are familiar with the required response. Create a team of penetration testers and network/application defenders, so that the defensive tactics and controls can be integrated with the vulnerabilities and threats found by the penetration testers into a single narrative that maximizes the efforts of both. An external audit and testing of risk plans (e.g., business continuity, disaster recovery and incident handling) should occur at least once a year.

  • Network architecture: This should be created to minimize any damage from cyberattacks. Network segmentation is a fundamental step and occurs when a portion of a computer network is separated from the rest of the network. Each segment can contain one or multiple computers or other hosts and they are often grouped by purpose (e.g., IoMT). Security architecture has evolved to meet modern demands — existing architectures designed to “wall off the citadel,” with the assumption that attacks can be stopped or stalled, rarely work and soon will be extinct. New approaches address the “elasticity” of the many relationships that exist within health care organizations. Health care organizations must have transparent visibility across the entire attack surface to understand their threat posture and quickly respond to new vulnerabilities and attacks, while simultaneously demonstrating compliance.(8) “Federated” or “fabric” security architecture shifts the emphasis from prevention to isolation of malicious activity.

Information from all security products and services needs to be correlated, scrutinized and transformed into actionable intelligence, so the organization can minimize the threats most likely to cause damage in its specific environment. More complex techniques, such as advanced threat intelligence tactics, can be considered once a security foundation like the one described above is in place.

Summary

Health care organizations’ greatest risk comes from the very systems that have enabled them to provide efficient, cutting-edge care. Health care leaders have a fiduciary responsibility to protect their organizations from cyberattacks, and the first step is being fully aware of the threats and taking the necessary steps to manage the risks. Security policies, cyber hygiene and proper network setup are the foundation of a cybersecure organization.

References

  1. UCLA health system hacked: 4.5 million patient records exposed. HIPAA Journal. https://www.hipaajournal.com/ucla-health-system-hacked-4-5-million-patient-records-exposed-8033. Published July 18, 2015.

  2. McGee MK. UCLA health faces lawsuit–already. Careers Info Security Web site. https://www.careersinfosecurity.com/ucla-health-faces-lawsuit-already-a-8427. Published July 22, 2015.

  3. One in four US consumers have had their healthcare data breached, Accenture survey reveals [press release]. Orlando, FL: Accenture; Feb. 20, 2017. https://newsroom.accenture.com/news/one-in-four-us-consumers-have-had-their-healthcare-data-breached-accenture-survey-reveals.htm.

  4. Alpine Security. 5 biggest healthcare data breaches. Alpine Security blog. https://www.alpinesecurity.com/blog/5-biggest-healthcare-cybersecurity-breaches. Published March 28, 2018.

  5. Lord N. Top 10 biggest healthcare data breaches of all time. Digital Guardian blog. https://digitalguardian.com/blog/top-10-biggest-healthcare-data-breaches-all-time. Published June 25, 2018.

  6. Calyptix. 10 biggest problems in healthcare cybersecurity. Calyptix blog. https://www.calyptix.com/hipaa/10-biggest-problems-in-healthcarecybersecurity. Published June 14, 2017.

  7. Spitzer J. 11 of the biggest healthcare cyberattacks of 2017. Becker’s Hospital Review. https://www.beckershospitalreview.com/cybersecurity/11-of-the-biggest-healthcare-cyberattacks-of-2017.html. Published Dec. 5, 2017.

  8. Adefala L. Healthcare experiences twice the number of cyber attacks as other industries. CSO BrandPost. https://www.csoonline.com/article/3260191/security/healthcare-experiences-twice-the-number-of-cyber-attacks-as-other-industries.html. Published March 6, 2018.

  9. 84 percent of healthcare organizations don’t have a cybersecurity leader. Security Magazine. www.securitymagazine.com/articles/88591-percent-of-healthcare-organiztions-dont-have-a-cybersecurity-leader. Published Dec. 20, 2017.

  10. Verizon Enterprise Solutions. 2018 Data Breach Investigations Report. April 10, 2018. https://enterprise.verizon.com/resources/reports/DBIR2018_Reportexecsummary.pdf.

  11. Cohen JK. Healthcare: the only industry where insider threats outnumber external threats. Becker’s Hospital Review. www.beckershospitalreview.com/cybersecurity/healthcare-the-only-industry-where-insider-threats-outnumber-external-threats.html. Published April 11, 2018.

  12. PwC. 21st Annual Global CEO Survey: US Supplement. January 2018. https://www.pwc.com/us/en/library/ceo-agenda/pdf/21st-annual-global-ceo-survey-us-supplement.pdf.

  13. Houser K. Cybersecurity is a top concern for healthcare executives. Futurism.com. https://futurism.com/the-byte/cybersecurity-healthcare-executives. Published Nov. 20, 2018.

  14. The Center for Connected Medicine. Top of mind for top health systems 2019. Center for Connected Medicine. January 2019. https://www.connectedmed.com/blog/content/top-of-mind-2019-interoperability-cybersecurity-telehealth.

  15. Shen L. The NIST cybersecurity framework overview and potential impacts. The SciTechLawyer. www.americanbar.org/content/dam/aba/publications/scitechlawyer/2014/summer/nistcybersecurityframework_overviewpotentialimpacts.pdf.

Denise Howard, MD, MPH, FACOG, CPE

Denise Howard, MD, MPH, FACOG, CPE, is a member of the Physician Leadership Journal’s editorial board, a senior attending physician for Sidra Medicine, assistant professor of clinical obstetrics and gynecology for Weill Cornell Medicine, and a board member of the Lotus Consulting Group. drdenhow@gmail.com


Craig R. Harris, BS, PMP, CRISC, CISSP

Craig R. Harris, BS, PMP, CRISC, CISSP, is a principal consultant for the Lotus Consulting Group. He has a master’s degree in cybersecurity risk and strategy.
