The attempt to compromise University of California (UC), Davis, Medical Center databases this spring came in the form of a seemingly routine email message to a marketing employee. The staff member was responsible for sending event invitations and general interest health mailings to hospital patients and their families, activities far removed from confidential patient records, research, and financial data.
But after the employee opened this email, clicked a link in the message, and entered login credentials on what appeared to be a legitimate UC Davis webpage, the intruder behind this phishing attack was able to hijack the email account. Two days later, another staff member received a request for a wire transfer through the hacked account, according to Jeanie M. Larson, chief information security officer for UC Davis Health.
The circumstances surrounding this breach, which required UC Davis to report possible disclosure of “very limited medical data” on 15,000 patients, were similar to previous incidents reported at other health care institutions, Larson says.
In 2016, 320 breaches involving unsecured protected health information were posted on the U.S. Department of Health and Human Services (HHS) Office for Civil Rights breach portal, an increase of 18.5% over 2015, according to an IBM report. The majority of attacks occurred via email.
In the first nine months of 2017, five academic medical centers were among dozens of institutions reporting potential data breaches from hacking to HHS. Efforts to maintain the confidentiality, integrity, and availability of patient medical records have intensified.
Medical devices that have connectivity to medical records present the most serious risk to hospitals, according to Stephen Lopez, PhD, MBA, senior director of information security at the AAMC. Medical records typically contain credit card and social security numbers, dates of birth, and sensitive personal health information. With access to medical profiles, intruders can establish false identities and lines of credit to perpetrate insurance fraud or other forms of identity theft.
“Manufacturers of medical devices are not taking information security seriously. There are no regulations that impose information security standards on the devices they manufacture, which is part of the problem,” says Lopez. Hospital IT teams, he adds, tend to focus more on efficiency and electronic medical record improvements. He pointed to one major breach that occurred because several medical devices connected to a hospital network were still using Windows 95, an operating system that was not designed with modern network security in mind. The hospital found sensitive patient data on a blood gas analyzer and later discovered that hackers used the compromised device to access the hospital’s mainframe to mine patient records.
Stored data on medical devices is a significant threat for clinicians and researchers, too, adds Kevin Crain, director of IT security and chief information security officer for University of Maryland Medical Center. The tricky thing about devices, Crain explains, is “they tend to have hard-coded passwords and open ports on the network that an attacker can probe, scan, identify a vulnerability, and then use that to gain access to the device.”
Minimizing risk, training the workforce
While medical files getting in the hands of cyber thieves are a hospital’s biggest nightmare, other sensitive information at academic medical centers is at stake, too. “Research and intellectual property can be frozen or stolen,” notes Mark Jarrett, MD, professor of medicine at Donald and Barbara Zucker School of Medicine at Hofstra/Northwell. Data collected in clinical studies is at risk, too, he adds.
Jarrett is a member of the Health Care Industry Cybersecurity Taskforce, a group established by HHS to develop strategies against phishing campaigns, malware schemes in which hospital data is held for ransom, and against threats to data in research files and data stored in medical devices. The taskforce includes clinicians, HHS and Department of Homeland Security staff, device manufacturers, software developers, and cybersecurity experts.
In its June 2017 report, the taskforce recommended establishing a leadership role within HHS to communicate with the industry about cyber risks and develop protocols for responding to cyberattacks. The report also recommended increasing security for medical devices and health care IT, improving cybersecurity awareness and education, devising protocols to protect research from exposure, and devising new ways to share threats among health care colleagues.
“It has become a real sea change in terms of the threat,” says Crain. “Up until early 2016, the primary threats against health care were confidentiality related—people breaking into systems. Since 2016, destructive attacks have emerged as the most frequent threat against health care.”
Fostering an awareness of cyber threats throughout the institution is key to successful cybersecurity efforts. In addition to investing in technology solutions, “staff have to be made aware of the risks and things that they are supposed to do to prevent attacks,” Jarrett stresses.
Developing training protocols for employees has become more complex, too, because cyber hackers are continually developing new schemes aimed at tricking busy staff members. “The bad guys are getting more sophisticated, and you need to keep working at it. I don’t think our work will ever be done,” observes John Gohsman, vice chancellor for information technology and chief information officer, Washington University School of Medicine in St. Louis.
Hospital staff and students can help their institutions by being careful of downloading digital software that has not been vetted onto a hospital device, says Gohsman. “You can just sign up for a system—without having IT, without having your general counsel, without having your procurement office involved—that potentially could expose the institution to risk.”
Gohsman described a phishing incident in which employees fell victim to an email scheme that potentially compromised 80,270 patient records. “In most of these cases [hackers] replicate our common login screen, the person doesn’t actually get logged into the application, then they capture the password and the ID.”
“In this incident, in March 2017, the log that we needed to find out if we actually had a breach took a long time to get from our cloud vendor,” says Gohsman. “You should actually have a process for that and actually practice that so if you do have an incident you can respond more quickly.” Gohsman, the first information security officer at his institution, says his team has a system that blocks 85% of the 2.5 million email messages that come into the medical school each day because they appear to be spam or phishing emails. “Once we identify them, we make sure that even if somebody does click on the link once we block it, it takes them to a website that helps explain why they shouldn’t have clicked.”
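The credential-harvesting pattern described at UC Davis and by Gohsman (a replica of the institution's login page, reached through a link in an email) and the click-time block that lands the user on an explanation page can both be illustrated in a small defensive screener. The code below is an added example written for this article; it is not tooling from UC Davis, Washington University, or any vendor. The institutional domain `example-health.edu`, the explanation page URL, and the two sample mail bodies are constructed placeholders, and the four link indicators it checks (raw IP host, lookalike host, displayed-address/destination mismatch, external login page presented as the institution's) are a minimal illustrative set, not a complete phishing detector.

```python
"""Screen HTML mail for credential-phishing links and apply a click-time block.

Added example for illustration; not any institution's or vendor's code.
INSTITUTION_DOMAIN, EXPLAIN_PAGE and the sample messages are constructed.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

INSTITUTION_DOMAIN = "example-health.edu"                       # assumed placeholder
EXPLAIN_PAGE = "https://security.example-health.edu/why-blocked"  # assumed placeholder
LOGIN_WORDS = ("login", "signin", "password", "verify")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of bare 'host/path' text; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower().rstrip(".")


def is_institutional(host):
    return host == INSTITUTION_DOMAIN or host.endswith("." + INSTITUTION_DOMAIN)


def link_reasons(href, anchor_text):
    """Return the phishing indicators for one link (empty list = nothing found)."""
    reasons = []
    host = host_of(href)
    if not host or is_institutional(host):
        return reasons  # no host, or a link under our own domain: left alone
    # 1. A bare IP address where a hostname is expected.
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP host")
    except ValueError:
        pass
    # 2. Lookalike: our name inside a host we do not control,
    #    e.g. example-health.edu.account-verify.net.
    name = INSTITUTION_DOMAIN.split(".")[0]
    if name in host:
        reasons.append("lookalike host")
    # 3. The address the user sees differs from the real destination.
    shown = host_of(anchor_text) if "." in anchor_text and " " not in anchor_text else ""
    if shown and shown != host:
        reasons.append("display/href mismatch")
    # 4. A login-themed path on an external host, lured with our own name.
    path = urlparse(href if "://" in href else "http://" + href).path.lower()
    if any(w in path for w in LOGIN_WORDS) and name in anchor_text.lower():
        reasons.append("external login page presented as ours")
    return reasons


def screen_message(html_body):
    """Map each flagged href in a message to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    flagged = {}
    for href, text in parser.links:
        reasons = link_reasons(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


def click_protect(url, flagged):
    """Click-time check: clean URLs pass through; flagged ones land on the
    explanation page with the reason attached, instead of the phishing site."""
    reasons = flagged.get(url)
    if not reasons:
        return url
    return EXPLAIN_PAGE + "?" + urlencode({"reason": "; ".join(reasons)})


# Constructed sample mail bodies (not real messages).
PHISH = ('<p>Your mailbox quota is full. '
         '<a href="http://example-health.edu.account-verify.net/login">'
         'https://portal.example-health.edu/login</a> to verify your password.</p>')
LEGIT = ('<p>The spring health fair is Saturday. Details: '
         '<a href="https://events.example-health.edu/fair">events.example-health.edu/fair</a></p>')

if __name__ == "__main__":
    hits = screen_message(PHISH)
    for href, why in hits.items():
        print(href, "->", why)
    print(click_protect("http://example-health.edu.account-verify.net/login", hits))
    print(screen_message(LEGIT))  # {} : links under our own domain are not flagged
```

The screener runs at delivery time and records which links were blocked; `click_protect` is the second half of the pattern Gohsman describes, so a user who clicks a blocked link after the fact still reaches the explanation page rather than the credential-capture site. A production deployment would replace the substring lookalike check with a proper public-suffix and homoglyph comparison and would feed the flagged hrefs to the mail gateway's link-rewriting feature.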
It could happen to you
An investigation of the UC Davis attack revealed that the suspect email may have originated outside the United States, but the source remains unidentified, Larson says. With cyber criminals hard to track down, information security experts strongly advise hospital staff and employees to prepare for an ongoing battle when it comes to thwarting security breaches of their institutions’ data.
“[Hackers] will continue to adapt, and [their attacks] will get worse,” Crain says. “Even if we cut the internet cables, people can still bring memory sticks in or portable hard drives. There are any number of other ways to infiltrate or compromise data.”
“No one should feel they’re immune to a cyberattack or phishing intrusion,” Larson sums up. “It’s an awareness and understanding that must be continuously refreshed and refined so that it remains embedded in the culture of the institution.”